Nmap Development mailing list archives

Re: Tunnel information not always included in XML output


From: Matt Foster <mpf () netcraft com>
Date: Tue, 14 Feb 2012 10:28:52 +0000

On Tue Feb 14 03:54:47 2012, David Fifield wrote:
> On Mon, Feb 13, 2012 at 11:00:07AM +0000, Matt Foster wrote:
> > Hi All,
> >
> > I recently noticed that there's no tunnel information in Nmap's XML
> > output when the service is 'ssl/unknown'. In these cases, there's no
> > service tag in the output, so as a consequence there's no tunnel
> > attribute set.
> >
> > A similar problem to this (but relating to text output) seems to have
> > been fixed back in 2009, but I couldn't find any mention of issues like
> > this relating to XML output.
> >
> > I've attached a very simple patch, to make sure there's a service tag
> > whenever there's an identified SSL tunnel. It may not be the best way to
> > fix this, but so far it seems to be working for me.
>
> What XML does it emit in the conditions you've identified?


We saw:

<port protocol="tcp" portid="6801"><state state="open" reason="syn-ack"
reason_ttl="51"/></port>

without the patch, and then:

<ports><port protocol="tcp" portid="6801"><state state="open"
reason="syn-ack" reason_ttl="51"/><service name="unknown" tunnel="ssl"
method="table" conf="3"/></port>

With it.

That said, I've been trying to replicate the issue using openssl
s_server in order to send you a decent example, and I can't. Nmap
behaves as it should, and reports the tunnel -- so this was probably
caused by something else, rather than what I described above.

Unfortunately, I no longer have access to the server I got those
results from, so I can't check for any other oddities :(

Cheers,

Matt
-- 
Dr Matt Foster
Netcraft Ltd.
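
An added example, not part of the original message or of Nmap's own code: a consumer-side check over Nmap XML that separates open ports with no service element (tunnel state unknown) from ports whose service element does or does not carry a tunnel attribute. The nmaprun/host/ports wrapper, the 6802 and 80 port entries, and the function name classify_ports are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The first two <port> shapes follow the ones quoted in
# the message (the second is renumbered to 6802 so the two can be told
# apart); the port 80 entry and the surrounding wrapper are assumptions.
SAMPLE = """<nmaprun><host><ports>
<port protocol="tcp" portid="6801"><state state="open" reason="syn-ack" reason_ttl="51"/></port>
<port protocol="tcp" portid="6802"><state state="open" reason="syn-ack" reason_ttl="51"/><service name="unknown" tunnel="ssl" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="51"/><service name="http" method="probed" conf="10"/></port>
</ports></host></nmaprun>"""


def classify_ports(xml_text):
    """Map (protocol, portid) -> tunnel status for every open port.

    "no-service-element" means the scan output says nothing about a tunnel,
    which is different from "none" (a service element with no tunnel
    attribute). Treating the two alike would hide SSL-wrapped ports.
    """
    result = {}
    root = ET.fromstring(xml_text)  # input is locally produced scan output
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        key = (port.get("protocol"), port.get("portid"))
        service = port.find("service")
        if service is None:
            result[key] = "no-service-element"
        else:
            result[key] = service.get("tunnel", "none")
    return result


if __name__ == "__main__":
    for (proto, portid), status in classify_ports(SAMPLE).items():
        print(f"{portid}/{proto}: {status}")
```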



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
