Re: [NSE] HUGE ssl-enum-ciphers speed improvement

[Daniel Miller <bonsaiviking () gmail com>]

On 07/12/2012 06:25 PM, David Fifield wrote:
> You should check if this is the same change Mak Kolybabi tried in 2010:
> http://seclists.org/nmap-dev/2010/q1/650
> (Look for "...it starts by offering all ciphers at once...".)
>
> There was some problem with this method, the details of which I don't
> remember, but you should try some of the test cases in this thread:
> http://seclists.org/nmap-dev/2010/q1/859
>
> David Fifield

With the advice from Martyn Tovey to try the ciphers in groups of 64 or 
less, I've successfully tested against windowsupdate.microsoft.com, 
coming out with the same results in a fraction of the time. My latest 
test against 5 systems (1 didn't have SSL) reduced scan time from 47 
seconds to 6.5 seconds, with identical results (except for detecting 
compressors that were missed with the old method).

I'm attaching what I feel to be the final version of the script. 
Splitting the ciphers into chunks of 64 means a worst-case extra 3 
handshakes per protocol supported, which I think is not too bad. I also 
changed the compressor detection to always include the NULL compressor, 
and stop checking if the server selects it (since it must always be 
sent, the server will not choose something else if it chooses NULL 
first), which eliminates at least 1 handshake per valid protocol. 
Compressor checking also just sends one cipher (the first valid one from 
cipher detection), to avoid triggering the same 64-cipher limit, and to 
ensure that the handshake will not be rejected for a bad cipher.

Thanks for all the feedback on this! More testing is appreciated.

Dan

Attachment: ssl-enum-ciphers.patch
Description:

Attachment: ssl-enum-ciphers.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/