Re: [NSE] ssl-date

[Aleksandar Nikolic <nikolic.alek () gmail com>]

On 7/31/2012 8:11 PM, David Fifield wrote:
> On Mon, Jul 30, 2012 at 09:57:33AM +0200, Aleksandar Nikolic wrote:
> > Hi all,
> >
> > I've written a script that extracts the remote server's time from
> > ServerHello ssl reply.
> > First 4 bytes of server random are actually system time.
> >
> > Original idea by Jacob Appelbaum and his TeaTime and tlsdate tools:
> >     - https://github.com/ioerror/TeaTime
> >     - https://github.com/ioerror/tlsdate
> >
> > --
> > -- @output
> > -- PORT    STATE SERVICE REASON
> > -- 443/tcp open  https   syn-ack
> > -- |_ssl-date: Server time 2012-07-30 09:46:07 GMT; 0s from the local time.
> >
> > The script can be used to detect wrongly set time, or even detect non
> > standard SSL implementations.
> This looks good and it works for me. Please commit it.
>
> Do you think it is possible to add STARTTLS support to this script for
> the same protocols as ssl-cert? There is a table of STARTTLS functions
> in sslcert.lua, but they probably operate at the wrong level of
> abstraction as they call nmap.reconnect_ssl. Perhaps that table can be
> broken into two steps, and your code that needs to craft its own
> ClientHello can call only the lower-level of the two steps.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Added to trunk as 29421.

I'll look into adding STARTTLS , it shouldn't be much of a problem.

Aleksandar


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/