Nmap Development mailing list archives

Re: [RFC][NSE] Modify shortport.ssl and shortport.http to avoid tcpwrapped services


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 17 Sep 2012 15:32:08 -0500

On 09/14/2012 04:40 PM, David Fifield wrote:
On Fri, Sep 14, 2012 at 04:28:55PM -0500, Daniel Miller wrote:
Checking into the shortport.ssl function, I thought that it could be
extended to check for tcpwrapped services (while still matching
ssl-tunnelled services that get detected as tcpwrapped).
It looks fine to me. Here,

I also added the functionality to shortport.http, and made it match
if Version detection labels a service http. Here's the patch:
+http = function (host, port)
+  return port.version.name == "http" or
+      ( port.version.name ~= "tcpwrapped" and
+      port_or_service(LIKELY_HTTP_PORTS, LIKELY_HTTP_SERVICES)(host, port))
+end
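Review bot: the `port.version.name ~= "tcpwrapped"` guard drops every tcpwrapped port from `http`, while the shortport.ssl change described above deliberately keeps matching ssl-tunnelled services that version detection labels tcpwrapped; this hunk has no equivalent exception, so such a service on one of the LIKELY_HTTP_PORTS would stop matching `http` even though it still matches `ssl`. Either reuse the same tunnelled-service check here or add a comment above the function explaining why HTTP ports are treated differently. Separately, as David notes, the leading `port.version.name == "http" or` clause is already covered by LIKELY_HTTP_SERVICES, so the body can be reduced to the guarded `port_or_service(...)` call.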
"if Version detection labels a service http": it already does that.
"http" is in LIKELY_HTTP_SERVICES. I think the check
        return port.version.name == "http"
is redundant.

David Fifield

I'm abandoning this change, since in some of my testing, services that were detected as "tcpwrapped" actually succeeded later in responding to SSL probes from NSE. I'm guessing this is due to the timing options of my scan (especially --max-retries=1) leading to dropped packets and/or rate limiting by the targets.

I'm open to suggestions from the list on how to modify scripts to gracefully handle timeouts (which would be the case if the service were truly tcpwrapped).

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
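The thread leaves two practical questions open: how a port rule can skip ports that version detection reported as tcpwrapped without also skipping ssl-tunnelled services, and how a script should behave when the target accepts the connection but never answers (the case Dan describes, where a "tcpwrapped" label is really a timeout). The script below is an added example, not code from this thread or from Nmap's shortport library. It assumes the current NSE API (the `nmap`, `shortport` and `stdnse` libraries, `port.version.service_tunnel`, `socket:connect(host, port, "ssl")` and `stdnse.debug1`); the script argument name `tcpw-example.timeout` is made up for the example. As Dan observes above, the rule is only as reliable as the version-detection result it reads, so under aggressive timing options it can still exclude live services.

```lua
-- Added example: an NSE script whose portrule skips tcpwrapped ports
-- (except ssl-tunnelled ones) and whose action treats a silent peer as a
-- clean "no result" instead of an error. Not part of Nmap or of this thread.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Sends a single HTTP HEAD request with an explicit socket timeout and reports
the status line. Ports labelled "tcpwrapped" by version detection are
skipped unless an SSL tunnel was detected on them.
]]
author = "example (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Port rule: behave like shortport.http, but refuse ports that version
-- detection reported as tcpwrapped, unless it also saw an SSL tunnel there
-- (the case the shortport.ssl change in the thread wants to keep).
portrule = function (host, port)
  local v = port.version
  if v and v.name == "tcpwrapped" and v.service_tunnel ~= "ssl" then
    return false
  end
  -- shortport.http still matches by likely port number or service name.
  return shortport.http(host, port)
end

action = function (host, port)
  -- Script arg name is an assumption for this example; default 5 s.
  local timeout_ms = tonumber(stdnse.get_script_args("tcpw-example.timeout")) or 5000
  -- Speak TLS if version detection saw a tunnel, plain TCP otherwise.
  local proto = (port.version and port.version.service_tunnel == "ssl") and "ssl" or "tcp"

  local sock = nmap.new_socket()
  sock:set_timeout(timeout_ms)

  local status, err = sock:connect(host, port, proto)
  if not status then
    stdnse.debug1("%s:%d connect failed: %s", host.ip, port.number, err)
    return nil
  end

  local request = "HEAD / HTTP/1.0\r\nHost: " .. host.ip .. "\r\n\r\n"
  status, err = sock:send(request)
  if not status then
    sock:close()
    stdnse.debug1("%s:%d send failed: %s", host.ip, port.number, err)
    return nil
  end

  -- A peer that accepts the connection and then stays silent (the pattern
  -- behind a "tcpwrapped" label) shows up here as a "TIMEOUT" error; return
  -- nil so the script produces no output rather than a misleading result.
  local line
  status, line = sock:receive_lines(1)
  sock:close()
  if not status then
    stdnse.debug1("%s:%d no response within %d ms (%s)",
      host.ip, port.number, timeout_ms, line)
    return nil
  end

  -- Report only the first line (the HTTP status line).
  return line:match("^[^\r\n]*")
end
```

Run it with version detection enabled (`-sV --script <script-name>`) so that `port.version` is populated; without `-sV` every port has an empty version table and the tcpwrapped guard never fires. Returning nil on a timeout is the conventional NSE way to stay quiet on a port that gave nothing usable; the debug line is only visible with `-d`.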
