Re: Strange reponse to comm.tryssl

[Patrik Karlsson <patrik () cqure net>]

On Wed, Oct 24, 2012 at 12:24 AM, Francois Lachance <
digitallachance () gmail com> wrote:

> I am a total n00b at writing nmap scripts.  I am hoping that someone can
> help with this one.
>
> I am trying to write a script to scan for WebLogic Node Manager.  Those
> connections are supposed to use SSL, so naturally I decided to use
> comm.tryssl.  Unfortunately, I am getting inconsistent results.  It usually
> fails to establish an SSL connection.  The frustrating thing is that it
> has succeeded on a few occasions.  The only thing that is returned by the
> tryssl is a short 7 bytes :
> 15 00 02 00 02 02 46
>
> Does that mean anything to anyone?
>
> Here are the relevant part of the output:
>
> Initiating NSE at 15:57
> NSOCK (1.4990s) TCP connection requested to 10.2.7.20:5556 (IOD #1) EID 8
> NSOCK (1.4990s) Setting of SO_BROADCAST failed (IOD #1)
> NSOCK (1.5010s) Callback: CONNECT SUCCESS for EID 8 [10.2.7.20:5556]
> NSE: TCP 10.4.7.136:4894 > 10.2.7.20:5556 | CONNECT
> NSE: TCP 10.4.7.136:4894 > 10.2.7.20:5556 | 00000000: 48 45 4c 4c 4f 20 77
> 6c 2d 74 65 73 74 2e 6e 73 HELLO wl-test.ns
> 00000010: 65 0a                                           e
>
> NSOCK (1.5140s) Write request for 18 bytes to IOD #1 EID 19 [
> 10.2.7.20:5556]:
> HELLO wl-test.nse.
> NSOCK (1.5140s) Callback: WRITE SUCCESS for EID 19 [10.2.7.20:5556]
> NSE: TCP 10.4.7.136:4894 > 10.2.7.20:5556 | SEND
> NSOCK (1.5150s) Read request from IOD #1 [10.2.7.20:5556] (timeout:
> 8000ms)
> EID 26
> NSOCK (1.5470s) Callback: READ SUCCESS for EID 26 [(null):-1] (7 bytes):
> ......F
> NSE: TCP unknown protocol:0 < unknown protocol:0 | 00000000: 15 00 02 00 02
> 02 46
>                          F
>
> NSE: Action script started....
> NSE: Finished 'wl-test' (thread: 029C81C0) against 10.2.7.20:5556.
> NSE: TCP unknown protocol:0 > unknown protocol:0 | CLOSE
> NSOCK (1.5490s) nsi_delete() (IOD #1)
> Completed NSE at 15:57, 0.05s elapsed
> Nmap scan report for fccvml205.corp.fcc.ca (10.2.7.20)
> Host is up, received echo-reply (0.0045s latency).
> Scanned at 2012-10-23 15:57:40 Canada Central Standard Time for 0s
> PORT     STATE SERVICE REASON
> 5556/tcp open  unknown syn-ack
> |_wl-test: Unexpected response from server: \x15\x00\x02\x00\x02\x02F
> Final times for host: srtt: 4500 rttvar: 12750  to: 100000
>
> NSE: Script Post-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
> Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
>            Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
> NSOCK (1.5510s) nsi_delete() (IOD #1)
>
>
> And here is a capture of the output when it was successful:
>
> Initiating NSE at 11:16
> NSOCK (1.5300s) TCP connection requested to 10.2.7.20:5556 (IOD #1) EID 8
> NSOCK (1.5300s) Setting of SO_BROADCAST failed (IOD #1)
> NSOCK (1.5330s) Callback: CONNECT SUCCESS for EID 8 [10.2.7.20:5556]
> NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | CONNECT
> NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | 00000000: 48 45 4c 4c 4f 20 77
> 6c 2d 74 65 73 74 2e 6e 73 HELLO wl-test.ns
> 00000010: 65 0a                                           e
>
> NSOCK (1.5450s) Write request for 18 bytes to IOD #1 EID 19 [
> 10.2.7.20:5556]:
> HELLO wl-test.nse.
> NSOCK (1.5490s) Callback: WRITE SUCCESS for EID 19 [10.2.7.20:5556]
> NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | SEND
> NSOCK (1.5510s) Read request from IOD #1 [10.2.7.20:5556] (timeout:
> 8000ms)
> EID 26
> NSOCK (1.5510s) Callback: READ ERROR [Unknown error (10054)] for EID 26 [
> 10.2.7.20:5556]
> NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | CLOSE
> NSOCK (1.5520s) nsi_delete() (IOD #1)
> NSOCK (1.5540s) SSL connection requested to 10.2.7.20:5556/tcp (IOD #2)
> EID
> 33
> NSOCK (1.5540s) Setting of SO_BROADCAST failed (IOD #2)
> NSOCK (1.5710s) Callback: SSL-CONNECT SUCCESS for EID 33 [10.2.7.20:5556]
> NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | CONNECT
> NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | 00000000: 48 45 4c 4c 4f 20 77
> 6c 2d 74 65 73 74 2e 6e 73 HELLO wl-test.ns
> 00000010: 65 0a                                           e
>
> NSOCK (1.5730s) Write request for 18 bytes to IOD #2 EID 43 [
> 10.2.7.20:5556]:
> HELLO wl-test.nse.
> NSOCK (1.5760s) Callback: WRITE SUCCESS for EID 43 [10.2.7.20:5556]
> NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | SEND
> NSOCK (1.5770s) Read request from IOD #2 [10.2.7.20:5556] (timeout:
> 8000ms)
> EID 50
> NSOCK (1.5770s) Callback: READ SUCCESS for EID 50 [10.2.7.20:5556] (32
> bytes): +OK Node ma
> nager v10.3 started..
> NSE: TCP 10.4.7.136:2337 < 10.2.7.20:5556 | 00000000: 2b 4f 4b 20 4e 6f 64
> 65 20 6d 61 6e 61 67 65 72 +OK Node manager
> 00000010: 20 76 31 30 2e 33 20 73 74 61 72 74 65 64 0d 0a  v10.3 started
>
> NSE: Action script started....
> NSE: Finished 'wl-test' (thread: 02888660) against 10.2.7.20:5556.
> NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | CLOSE
> NSOCK (1.5780s) nsi_delete() (IOD #2)
> Completed NSE at 11:16, 0.06s elapsed
> Nmap scan report for fccvml205.corp.fcc.ca (10.2.7.20)
> Host is up, received echo-reply (0.0010s latency).
> Scanned at 2012-10-23 11:16:43 Canada Central Standard Time for 0s
> PORT     STATE SERVICE REASON
> 5556/tcp open  unknown syn-ack
> |_wl-test: +OK Node manager v10.3 started
> Final times for host: srtt: 1000 rttvar: 3750  to: 100000
>
> NSE: Script Post-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
> Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
>            Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
> NSOCK (1.5870s) nsi_delete() (IOD #2)
>
> The script is attached.  Any help would be appreciated!
>
> Thanks,
>
> Francois
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

Francois,

The script looks pretty straight forward to me and correct to me.
I'm vaguely remembering having issues with Weblogic and SSL in the past
that I didn't pursue.
Could you try running a version scan against the service and a few other
SSL scripts to see if they also produce inconsistent results?

Thanks,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/