Re: [Version Detection] SSL only ports - softmatch

[David Fifield <david () bamsoftware com>]

On Fri, Mar 01, 2013 at 05:49:28PM -0600, Tom Sellers wrote:
> All,
>       Lines 6605 and 6606 of the nmap-service-probes file match when a HTTP server generates a response that 
> indicates that a client should connect using SSL such as the following:
>
>
> **************************************************************************************
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
> Instead use the HTTPS scheme to access this URL, please.<br />
> <blockquote>Hint: <a href="https://xxx.xxx.xxx.xxx:8443/";><b>https://xxx.xxx.xxx.xx:8443/</b></a></blockquote></p>
> </body></html>
>
> **************************************************************************************
>
>
> In the case above the device is not directing the client to connect via SSL on a different port, but to the same port 
> using SSL.
>
> Unfortunately this stops further version detection via SSL that might actually fingerprint the service.  I have a 
> case like this in my lab now where converting 6605 and 6606 to a softmatch will permit
> correct identification of the service.
>
> I would like to change both 6605 and 6606 to softmatches.  I don't forsee any negative impacts but I wanted to see if 
> anyone had any thoughts on this.
> If approved I will submit the change in a commit that adds an fingerprint for a device where some versions respond 
> similar to the above.

Looks good to me, go ahead.

Is it really Apache, as nmap-service-probes claims?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/