Nmap Development mailing list archives

Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 23 Sep 2015 14:10:44 -0500

Suhail,

I suspected as much. There are a couple things that affect the ciphers
offered:

1. Your version of OpenSSL. This is why I asked. Nmap can't offer anything
your version doesn't support, so if you're using an older version (like
1.0.0, which doesn't support TLSv1.2) you can run into problems.

2. The cipher list Nsock uses. This is configured in nsock/src/nsock_ssl.c,
and is just a reordering of all possible cipher suites for speed. We could
and should revisit this reordering, since it puts NULL ciphers early on and
other things that are very unlikely to be offered at all. With what we know
from the ssl-enum-ciphers script, some servers will not look at more than
the first 64 ciphersuites, and others will fail completely if the handshake
is too big (too many ciphersuites).

This really means that I need your OpenSSL version, a pcap of the failed
handshake (to see what ciphers were offered), and the output of
ssl-enum-ciphers so I can see what ciphers would have worked.

Dan
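The two failure modes Dan describes above (a NULL-heavy ordering at the head of the offer, and servers that stop reading after the 64th suite or reject an oversized handshake) are easiest to check by looking at the actual ClientHello bytes from a capture. The following is an added example, not Nmap or Nsock code: it builds a minimal ClientHello from a constructed suite list, parses the suites back out in order, decodes the server's Alert record (the "SSL alert number 40" seen in the s_client output is `handshake_failure`), and compares the offer with the set of suites ssl-enum-ciphers reported as accepted. The 64-suite cutoff, the suite-name table, and the sample offer are assumptions taken from the thread or constructed here, not measured values.

```python
"""
Added example (not Nmap/Nsock code): parse a TLS ClientHello to see which
cipher suites a client offered and in what order, decode the server's
Alert record, and check the offer against the two failure modes from the
thread: NULL suites ordered early, and a working suite sitting past the
64th slot. All byte strings below are constructed here, not captured.
"""
import struct

# Threshold quoted in the thread: some servers look at no more than the first 64 suites.
CUTOFF = 64

# Subset of IANA cipher suite codes, used only for labels and the NULL check.
SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",  # OpenSSL name AES256-SHA, as in the s_client output
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
NULL_SUITES = {0x0000, 0x0001, 0x0002, 0x003B}

# TLS AlertDescription values (RFC 5246 section 7.2); 40 is "SSL alert number 40".
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}


def build_client_hello(suites, version=(3, 1)):
    """Construct a minimal ClientHello record (no extensions) offering `suites` in order."""
    body = bytes(version) + bytes(32)               # client_version, zeroed random (constructed)
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_record(data):
    """Split a single TLS record into (content_type, (major, minor), payload)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, (major, minor), payload


def parse_client_hello(record):
    """Return client_version and the ordered cipher suite list from a ClientHello record."""
    ctype, _, payload = parse_record(record)
    if ctype != 0x16 or payload[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                    # skip client_version and random
    pos += 1 + body[pos]                            # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def parse_alert(record):
    """Return (level, description, name) from an Alert record; level 2 is fatal."""
    ctype, _, payload = parse_record(record)
    if ctype != 0x15 or len(payload) != 2:
        raise ValueError("not an Alert record")
    return payload[0], payload[1], ALERT_DESCRIPTIONS.get(payload[1], "unknown")


def assess_offer(suites, server_accepts, cutoff=CUTOFF):
    """Compare the offered suites with those ssl-enum-ciphers says the server accepts."""
    head = suites[:cutoff]
    first_usable = next((i for i, s in enumerate(suites) if s in server_accepts), -1)
    return {
        "offered": len(suites),
        "null_in_head": [s for s in head if s in NULL_SUITES],
        "usable_offered": [s for s in suites if s in server_accepts],
        "first_usable_index": first_usable,
        "usable_within_cutoff": 0 <= first_usable < cutoff,
    }


def demo():
    # Constructed offer: two NULL suites first, 70 filler codes, then the one suite the
    # server in the thread actually negotiated with s_client (AES256-SHA = 0x0035).
    offer = [0x0001, 0x0002] + list(range(0xC0A0, 0xC0A0 + 70)) + [0x0035]
    _, suites = parse_client_hello(build_client_hello(offer))
    report = assess_offer(suites, server_accepts={0x0035})
    # Constructed fatal alert: level 2, description 40 (handshake_failure).
    alert = parse_alert(b"\x15\x03\x01\x00\x02\x02\x28")
    return report, alert


if __name__ == "__main__":
    report, alert = demo()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("server alert:", alert)
```

On a real capture, feed the first record of the client's TCP payload to `parse_client_hello` and the server's reply to `parse_alert`; `usable_within_cutoff` being false while `usable_offered` is non-empty is the signature of the "only the first 64 suites are considered" case, and a non-empty `null_in_head` shows the ordering problem the thread mentions.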

On Wed, Sep 23, 2015 at 11:01 AM, suhail sullad <suhail.sullad () gmail com> wrote:

It turns out that the cipher suite used by snmp is not in nmap.
Looking forward to this issue being fixed.
On Sep 22, 2015 9:09 AM, "suhail sullad" <suhail.sullad () gmail com> wrote:

PFA the nmap dump for the following command.
./nmap -sV --script +ssl-cert,+ssl-enum-ciphers --version-light -p 10161
10.212.113.249 --packet-trace > /home/cicadmin/nmapdump.log 2>&1

"sslv3 alert handshake failure" is because the servers are configured
with TLS only, hence any lower protocol will be rejected.

On Tue, Sep 22, 2015 at 1:10 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

Would both of you post the output of "nmap --version" please? I
specifically need the version of OpenSSL that you are linking with. The
output Venky sent contains this line:

NSOCK INFO [11.6640s] handle_connect_result(): EID 233
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

This means that the server rejected Nmap's connection attempt. It could
be a result of protocol mismatch between Nmap's OpenSSL and whatever the
snmpd is using.

Suhail is correct, the output of ssl-enum-ciphers would be helpful, too,
or a packet capture of just nmap -sV --version-light -p 10161

Dan




On Mon, Sep 21, 2015 at 9:38 AM, suhail sullad <suhail.sullad () gmail com> wrote:

Venky,
Just to make sure, run the snmp sv on port 161 and also include the
ssl-enum-ciphers script, so that it will be helpful for fixing the issue.
On Sep 21, 2015 8:04 PM, "knare k" <knarelinux () gmail com> wrote:

Yes, it doesn't work even with 6.49beta4. Here is the partial output of
nmap with -d2 --script-trace.

Service scan sending probe SSLSessionReq to 127.0.0.1:10161 (tcp)

NSOCK INFO [11.6600s] nsock_read(): Read request from IOD #9
[127.0.0.1:10161] (timeout: 5000ms) EID 226
NSOCK INFO [11.6600s] nsock_trace_handler_callback(): Callback: WRITE
SUCCESS for EID 219 [127.0.0.1:10161]
NSOCK INFO [11.6610s] nsock_trace_handler_callback(): Callback: READ
SUCCESS for EID 226 [127.0.0.1:10161] (7 bytes): ......(
Service scan hard match (Probe SSLSessionReq matched with
SSLSessionReq line 11688): 127.0.0.1:10161 is ssl
NSOCK INFO [11.6610s] nsi_delete(): nsi_delete (IOD #9)
NSOCK INFO [11.6610s] nsi_new2(): nsi_new (IOD #10)
NSOCK INFO [11.6610s] nsock_connect_ssl(): SSL connection requested to
127.0.0.1:10161/tcp (IOD #10) EID 233
NSOCK INFO [11.6620s] handle_connect_result(): EID 233 reconnecting
with SSL_OP_NO_SSLv2
NSOCK INFO [11.6640s] handle_connect_result(): EID 233
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure
NSOCK INFO [11.6640s] nsock_trace_handler_callback(): Callback:
SSL-CONNECT ERROR [Input/output error (5)] for EID 233
[127.0.0.1:10161]
Got nsock CONNECT response with status ERROR - aborting this service
NSOCK INFO [11.6640s] nsi_delete(): nsi_delete (IOD #10)
Completed Service scan at 19:57, 11.01s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:57
Fetchfile found
/home/venky/Downloads/nmap-6.49BETA4/nselib/data/enterprise_numbers.txt
NSE: Starting rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
Fetchfile found /home/venky/Downloads/nmap-6.49BETA4/nmap-rpc
NSOCK INFO [11.6640s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to
127.0.0.1:10161 (IOD #1) EID 8
NSE: Starting ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #2)
NSOCK INFO [11.8010s] nsock_connect_ssl(): SSL connection requested to
127.0.0.1:10161/tcp (IOD #2) EID 17
NSE: Starting skypev2-version M:23fbff0 against localhost (
127.0.0.1:10161).
NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #3)
NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to
127.0.0.1:10161 (IOD #3) EID 24
NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback:
CONNECT SUCCESS for EID 8 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CONNECT
NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback:
CONNECT SUCCESS for EID 24 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CONNECT
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | 00000000: 80 00 00 28 11
d3 fc 0c 00 00 00 00 00 00 00 02    (
00000010: 00 01 86 a0 00 00 00 02 00 00 00 00 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00

NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | 00000000: 47 45 54 20 2f
20 48 54 54 50 2f 31 2e 30 0d 0a GET / HTTP/1.0
00000010: 0d 0a

NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE
SUCCESS for EID 35 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | SEND
NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE
SUCCESS for EID 43 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | SEND
NSOCK INFO [11.8530s] handle_connect_result(): EID 17 reconnecting
with SSL_OP_NO_SSLv2
NSOCK INFO [11.8540s] handle_connect_result(): EID 17
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure
NSOCK INFO [11.8540s] nsock_trace_handler_callback(): Callback:
SSL-CONNECT ERROR [Input/output error (5)] for EID 17
[127.0.0.1:10161]
NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CONNECT
NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 4 bytes from
IOD #1 [127.0.0.1:10161] EID 50
NSE: Finished ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 26 bytes
from IOD #3 [127.0.0.1:10161] EID 58
NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CLOSE
NSOCK INFO [11.8540s] nsi_delete(): nsi_delete (IOD #2)
NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ
EOF for EID 50 [127.0.0.1:10161]
NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ
EOF for EID 58 [127.0.0.1:10161]
NSE: [rpc-grind M:23fade0 127.0.0.1:10161] isRPC didn't receive
response.
NSE: [rpc-grind M:23fade0 127.0.0.1:10161] Target port 10161 is not a
RPC port.
NSE: Finished rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CLOSE
NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #3)
NSE: Finished skypev2-version M:23fbff0 against localhost (
127.0.0.1:10161).
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CLOSE
NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 19:57, 0.19s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up, received syn-ack (0.00018s latency).
Scanned at 2015-09-21 19:57:22 IST for 12s
PORT      STATE SERVICE     REASON  VERSION
10161/tcp open  ssl/unknown syn-ack
Final times for host: srtt: 179 rttvar: 3773  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:57
Completed NSE at 19:57, 0.00s elapsed
Read from /home/venky/Downloads/nmap-6.49BETA4: nmap-payloads
nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds

Thanks
Venky

On Sun, Sep 20, 2015 at 11:16 PM, suhail sullad <suhail.sullad () gmail com> wrote:
I am using 6.49beta4. The sslcert.lua script is failing in the getCertificate
function due to a socket connection error.

On Sep 20, 2015 11:11 PM, "Daniel Miller" <bonsaiviking () gmail com> wrote:

Thanks for chiming in. What version of Nmap are you using, suhail?

Venky, it looks like you're using an older version of Nmap. The
ssl-enum-ciphers script has undergone a lot of changes since 6.40. Can you
try with Nmap 6.49BETA4 or at worst 6.47 and tell us if you still experience
a problem? See https://nmap.org/download.html

If you still experience a problem, please include output of your command
with -d2 --script-trace options. I will try to reproduce here if I don't
hear back soon.

Dan

On Sun, Sep 20, 2015 at 2:47 AM, suhail sullad <suhail.sullad () gmail com> wrote:

Observed the same issue. Suspecting a cipher issue.

On Sep 19, 2015 6:48 PM, "knare k" <knarelinux () gmail com> wrote:

Thanks Dan.

I configured a local snmp server on an Ubuntu machine with TLS support.

# snmpd dtlsudp:10161 tlstcp:10161

Created a Self-Signed certificate and used it.

And the output from the command: "openssl s_client -connect localhost:10161"

# openssl s_client -connect localhost:10161
CONNECTED(00000003)
depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky, emailAddress = venky@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky, emailAddress = venky@localhost
verify return:1
140536960857760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140536960857760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
   i:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted from the archive]
-----END CERTIFICATE-----
subject=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
issuer=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
---
No client certificate CA names sent
---
SSL handshake has read 725 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: AA5C362000AE942C8584A8AD153F4D2592AAD5172A2D4D5FE3457FDB5331982AE0739130A72DB3D86CDC1AAAFB30A13B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1442654860
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---



And the output from the command: "nmap -sV -p <snmpport> --script=+ssl-cert <host>"

# nmap -sV -p 10161 --script=+ssl-cert localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-19 14:59 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
PORT      STATE SERVICE     VERSION
10161/tcp open  ssl/unknown

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds


Thanks
Venky

On Sat, Sep 19, 2015 at 4:41 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
Venky,

Can you confirm that the SNMP service is actually running SSL? This would be
a highly unusual configuration, but you could test with an independent tool.
What is the output of this command?

openssl s_client -connect <host>:<snmpport>

Instead of SSL do you perhaps have SNMPv3 with encryption enabled?

Dan

On Fri, Sep 18, 2015 at 8:25 AM, knare k <knarelinux () gmail com> wrote:

Hi Ulrik,

Thanks for your response. We tried with the '+' option, but no luck.
We have set up snmp server locally on our ubuntu machine and tried it.
Checking if we configured the snmp server properly, I will let you
know if it works.

Thanks
Venky.


---------- Forwarded message ----------
From: Ulrik Haugen <qha () lysator liu se>
Date: Mon, Sep 14, 2015 at 9:56 PM
Subject: Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert
To: knare k <knarelinux () gmail com>


knare k <knarelinux () gmail com> wrote:
I am not able to get SSL certificate for snmp using ssl-cert script of
nmap, able to get for all others. I tried the following command with
the snmp port.

# nmap  -sU -Pn -p <snmpport> <host> --script=ssl-cert

You might have more luck with:

# nmap -sU -Pn -p <snmpport> --script=+ssl-cert <host>

The "+" before the script name makes it run even though the portrule
doesn't fire. Unfortunately I can't find the documentation for it right
now so I can't show how you should have discovered it.

Please report if this works, I have some scripts that need tuning if it
does!

Best regards
/Ulrik Haugen
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
