Nmap Development mailing list archives
Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 23 Sep 2015 14:10:44 -0500
Suhail,

I suspected as much. There are a couple things that affect the ciphers offered:

1. Your version of OpenSSL. This is why I asked. Nmap can't offer anything your version doesn't support, so if you're using an older version (like 1.0.0, which doesn't support TLSv1.2) you can run into problems.

2. The cipher list Nsock uses. This is configured in nsock/src/nsock_ssl.c, and is just a reordering of all possible cipher suites for speed. We could and should revisit this reordering, since it puts NULL ciphers early on and other things that are very unlikely to be offered at all. With what we know from the ssl-enum-ciphers script, some servers will not look at more than the first 64 ciphersuites, and others will fail completely if the handshake is too big (too many ciphersuites).

This really means that I need your OpenSSL version, a pcap of the failed handshake (to see what ciphers were offered), and the output of ssl-enum-ciphers so I can see what ciphers would have worked.

Dan

On Wed, Sep 23, 2015 at 11:01 AM, suhail sullad <suhail.sullad () gmail com> wrote:

It turns out that the cipher suite used by snmp is not in nmap. Looking forward for this issue to be fixed.

On Sep 22, 2015 9:09 AM, "suhail sullad" <suhail.sullad () gmail com> wrote:

PFA the nmap dump for the following command.

    ./nmap -sV --script +ssl-cert,+ssl-enum-ciphers --version-light -p 10161 10.212.113.249 --packet-trace > /home/cicadmin/nmapdump.log 2>&1

"sslv3 alert handshake failure" is because the servers are configured with tls only. Hence any lower protocol will be rejected.

On Tue, Sep 22, 2015 at 1:10 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

Would both of you post the output of "nmap --version" please? I specifically need the version of OpenSSL that you are linking with. The output Venky sent contains this line:

    NSOCK INFO [11.6640s] handle_connect_result(): EID 233 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

This means that the server rejected Nmap's connection attempt. It could be a result of protocol mismatch between Nmap's OpenSSL and whatever the snmpd is using. Suhail is correct, the output of ssl-enum-ciphers would be helpful, too, or a packet capture of just

    nmap -sV --version-light -p 10161

Dan

On Mon, Sep 21, 2015 at 9:38 AM, suhail sullad <suhail.sullad () gmail com> wrote:

Venky,

Just to make sure, run the snmp sv on port 161 and also include the ssl-enum-ciphers script, so that it will be helpful for fixing the issue.

On Sep 21, 2015 8:04 PM, "knare k" <knarelinux () gmail com> wrote:

Yes, it doesn't work even with 6.49beta4. Here is the partial output of nmap with -d2 --script-trace.

    Service scan sending probe SSLSessionReq to 127.0.0.1:10161 (tcp)
    NSOCK INFO [11.6600s] nsock_read(): Read request from IOD #9 [127.0.0.1:10161] (timeout: 5000ms) EID 226
    NSOCK INFO [11.6600s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 219 [127.0.0.1:10161]
    NSOCK INFO [11.6610s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 226 [127.0.0.1:10161] (7 bytes): ......(
    Service scan hard match (Probe SSLSessionReq matched with SSLSessionReq line 11688): 127.0.0.1:10161 is ssl
    NSOCK INFO [11.6610s] nsi_delete(): nsi_delete (IOD #9)
    NSOCK INFO [11.6610s] nsi_new2(): nsi_new (IOD #10)
    NSOCK INFO [11.6610s] nsock_connect_ssl(): SSL connection requested to 127.0.0.1:10161/tcp (IOD #10) EID 233
    NSOCK INFO [11.6620s] handle_connect_result(): EID 233 reconnecting with SSL_OP_NO_SSLv2
    NSOCK INFO [11.6640s] handle_connect_result(): EID 233 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    NSOCK INFO [11.6640s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 233 [127.0.0.1:10161]
    Got nsock CONNECT response with status ERROR - aborting this service
    NSOCK INFO [11.6640s] nsi_delete(): nsi_delete (IOD #10)
    Completed Service scan at 19:57, 11.01s elapsed (1 service on 1 host)
    NSE: Script scanning 127.0.0.1.
    NSE: Starting runlevel 1 (of 1) scan.
    Initiating NSE at 19:57
    Fetchfile found /home/venky/Downloads/nmap-6.49BETA4/nselib/data/enterprise_numbers.txt
    NSE: Starting rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
    Fetchfile found /home/venky/Downloads/nmap-6.49BETA4/nmap-rpc
    NSOCK INFO [11.6640s] nsi_new2(): nsi_new (IOD #1)
    NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:10161 (IOD #1) EID 8
    NSE: Starting ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
    NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #2)
    NSOCK INFO [11.8010s] nsock_connect_ssl(): SSL connection requested to 127.0.0.1:10161/tcp (IOD #2) EID 17
    NSE: Starting skypev2-version M:23fbff0 against localhost (127.0.0.1:10161).
    NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #3)
    NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:10161 (IOD #3) EID 24
    NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:10161]
    NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CONNECT
    NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [127.0.0.1:10161]
    NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CONNECT
    NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 |
    00000000: 80 00 00 28 11 d3 fc 0c 00 00 00 00 00 00 00 02    (
    00000010: 00 01 86 a0 00 00 00 02 00 00 00 00 00 00 00 00
    00000020: 00 00 00 00 00 00 00 00 00 00 00 00
    NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 |
    00000000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a    GET / HTTP/1.0
    00000010: 0d 0a
    NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [127.0.0.1:10161]
    NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | SEND
    NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [127.0.0.1:10161]
    NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | SEND
    NSOCK INFO [11.8530s] handle_connect_result(): EID 17 reconnecting with SSL_OP_NO_SSLv2
    NSOCK INFO [11.8540s] handle_connect_result(): EID 17 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    NSOCK INFO [11.8540s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 17 [127.0.0.1:10161]
    NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CONNECT
    NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 4 bytes from IOD #1 [127.0.0.1:10161] EID 50
    NSE: Finished ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
    NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 26 bytes from IOD #3 [127.0.0.1:10161] EID 58
    NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CLOSE
    NSOCK INFO [11.8540s] nsi_delete(): nsi_delete (IOD #2)
    NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ EOF for EID 50 [127.0.0.1:10161]
    NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [127.0.0.1:10161]
    NSE: [rpc-grind M:23fade0 127.0.0.1:10161] isRPC didn't receive response.
    NSE: [rpc-grind M:23fade0 127.0.0.1:10161] Target port 10161 is not a RPC port.
    NSE: Finished rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
    NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CLOSE
    NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #3)
    NSE: Finished skypev2-version M:23fbff0 against localhost (127.0.0.1:10161).
    NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CLOSE
    NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #1)
    Completed NSE at 19:57, 0.19s elapsed
    Nmap scan report for localhost (127.0.0.1)
    Host is up, received syn-ack (0.00018s latency).
    Scanned at 2015-09-21 19:57:22 IST for 12s
    PORT      STATE SERVICE     REASON  VERSION
    10161/tcp open  ssl/unknown syn-ack
    Final times for host: srtt: 179 rttvar: 3773 to: 100000
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 1) scan.
    Initiating NSE at 19:57
    Completed NSE at 19:57, 0.00s elapsed
    Read from /home/venky/Downloads/nmap-6.49BETA4: nmap-payloads nmap-service-probes nmap-services.
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds

Thanks
Venky

On Sun, Sep 20, 2015 at 11:16 PM, suhail sullad <suhail.sullad () gmail com> wrote:

I am using 6.49beta4. The sslcert.lua script is failing in the getCertificate function due to a socket connection error.

On Sep 20, 2015 11:11 PM, "Daniel Miller" <bonsaiviking () gmail com> wrote:

Thanks for chiming in. What version of Nmap are you using, suhail?

Venky, it looks like you're using an older version of Nmap. The ssl-enum-ciphers script has undergone a lot of changes since 6.40. Can you try with Nmap 6.49BETA4 or at worst 6.47 and tell us if you still experience a problem? See https://nmap.org/download.html

If you still experience a problem, please include output of your command with -d2 --script-trace options. I will try to reproduce here if I don't hear back soon.

Dan

On Sun, Sep 20, 2015 at 2:47 AM, suhail sullad <suhail.sullad () gmail com> wrote:

Observed the same issue. Suspecting a cipher issue.

On Sep 19, 2015 6:48 PM, "knare k" <knarelinux () gmail com> wrote:

Thanks Dan.

I configured a local snmp server on an Ubuntu machine with tls support.

    # snmpd dtlsudp:10161 tlstcp:10161

Created a Self-Signed certificate and used it. And the output from the command: "openssl s_client -connect localhost:10161"

    # openssl s_client -connect localhost:10161
    CONNECTED(00000003)
    depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky, emailAddress = venky@localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky, emailAddress = venky@localhost
    verify return:1
    140536960857760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
    140536960857760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    Certificate chain
     0 s:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
       i:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICaTCCAdICCQCqllznqB/5gjANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJJ
    TjELMAkGA1UECAwCQVAxDDAKBgNVBAcMA0hZRDEMMAoGA1UECgwDeHl6MREwDwYD
    VQQLDAhlbWJlZGRlZDEOMAwGA1UEAwwFdmVua3kxHjAcBgkqhkiG9w0BCQEWD3Zl
    bmt5QGxvY2FsaG9zdDAeFw0xNTA5MTkwOTI1MDhaFw0xNjA5MTgwOTI1MDhaMHkx
    CzAJBgNVBAYTAklOMQswCQYDVQQIDAJBUDEMMAoGA1UEBwwDSFlEMQwwCgYDVQQK
    DAN4eXoxETAPBgNVBAsMCGVtYmVkZGVkMQ4wDAYDVQQDDAV2ZW5reTEeMBwGCSqG
    SIb3DQEJARYPdmVua3lAbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
    iQKBgQDA0+Aiqpx9fk/wH9Hg8wQLhEOs9ysC7ASemmv+0u+axru6nsxZTpM7OnMf
    vFgGjAataERxenNVkt2IuRAWIO4p+A6J/H7WrnW3AqEFqovJoWVucAOkqzZfzIuD
    bnVdrksyjJoz2KNdamT/C4PLvUp4ksM1cjEHCE5e9EuNe++uQQIDAQABMA0GCSqG
    SIb3DQEBCwUAA4GBAFFx8mA0mJSr79n1hKlX8SpWYKfZ415Rt/Od3Pa9HFyb4sjl
    pqZHiF82KlAZNJBhdNcp8rnO+bsjJHd1KK/ECFO3ZFL4apKKaQ+6R4rNTTltLCVe
    OuHUEptj0ARghnJdSzy4huurwrMurzooZOk6oJ9px4O4MKW9UThGtxr684FZ
    -----END CERTIFICATE-----
    subject=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
    issuer=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 725 bytes and written 210 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: AA5C362000AE942C8584A8AD153F4D2592AAD5172A2D4D5FE3457FDB5331982AE0739130A72DB3D86CDC1AAAFB30A13B
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1442654860
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---

And the output from the command: "nmap -sV -p <snmpport> --script=+ssl-cert <host>"

    # nmap -sV -p 10161 --script=+ssl-cert localhost
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-19 14:59 IST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00014s latency).
    PORT      STATE SERVICE     VERSION
    10161/tcp open  ssl/unknown
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

Thanks
Venky

On Sat, Sep 19, 2015 at 4:41 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

Venky,

Can you confirm that the SNMP service is actually running SSL? This would be a highly unusual configuration, but you could test with an independent tool. What is the output of this command?

    openssl s_client -connect <host>:<snmpport>

Instead of SSL do you perhaps have SNMPv3 with encryption enabled?

Dan

On Fri, Sep 18, 2015 at 8:25 AM, knare k <knarelinux () gmail com> wrote:

Hi Ulrik,

Thanks for your response. We tried with the '+' option, but no luck. We have set up snmp server locally on our ubuntu machine and tried it. Checking if we configured the snmp server properly, I will let you know if it works.

Thanks
Venky.

---------- Forwarded message ----------
From: Ulrik Haugen <qha () lysator liu se>
Date: Mon, Sep 14, 2015 at 9:56 PM
Subject: Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert
To: knare k <knarelinux () gmail com>

knare k <knarelinux () gmail com> wrote:

I am not able to get SSL certificate for snmp using ssl-cert script of nmap, able to get for all others. I tried the following command with the snmp port.

    # nmap -sU -Pn -p <snmpport> <host> --script=ssl-cert

You might have more luck with:

    # nmap -sU -Pn -p <snmpport> --script=+ssl-cert <host>

The "+" before the script name makes it run even though the portrule doesn't fire. Unfortunately i can't find the documentation for it right now so i can't show how you should have discovered it.

Please report if this works, i have some scripts that need tuning if it does!

Best regards
/Ulrik Haugen
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
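The two hypotheses Dan raises above (a server that only looks at the first 64 cipher suites, and a server that fails outright when the ClientHello is too large) can be tested against the snmpd in this thread without touching Nsock's cipher ordering. The following is an added example, not Nmap or Nsock code: it builds a bare TLS 1.0 ClientHello that offers exactly the suites you choose, in the order you choose, and classifies the server's first record as a ServerHello (reporting the suite the server picked) or an alert (reporting the description code, e.g. the "SSL alert number 40" handshake_failure seen in the s_client output). The suite IDs are from the IANA TLS registry; the sample server records at the bottom are constructed for the self-test and were not captured from the thread's snmpd.

```python
"""Probe how a TLS server reacts to the cipher-suite list in a ClientHello.

Added example for this thread; it is not Nmap or Nsock code. Sends a minimal
TLS 1.0 ClientHello (no extensions) with a chosen suite list and classifies
the server's first record as a ServerHello (with the selected suite) or an
alert (with its description code).
"""
import os
import socket
import struct

# Cipher suite IDs from the IANA TLS registry.
AES256_SHA = 0x0035   # TLS_RSA_WITH_AES_256_CBC_SHA: what s_client negotiated in the thread
AES128_SHA = 0x002F   # TLS_RSA_WITH_AES_128_CBC_SHA
NULL_SHA = 0x0002     # TLS_RSA_WITH_NULL_SHA: a NULL cipher, handy as filler no sane server accepts

# TLS alert descriptions (RFC 5246). 40 is the "SSL alert number 40" from the s_client output.
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
               42: "bad_certificate", 47: "illegal_parameter", 70: "protocol_version",
               71: "insufficient_security", 80: "internal_error"}

TLS1_0 = b"\x03\x01"


def build_client_hello(cipher_suites, client_random=None):
    """Return one TLS record carrying a ClientHello that offers exactly cipher_suites, in order."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS1_0 + client_random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def client_hello_suites(record):
    """Read the suite list back out of a ClientHello record (ours, or one pulled from a pcap)."""
    body = record[5 + 4:]                               # skip record header and handshake header
    sid_len = body[34]                                  # version(2) + random(32)
    off = 35 + sid_len
    n = struct.unpack("!H", body[off:off + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + n, 2)]


def classify_response(data):
    """Classify the first TLS record a server sent back."""
    if len(data) < 5:
        return {"kind": "empty_or_short", "length": len(data)}
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == 0x15 and len(payload) >= 2:            # alert record
        level, desc = payload[0], payload[1]
        return {"kind": "alert", "level": "fatal" if level == 2 else "warning",
                "description": desc, "name": ALERT_NAMES.get(desc, "unknown")}
    if ctype == 0x16 and payload and payload[0] == 0x02 and len(payload) >= 39:   # ServerHello
        sid_len = payload[38]                           # hs header(4) + version(2) + random(32)
        if len(payload) >= 41 + sid_len:
            cipher = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
            return {"kind": "server_hello", "version": (payload[4], payload[5]), "cipher": cipher}
    return {"kind": "other", "content_type": ctype}


def probe(host, port, cipher_suites, timeout=5.0):
    """Send one ClientHello and classify the reply. Does network I/O; not exercised by the self-test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(cipher_suites))
        return classify_response(sock.recv(4096))


# Constructed sample server records for the self-test (not captured from the thread's snmpd).
SAMPLE_ALERT = bytes.fromhex("15030100020228")          # fatal (2) handshake_failure (40)
SAMPLE_SERVER_HELLO = (bytes.fromhex("160301002a02000026") + TLS1_0 + bytes(32)
                       + bytes.fromhex("00" "0035" "00"))   # empty session id, AES256-SHA, null compression


if __name__ == "__main__":
    # Against the thread's setup (snmpd tlstcp:10161 on localhost): does AES256-SHA alone get a
    # ServerHello, is it still picked behind 64 fillers, and does a 301-suite hello break the server?
    for suites in ([AES256_SHA], [NULL_SHA] * 64 + [AES256_SHA], [NULL_SHA] * 300 + [AES256_SHA]):
        print(len(suites), "suites ->", probe("127.0.0.1", 10161, suites))
```

If the single-suite hello yields a server_hello with cipher 0x0035 but the 65-suite hello yields a fatal handshake_failure, the server is only examining a prefix of the list, which is exactly the situation that makes Nsock's NULL-ciphers-first ordering fatal; if the 301-suite hello gets an alert or no bytes at all, the server chokes on large hellos. Running client_hello_suites over the ClientHello from the pcap Dan asks for shows which suites Nmap actually offered and in what order.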
Current thread:
- Fwd: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert, (continued)
- Fwd: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert knare k (Sep 18)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert Daniel Miller (Sep 18)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert knare k (Sep 19)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert suhail sullad (Sep 20)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert Daniel Miller (Sep 20)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert suhail sullad (Sep 20)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert suhail sullad (Sep 21)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert Daniel Miller (Sep 21)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert suhail sullad (Sep 21)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert suhail sullad (Sep 23)
- Re: Unable to get SSL Certificate info for SNMP server with nmap ssl-cert Daniel Miller (Sep 23)