Nmap Development mailing list archives

Re: Manually specified SNI values for ssl-* NSE scripts

From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 13 Jan 2016 08:57:55 -0600

Bertrand,

This is an interesting idea. As you noted, we currently use host.targetname
for this, but it could easily be extended to try the reverse-DNS name if
that is not available. A script-arg for this would also be easy to
implement, but it wouldn't scale to scans of multiple hosts. Nonetheless, I
have added the idea to our issue tracker for future implementation:
https://github.com/nmap/nmap/issues/276

Dan

On Wed, Jan 13, 2016 at 7:17 AM, Bertrand Bonnefoy-Claudet <bertrand () cryptosense com> wrote:

Hi,

Nmap uses the TLS SNI extension when provided with a domain name for the
host to scan.  For instance,

    nmap --script ssl-enum-ciphers -p443 <hostname>

will try to use <hostname> as the server name in the TLS ClientHello
message and find the IP address from a DNS resolution.  This is useful
when scanning a specific virtual host on a given target host.

However, I think there are cases when the DNS cannot or should not be
relied upon.  For instance, you might want to scan a specific host but
the A record for this host would rotate.  You could then do:

    nmap --script ssl-enum-ciphers -p443 <ip_address>

to make sure you would hit the right host.  In that case, no server name
would be specified and you would end up scanning the default virtual
host instead of the one you wanted.  I am not aware of any simple
workaround for this (i.e. modifying the hosts file would be a
painstaking thing to do).  Are you?

OpenSSL can do this with the "-servername" option.  What about having
those scripts honor some kind of ssl.servername argument?

--
Bertrand
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
