Nmap Development mailing list archives
Re: Manually specified SNI values for ssl-* NSE scripts
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 13 Jan 2016 08:57:55 -0600
Bertrand,

This is an interesting idea. As you noted, we currently use host.targetname for this, but it could easily be extended to try the reverse-DNS name if that is not available. A script-arg for this would also be easy to implement, but it wouldn't scale to scans of multiple hosts. Nonetheless, I have added the idea to our issue tracker for future implementation: https://github.com/nmap/nmap/issues/276

Dan

On Wed, Jan 13, 2016 at 7:17 AM, Bertrand Bonnefoy-Claudet <bertrand () cryptosense com> wrote:

Hi,

Nmap uses the TLS SNI extension when provided with a domain name for the host to scan. For instance,

    nmap --script ssl-enum-ciphers -p443 <hostname>

will try to use <hostname> as the server name in the TLS ClientHello message and find the IP address from a DNS resolution. This is useful when scanning a specific virtual host on a given target host.

However, I think there are cases when the DNS cannot or should not be relied upon. For instance, you might want to scan a specific host but the A record for this host would rotate. You could then do:

    nmap --script ssl-enum-ciphers -p443 <ip_address>

to make sure you would hit the right host. In that case, no server name would be specified and you would end up scanning the default virtual host instead of the one you wanted.

I am not aware of any simple workaround for this (i.e. modifying the hosts file would be a painstaking thing to do). Are you?

OpenSSL can do this with the "-servername" option. What about having those scripts honor some kind of ssl.servername argument?

--
Bertrand

_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/