Re: http-slowloris-check doesn't work on nmap 7.12

[Daniel Miller <bonsaiviking () gmail com>]

I see two things here: first, the SSL detection is breaking for some
reason. Previously we did not detect this condition and just kept going,
defaulting to TCP. So I'm not sure what the error is that's causing that,
but I did just make a change to send a real HTTP request instead of "GET /
\r\n\r\n" and to properly close the socket afterwards. This probably won't
change things.

The other thing I see is that the service is running IIS, which is *not*
vulnerable to the Slowloris attack. It *does* have a problem with slow POST
attacks, but Slowloris is about slow HTTP headers, which IIS will not
permit. So I am inclined to believe that the Nmap 6.40 result is a false
positive.

Dan

On Thu, Mar 23, 2017 at 4:36 PM, Omar Arturo Orozco <oorozcoo () gmail com>
wrote:

> Hi Tom.
> I have checked it with nmap 7.40 and I got the same result.
>
> Regards.
>
> On Thu, Mar 23, 2017 at 2:59 PM, Tom Sellers <nmap () fadedcode net> wrote:
>
> > On 3/23/2017 10:47 AM, Omar Arturo Orozco wrote:
> > > Hello.
> > > I was running some tests to check the slowloris vulnerablity.
> > > With nmap 6.40 the script works very well, with nmap 7.12 doesn't work.
> > > I'm  attaching the debug log.
> > >
> > > Regards
> > >
> > > --
> > > ISEC Omar Arturo Orozco
> > > LPIC2 - CEH - ECSA - LPT - CHFI
> >
> > Hello Omar,
> >
> > That error appears to be related to SSL.  There have been quite a few SSL
> > improvements since 7.12 was released.
> >
> > Would it be possible for you to check with Nmap 7.40?
> >
> >
> > Thank you,
> > Tom
>
>
> --
> ISEC Omar Arturo Orozco
> LPIC2 - CEH - ECSA - LPT - CHFI
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/