Nmap Development mailing list archives

Re: Re: [NSE][PATCH] OpenSSL bindings for NSE


From: "M M" <v4lkyrius () gmail com>
Date: Thu, 27 Nov 2008 21:49:20 -0500

> On Mon, Sep 22, 2008 at 05:47:21PM -0600, David Fifield wrote:
> > On Fri, Sep 19, 2008 at 09:12:24AM +0200, Sven Klemm wrote:
> > > Hi everyone,
> > >
> > > here is the latest OpenSSL bindings patch for nmap including support for
> > > multiprecision integer arithmetic, message digests, hmac, symmetric
> > > encryption, symmetric decryption.
> > > Documentation for the new functions is also included.
> >
> > Hi Sven. This is looking great. The documentation is especially
> > appreciated. This module will open a lot of doors for script developers
> > and I'd like to see it integrated.
>
> I completely agree with David here and think Sven's OpenSSL module is
> a winner!  We just need to figure out these last nagging issues (such
> as how to degrade gracefully for people w/o OpenSSL).
>
> In other amusing NSE news, I just got my daily syslog report and
> noticed this:
>
> Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-NmapNSE_1.0 : 57 time(s)
>
> Cheers,
> -F

I first noticed this in auth.log when I got port scanned by a friend a
while back. My firewall rules have reflected this observation ever
since.
Defeats the purpose of nmap, does it not?

For example:

  pluto: # nmap -A -p 22 localhost

  Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-26 06:05 EST
  Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
  Interesting ports on localhost (127.0.0.1):
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 5.0 (protocol 2.0)
  Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  Device type: general purpose
  Running: Linux 2.6.X
  OS details: Linux 2.6.17 - 2.6.24
  Uptime: 0.217 days (since Wed Nov 26 00:52:52 2008)
  Network Distance: 0 hops

  OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 1.360 seconds

  pluto:/var/log # tail messages | grep sshd
  Nov 26 06:05:29 pluto sshd[7947]: Did not receive identification string from 127.0.0.1
  Nov 26 06:05:30 pluto sshd[7951]: Protocol major versions differ for 127.0.0.1: SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-NmapNSE_1.0
  pluto:/ # iptables -I INPUT -p tcp -m string --string "NmapNSE" --algo bm -j DROP
  pluto:/ # iptables -I INPUT -p tcp -m string --string "NmapNSE" --algo bm -j LOG --log-prefix "n00b nmap scan: "
  pluto:/ # nmap -A -p22 localhost

  Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-26 06:08 EST
  Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
  ^C
  pluto:/var/log # grep n00b firewall | tail -1
  Nov 26 06:08:35 pluto kernel: n00b nmap scan: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6129 DF PROTO=TCP SPT=27995 DPT=22 WINDOW=257 RES=0x00 ACK PSH URGP=0


Frankly, I'm surprised no one has so much as mentioned this before (at
least publicly, according to Google). They say discretion is the
polite word for hypocrisy. ;-)

Sincerely,
v4lkyrius

Attachment: SSHv1-support.nse.redpill.patch

Attachment: SSHv1-support.nse.bluepill.patch

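The detection side of what the post demonstrates, as an added example that is not code from the post or from the Nmap project: it pulls the client identification string out of sshd's "Protocol major versions differ" lines (format as quoted above), decides on the banner rather than on the message, since a genuine SSH-1-only client trips the same message, and mirrors what the `iptables -m string` rule sees for a single packet. The sample log lines are constructed for the example (the two 127.0.0.1 lines copy the post; the other peers and the "OldClient" banner are assumptions).

```python
"""Detect Nmap NSE SSHv1 probes from sshd log lines and raw payloads.

Added example; not code from the nmap-dev post or from the Nmap project.
The client banner "SSH-1.5-NmapNSE_1.0" and the sshd message format are
taken from the log lines quoted in the post; every sample line below is
CONSTRUCTED for this example, and the non-Nmap banners are assumptions.
"""
import re
from collections import Counter

# sshd's message when the client's identification string advertises a
# protocol major version the server does not speak (format as quoted in
# the post: "Protocol major versions differ for <peer>: <server> vs. <client>").
VERSION_MISMATCH = re.compile(
    r"sshd\[\d+\]: Protocol major versions differ for (?P<peer>\S+): "
    r"(?P<server>SSH-\S+) vs\. (?P<client>SSH-\S+)"
)

# SSH identification string: SSH-protoversion-softwareversion [SP comments]
IDENT = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Software-version markers that identify a scanner rather than a real client.
# "NmapNSE" is the one the post documents.
SCANNER_MARKERS = ("NmapNSE",)


def parse_ident(ident):
    """Split an identification string into its fields, or None if malformed."""
    m = IDENT.match(ident.rstrip("\r\n"))
    return m.groupdict() if m else None


def is_scanner_banner(ident):
    """True when the software-version field carries a known scanner marker."""
    fields = parse_ident(ident)
    return bool(fields) and any(mk in fields["software"] for mk in SCANNER_MARKERS)


def scan_log(lines):
    """Count version-mismatch events per peer that were caused by a scanner banner.

    A plain "Protocol major versions differ" line is not enough on its own:
    a genuine SSH-1-only client produces the same message, so the decision
    is made on the client banner, not on the message.
    """
    hits = Counter()
    for line in lines:
        m = VERSION_MISMATCH.search(line)
        if m and is_scanner_banner(m.group("client")):
            hits[m.group("peer")] += 1
    return dict(hits)


def payload_matches(payload, needle=b"NmapNSE"):
    """What `iptables -m string --string NmapNSE` decides for ONE packet.

    The kernel match is a substring search over a single segment's payload,
    so it sees neither a banner split across two segments nor anything but
    the literal bytes; changing the banner string in the script sidesteps it.
    """
    return needle in payload


# Constructed sample: the two lines the post quotes plus three invented ones.
SAMPLE_LOG = [
    "Nov 26 06:05:29 pluto sshd[7947]: Did not receive identification string from 127.0.0.1",
    "Nov 26 06:05:30 pluto sshd[7951]: Protocol major versions differ for 127.0.0.1: "
    "SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-NmapNSE_1.0",
    "Nov 26 06:07:02 pluto sshd[7960]: Protocol major versions differ for 10.0.0.5: "
    "SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-NmapNSE_1.0",
    # An SSH-1-only client (assumed banner) trips the same sshd message but is not a scanner.
    "Nov 26 06:07:10 pluto sshd[7962]: Protocol major versions differ for 10.0.0.9: "
    "SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-OldClient_1.2",
    "Nov 26 06:08:01 pluto sshd[7970]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2",
]

if __name__ == "__main__":
    for peer, n in scan_log(SAMPLE_LOG).items():
        print(f"{peer}: {n} NmapNSE probe(s)")
```

Run against the sample, only the two peers that sent the NmapNSE banner are reported; the 10.0.0.9 line is ignored even though sshd logged the same complaint about it. The `payload_matches` function makes the limits of the iptables rule explicit: it is a literal substring test on one packet, so it catches the stock banner and nothing else.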

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
