Nmap Development mailing list archives

OpenVPN probes and script question


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 29 Jan 2010 21:42:39 +0100

Hi all,

I'm toying around with OpenVPN for the moment and I've implemented probes that detect it running on both UDP and TCP.  
As far as I can tell it's only possible to detect it if it's running in PKI mode, e.g. not using static keys. The reason 
for this is that when running with a static key, if the receiving part receives a message it can't decrypt, it simply 
doesn't answer. There does not appear to be any kind of handshake that could be triggered when running in this mode. 
But, I'm implementing it based on packet dumps between two test systems so I could be wrong.

Apart from the probes I've implemented a script (it's kind of rough for the moment) that retrieves the remote 
certificate. However, the certificate is ASN encoded. So I guess my question is (before I start re-inventing the wheel 
(again)), could I call openssl from Lua to decode it? I've looked at ssl-cert.nse but it seems to get the cert already 
decoded in a table. 

Regarding the probes, I appended some text to the end of the byte sequence of the UDP probe in order to trigger an 
error, rather than having OpenVPN waiting for additional UDP packets. Without this text, two scans in a row will fail 
because the service is waiting for more packets until a certain timeout occurs.

Oh, and one last thing, this message got me a bit curious as it's triggered by the probes, but so far I haven't lost 
any connection on other clients when it appears: 
Fri Jan 29 21:36:39 2010 SIGUSR1[soft,tls-error] received, process restarting

I'm attaching a patch for the probes and a few signatures if someone wants to improve the match lines.

//Patrik
--
Patrik Karlsson
http://www.cqure.net


Attachment: openvpn-probe.patch

Attachment: openvpn-signatures.txt



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
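
On the certificate question in the message above: assuming the retrieved bytes are DER (the encoding X.509 certificates use inside a TLS handshake), the tag-length-value structure can be walked in plain Lua without calling openssl. The sketch below is an added example, not code from the original post or from Nmap; `read_header` and `walk_der` are hypothetical names, and the sample bytes are a constructed fragment rather than a real certificate.

```lua
-- Added example: minimal DER (ASN.1) tag-length-value walker in plain Lua (no NSE libraries).
local TAGS = { [0x02] = "INTEGER", [0x03] = "BIT STRING", [0x04] = "OCTET STRING",
  [0x05] = "NULL", [0x06] = "OID", [0x0c] = "UTF8String",
  [0x13] = "PrintableString", [0x17] = "UTCTime", [0x30] = "SEQUENCE", [0x31] = "SET" }

-- Parse one header at pos. Returns tag, content start, content length,
-- or nil plus an error message for malformed or unsupported input.
local function read_header(der, pos)
  local tag, len = der:byte(pos), der:byte(pos + 1)
  if not tag or not len then return nil, "truncated header" end
  if tag % 32 == 31 then return nil, "multi-byte tag not supported" end
  pos = pos + 2
  if len >= 0x80 then              -- long form: low 7 bits count the length octets
    local n = len - 0x80
    if n == 0 or n > 4 then return nil, "unsupported length form" end
    len = 0
    for i = 0, n - 1 do
      local b = der:byte(pos + i)
      if not b then return nil, "truncated length" end
      len = len * 256 + b
    end
    pos = pos + n
  end
  return tag, pos, len
end

-- Walk der[pos..stop], appending one indented line per element to out.
local function walk_der(der, pos, stop, depth, out)
  while pos <= stop do
    local tag, start, len = read_header(der, pos)
    if not tag then return nil, start end
    if start + len - 1 > stop then return nil, "element overruns its container" end
    local line = string.rep("  ", depth) .. (TAGS[tag] or string.format("[0x%02x]", tag))
    if tag == 0x0c or tag == 0x13 then     -- text types: show the value
      line = line .. ' "' .. der:sub(start, start + len - 1) .. '"'
    end
    out[#out + 1] = string.format("%s (%d bytes)", line, len)
    if math.floor(tag / 32) % 2 == 1 then  -- constructed bit set: descend into children
      local ok, err = walk_der(der, start, start + len - 1, depth + 1, out)
      if not ok then return nil, err end
    end
    pos = start + len
  end
  return out
end

-- Constructed sample: SEQUENCE { INTEGER 2, SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, "test-server" } } } }
local sample = string.char(0x30,0x1b, 0x02,0x01,0x02, 0x30,0x16, 0x31,0x14,
  0x30,0x12, 0x06,0x03,0x55,0x04,0x03, 0x13,0x0b) .. "test-server"
local out = assert(walk_der(sample, 1, #sample, 0, {}))
for _, l in ipairs(out) do print(l) end
```

The length and container checks matter here because the bytes come from an unauthenticated remote peer; string values should likewise be treated as untrusted before they are shown in script output.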
