Nmap Development mailing list archives
Re: Floating a bit of an idea - identifying web server/host OS based on SSL handshake results?
From: David Fifield <david () bamsoftware com>
Date: Fri, 14 May 2010 21:06:31 -0600
On Wed, May 12, 2010 at 01:40:52PM -0500, Dario Ciccarone (dciccaro) wrote:
We know how the SSL handshake works, cipher/compression algorithm wise - client establishes connection to server, lists the cryptographic capabilities of the client in order of preference, server replies w/ cipher suite/compression algorithm chosen. Idea (which needs from testing ;)) - for heavily firewalled/obfuscated web servers, an NSE script could establish X SSL connections, each one with a different set of ciphers (permutations on a given set or mutually exclusive sets), check which one is chosen by the server. My (untested, unproven) theory is that the server-side preference for one algorithm over another is hard coded/defaults never changed, and may allow to sort out not only between Apache/IIS/JSSE-based servers, but maybe between same server revisions.
The ssl-enum-ciphers gets the list of supported ciphers in order. http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html $ nmap -T2 --script=ssl-enum-ciphers -p 443 apache.org microsoftiis.com localhost -d -Pn -n PORT STATE SERVICE REASON 443/tcp open https syn-ack | ssl-enum-ciphers: | SSLv3 | Ciphers (8) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) | uncompressed | TLSv1.0 | Ciphers (8) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Final times for host: srtt: 72402 rttvar: 72402 to: 400000 Nmap scan report for microsoftiis.com (203.31.191.220) Host is up, received user-set (0.26s latency). Scanned at 2010-05-14 20:57:58 MDT for 242s PORT STATE SERVICE REASON 443/tcp open https syn-ack | ssl-enum-ciphers: | SSLv3 | Ciphers (10) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_DHE_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) | uncompressed | TLSv1.0 | Ciphers (10) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_DHE_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Final times for host: srtt: 259213 rttvar: 259213 to: 1296065 Nmap scan report for localhost (127.0.0.1) Host is up, received user-set (0.0014s latency). Scanned at 2010-05-14 20:57:58 MDT for 40s PORT STATE SERVICE REASON 443/tcp open https syn-ack | ssl-enum-ciphers: | SSLv3 | Ciphers (5) | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_IDEA_CBC_SHA | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) | uncompressed | TLSv1.0 | Ciphers (5) | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_IDEA_CBC_SHA | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Final times for host: srtt: 1441 rttvar: 5000 to: 400000 All three lists above are different. (The localhost server is ncat --ssl.) So yes, I think this is feasible. Maybe you or someone else can collect signatures for cipher lists, and ssl-enum-ciphers could make a guess. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Floating a bit of an idea - identifying web server/host OS based on SSL handshake results? Dario Ciccarone (dciccaro) (May 12)
- Re: Floating a bit of an idea - identifying web server/host OS based on SSL handshake results? David Fifield (May 14)