Nmap Development mailing list archives
Re: [NSE] SSL Fingerprint Matching
From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Feb 2011 13:24:26 -0800
On Mon, Dec 20, 2010 at 09:37:47PM -0600, Mak Kolybabi wrote:
> Attached is a script that connects to SSL services and checks if the host's fingerprint is in a given list. Also attached is a list containing the 2011 fingerprints from Little Black Box 0.1. While I have used this list by default, other lists such as the Debian blacklist could be used as well. Each fingerprint is associated with a short message to state why it is in the list, or where it came from.
>
> If we had compression libraries available, including these lists of fingerprints with Nmap would be easier.
>
> Comments, concerns, criticism, and testing are appreciated.

I made a few changes and think this script is almost ready to be committed. I've attached files with these changes:

* Renamed ssl-known_key.nse to ssl-known-key.nse.
* Renamed ssl-fingerprints.txt to ssl-fingerprints.
* Used the new shortport.ssl portrule.
* Increased some debug thresholds.
* Allowed comments and blank lines in ssl-fingerprints.
* Added attribution comments to ssl-fingerprints.

To save space, how about storing hashes in the database without colons separating bytes? They can continue to be shown in output.

The output looks like this:

|_ssl-known-key: 00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96 is in the database with reason Little Black Box 0.1.

Please change it to be

|_ssl-known-key: Found in Little Black Box 0.1 - http://code.google.com/p/littleblackbox/ (certificate hash: 00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96)

This will give users a little more context if they don't know what the script is for.

Related to that, it would be nice if the description string didn't have to be repeated for hashes with the same description. Could the data file be reworked into something like this:

[Little Black Box 0.1 - http://code.google.com/p/littleblackbox/]
00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96
00:3A:E5:45:D6:9C:47:FB:1C:C2:53:59:AA:D7:54:62:D6:D7:89:90
00:3C:F1:AB:48:B4:6C:41:5E:48:15:10:3F:F8:28:AC:7C:60:D5:51

David Fifield
Attachment: ssl-known-key.nse
Attachment: ssl-fingerprints
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
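
Added example, not part of the original message or of the attached script: a Python loader for the sectioned data file proposed above, accepting hashes with or without colons and producing the requested output line. The "#" comment marker, the function names, and the assumption that the hash is SHA-1 over the DER-encoded certificate are illustrative and not taken from the thread.

```python
import hashlib
import re

# Constructed sample in the sectioned layout proposed in the message. The
# section title and the three hashes are the ones quoted there; the "#"
# comment syntax and the colon-free second entry are assumptions.
SAMPLE_DB = """\
# comment lines and blank lines are skipped

[Little Black Box 0.1 - http://code.google.com/p/littleblackbox/]
00:28:E7:D4:9C:FA:4A:A5:98:4F:E4:97:EB:73:48:56:07:87:E4:96
003AE545D69C47FB1CC25359AAD75462D6D78990
00:3C:F1:AB:48:B4:6C:41:5E:48:15:10:3F:F8:28:AC:7C:60:D5:51
"""

def normalize(fingerprint):
    """Return 40 uppercase hex digits; colons between bytes are optional."""
    digits = fingerprint.replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 20-byte hex fingerprint: %r" % fingerprint)
    return digits

def parse_db(text):
    """Map each normalized fingerprint to the title of its [section]."""
    db, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section is None:
            raise ValueError("line %d: hash before any [section]" % lineno)
        else:
            db[normalize(line)] = section
    return db

def cert_fingerprint(der_cert):
    # Assumption: the 20-byte "certificate hash" is SHA-1 over the DER bytes.
    return hashlib.sha1(der_cert).hexdigest()

def report(fingerprint, db):
    """Return the output line in the requested format, or None if unlisted."""
    digits = normalize(fingerprint)
    if digits not in db:
        return None
    shown = ":".join(digits[i:i + 2] for i in range(0, 40, 2))
    return "Found in %s (certificate hash: %s)" % (db[digits], shown)
```

Storing the hashes without colons and normalizing at load time keeps lookups independent of how each entry was written, while the colons are restored only for display.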