Nmap Development mailing list archives
Problems with the sslv2 NSE script / documentation
From: Anders Thulin <anders.thulin () sentor se>
Date: Tue, 25 Oct 2011 10:10:30 +0200
At a recent security test, I received the following result from the sslv2 script:

---
$ nmap -Pn -p443 <host address> --script sslv2

Starting Nmap 5.51 ( http://nmap.org ) at [... omitted]
Nmap scan report for <host address>
Host is up (0.016s latency).
PORT    STATE SERVICE
443/tcp open  https
|_sslv2: server still supports SSLv2

Nmap done: 1 IP address (1 host up) scanned in 2.80 seconds
---

However, when I check the documentation page of the sslv2 script to ensure that I knew exactly what that means, I see that a number of crypto suites seem to be supposed to be listed after the 'server still supports SSLv2' line.

By perusing the script code (not expert in NSE, I'm afraid), I find that an alternative but undocumented result is 'server supports SSLv2 protocol, but no SSLv2 cyphers'.

* Documentation bug: that output should have been documented.

Now, I appear to have received a report that isn't covered by either of these two possibilities, and this suggests something wrong in either the code or the documentation.

After still more code digging, I find that verbosity appears to play a part: the script output as shown in the documentation depends on verbosity > 1.

* Documentation bug: there is no mention of verbosity levels.

* Suggestion: include both non-verbose and verbose results in the Sample Output section.

(At present I can't repeat the test against the same host, so I can't verify if the '-sV -sC' options in the Example Usage documentation do enable verbosity, but as far as I read from the Nmap ref. man., they don't. So I assume they really don't.)

* Possible documentation bug: Sample output should, unless anything else is stated, be the result of Example Usage.

It also seems desirable to provide an Example Usage that is minimal or tightly focussed on the script. Using -sC to invoke sslv2.nse is a bit indirect.

* Suggestion: Replace current example usage with 'nmap -v --script sslv2', and the possible addition that sslv2 is included in the default script set (-sC).

* Idea: The perfect solution would probably be to give a Synopsis: 'nmap [-v] --script sslv2' which includes all other configurations (such as verbosity) that affect the script being documented, along with a number of sample outputs covering the important variations.

Relying on absence of information to convey positive information (which the non-verbose invocation does in the situation that I encountered) is not ideal, as it assumes the documentation covers all possibilities, or that the user is an expert on the script.

* Suggestion: Add information about how many ciphers were returned in the handshake to make it clear that the handshake was successful also in the non-verbose case. Perhaps something like:

|_sslv2: server still supports SSLv2 (7 cipher specs)

Additionally, the cyphers function appears to be capable of returning an empty string, but there's also a comment that '-- something's got broken along the way if these aren't equal' next to it. This possibly rare error case is not handled in the main body of the program.

* Possible code bug: An error situation appears to lead to just the same situation as I encountered, which an expert user would interpret as an indication that the handshake was successful, but where in fact there was a code failure.

Hope this is useful,

-- 
Anders Thulin anders.thulin () sentor se
070-757 36 10 / Intl. +46 70 757 36 10

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
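The three outcomes the message distinguishes (a SERVER-HELLO with cipher specs, a SERVER-HELLO with none, and a reply whose cipher-spec length does not match what the server announced) are easiest to see in a small probe that does the same SSLv2 handshake itself. The following is an added example written for this page; it is not code from sslv2.nse or from the Nmap project. It assumes the SSLv2 record and CLIENT-HELLO/SERVER-HELLO layouts from the SSL 2.0 specification and the seven standard SSLv2 cipher kinds; the sample SERVER-HELLO messages are constructed inline for offline use, not captured from a real server, and the report strings mirror the script output quoted in the message, with the cipher count added in the non-verbose line as suggested.

```python
"""SSLv2 CLIENT-HELLO/SERVER-HELLO probe and parser (added example, not sslv2.nse)."""
import os
import socket
import struct

# Standard SSLv2 CIPHER-KIND values (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = None) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher spec, no session id, 16-byte challenge."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    hdr = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION, len(specs), 0, len(challenge))
    return sslv2_record(hdr + specs + challenge)


def parse_server_hello(data: bytes) -> dict:
    """Return {'sslv2': bool, 'ciphers': [names], 'error': str | None} for a raw reply."""
    result = {"sslv2": False, "ciphers": [], "error": None}
    if len(data) < 2 or not data[0] & 0x80:
        # Empty replies and TLS alerts (0x15 ...) land here: no SSLv2 record at all.
        result["error"] = "no SSLv2 record header in reply"
        return result
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 11:
        result["error"] = "truncated SSLv2 record"
        return result
    msg, _hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack(">BBBHHHH", body[:11])
    if msg != MSG_SERVER_HELLO or version != SSLV2_VERSION:
        result["error"] = "reply is not an SSLv2 SERVER-HELLO"
        return result
    off = 11 + cert_len
    specs = body[off:off + specs_len]
    # The "something's got broken along the way" case: the server announced specs_len
    # bytes of cipher specs but sent fewer, or not a whole number of 3-byte specs.
    # Report it as a failure instead of letting it look like a clean handshake.
    if len(specs) != specs_len or specs_len % 3:
        result["error"] = "cipher spec length mismatch in SERVER-HELLO"
        return result
    result["sslv2"] = True
    result["ciphers"] = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
                         for i in range(0, specs_len, 3)]
    return result


def report(result: dict, verbose: bool = False) -> str:
    """Summary line that states the cipher count even when not verbose."""
    if result["error"]:
        return "SSLv2 check failed: " + result["error"]
    n = len(result["ciphers"])
    if n == 0:
        return "server supports SSLv2 protocol, but no SSLv2 cipher specs"
    line = f"server still supports SSLv2 ({n} cipher specs)"
    if verbose:
        line += "\n  " + "\n  ".join(result["ciphers"])
    return line


def build_server_hello(specs: bytes, cert: bytes = b"", conn_id: bytes = b"\x00" * 16) -> bytes:
    """Constructed SERVER-HELLO for offline testing (not captured from a real server)."""
    hdr = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                      len(cert), len(specs), len(conn_id))
    return sslv2_record(hdr + cert + specs + conn_id)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check against a host (needs network access; not used by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 0x8002:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data[0] & 0x80 and len(data) >= 2 + (((data[0] & 0x7F) << 8) | data[1]):
                    break
        except socket.timeout:
            pass
    return parse_server_hello(data)


if __name__ == "__main__":
    import sys
    print(report(probe(sys.argv[1]), verbose="-v" in sys.argv))
```

Run as `python sslv2probe.py <host> [-v]` against a host you are authorised to test. A modern server that has SSLv2 disabled typically answers the SSLv2 CLIENT-HELLO with a TLS alert or closes the connection, both of which surface as an explicit "check failed" line rather than silence, which is the distinction the message asks the script's output to make.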