Nmap Development mailing list archives
Strange response to comm.tryssl
From: Francois Lachance <digitallachance () gmail com>
Date: Tue, 23 Oct 2012 16:24:13 -0600
I am a total n00b at writing nmap scripts. I am hoping that someone can help with this one. I am trying to write a script to scan for WebLogic Node Manager. Those connections are supposed to use SSL, so naturally I decided to use comm.tryssl. Unfortunately, I am getting inconsistent results. It usually fails to establish an SSL connection. The frustrating thing is that it has succeeded on a few occasions. The only thing that is returned by the tryssl is a short 7 bytes:

15 00 02 00 02 02 46

Does that mean anything to anyone?

Here is the relevant part of the output:

Initiating NSE at 15:57
NSOCK (1.4990s) TCP connection requested to 10.2.7.20:5556 (IOD #1) EID 8
NSOCK (1.4990s) Setting of SO_BROADCAST failed (IOD #1)
NSOCK (1.5010s) Callback: CONNECT SUCCESS for EID 8 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:4894 > 10.2.7.20:5556 | CONNECT
NSE: TCP 10.4.7.136:4894 > 10.2.7.20:5556 | 00000000: 48 45 4c 4c 4f 20 77 6c 2d 74 65 73 74 2e 6e 73 HELLO wl-test.ns
00000010: 65 0a e
NSOCK (1.5140s) Write request for 18 bytes to IOD #1 EID 19 [10.2.7.20:5556]: HELLO wl-test.nse.
NSOCK (1.5140s) Callback: WRITE SUCCESS for EID 19 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:4894 > 10.2.7.20:5556 | SEND
NSOCK (1.5150s) Read request from IOD #1 [10.2.7.20:5556] (timeout: 8000ms) EID 26
NSOCK (1.5470s) Callback: READ SUCCESS for EID 26 [(null):-1] (7 bytes): ......F
NSE: TCP unknown protocol:0 < unknown protocol:0 | 00000000: 15 00 02 00 02 02 46 F
NSE: Action script started....
NSE: Finished 'wl-test' (thread: 029C81C0) against 10.2.7.20:5556.
NSE: TCP unknown protocol:0 > unknown protocol:0 | CLOSE
NSOCK (1.5490s) nsi_delete() (IOD #1)
Completed NSE at 15:57, 0.05s elapsed
Nmap scan report for fccvml205.corp.fcc.ca (10.2.7.20)
Host is up, received echo-reply (0.0045s latency).
Scanned at 2012-10-23 15:57:40 Canada Central Standard Time for 0s
PORT STATE SERVICE REASON
5556/tcp open unknown syn-ack
|_wl-test: Unexpected response from server: \x15\x00\x02\x00\x02\x02F
Final times for host: srtt: 4500 rttvar: 12750 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
NSOCK (1.5510s) nsi_delete() (IOD #1)

And here is a capture of the output when it was successful:

Initiating NSE at 11:16
NSOCK (1.5300s) TCP connection requested to 10.2.7.20:5556 (IOD #1) EID 8
NSOCK (1.5300s) Setting of SO_BROADCAST failed (IOD #1)
NSOCK (1.5330s) Callback: CONNECT SUCCESS for EID 8 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | CONNECT
NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | 00000000: 48 45 4c 4c 4f 20 77 6c 2d 74 65 73 74 2e 6e 73 HELLO wl-test.ns
00000010: 65 0a e
NSOCK (1.5450s) Write request for 18 bytes to IOD #1 EID 19 [10.2.7.20:5556]: HELLO wl-test.nse.
NSOCK (1.5490s) Callback: WRITE SUCCESS for EID 19 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | SEND
NSOCK (1.5510s) Read request from IOD #1 [10.2.7.20:5556] (timeout: 8000ms) EID 26
NSOCK (1.5510s) Callback: READ ERROR [Unknown error (10054)] for EID 26 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:2336 > 10.2.7.20:5556 | CLOSE
NSOCK (1.5520s) nsi_delete() (IOD #1)
NSOCK (1.5540s) SSL connection requested to 10.2.7.20:5556/tcp (IOD #2) EID 33
NSOCK (1.5540s) Setting of SO_BROADCAST failed (IOD #2)
NSOCK (1.5710s) Callback: SSL-CONNECT SUCCESS for EID 33 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | CONNECT
NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | 00000000: 48 45 4c 4c 4f 20 77 6c 2d 74 65 73 74 2e 6e 73 HELLO wl-test.ns
00000010: 65 0a e
NSOCK (1.5730s) Write request for 18 bytes to IOD #2 EID 43 [10.2.7.20:5556]: HELLO wl-test.nse.
NSOCK (1.5760s) Callback: WRITE SUCCESS for EID 43 [10.2.7.20:5556]
NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | SEND
NSOCK (1.5770s) Read request from IOD #2 [10.2.7.20:5556] (timeout: 8000ms) EID 50
NSOCK (1.5770s) Callback: READ SUCCESS for EID 50 [10.2.7.20:5556] (32 bytes): +OK Node manager v10.3 started..
NSE: TCP 10.4.7.136:2337 < 10.2.7.20:5556 | 00000000: 2b 4f 4b 20 4e 6f 64 65 20 6d 61 6e 61 67 65 72 +OK Node manager
00000010: 20 76 31 30 2e 33 20 73 74 61 72 74 65 64 0d 0a v10.3 started
NSE: Action script started....
NSE: Finished 'wl-test' (thread: 02888660) against 10.2.7.20:5556.
NSE: TCP 10.4.7.136:2337 > 10.2.7.20:5556 | CLOSE
NSOCK (1.5780s) nsi_delete() (IOD #2)
Completed NSE at 11:16, 0.06s elapsed
Nmap scan report for fccvml205.corp.fcc.ca (10.2.7.20)
Host is up, received echo-reply (0.0010s latency).
Scanned at 2012-10-23 11:16:43 Canada Central Standard Time for 0s
PORT STATE SERVICE REASON
5556/tcp open unknown syn-ack
|_wl-test: +OK Node manager v10.3 started
Final times for host: srtt: 1000 rttvar: 3750 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
NSOCK (1.5870s) nsi_delete() (IOD #2)

The script is attached. Any help would be appreciated!

Thanks,
Francois
Attachment:
wl-test.nse
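Added example (not part of the original message, the attached script, or Nmap's code): a small Python decoder that reads a captured response as a TLS record, i.e. a content-type byte, two version bytes and a two-byte length, followed here by a two-byte alert body. Run on the seven bytes from the failing scan above, it reports a fatal protocol_version alert, which lets a script tell a TLS-layer reply from a plaintext banner. The function names are illustrative and the alert table lists only a few common codes.

```python
import struct

# TLS record content types and a few alert codes (subset, for illustration).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 47: "illegal_parameter",
                      50: "decode_error", 70: "protocol_version",
                      80: "internal_error"}

# Both samples are copied from the NSE debug output quoted in the message.
FAILED_READ = bytes.fromhex("15000200020246")
BANNER = b"+OK Node manager v10.3 started\r\n"


def parse_tls_record(data):
    """Decode the first TLS record in data, or return None if the bytes
    do not fit the record layout (heuristic: known type, full body present)."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or len(data) < 5 + length:
        return None
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor),
              "length": length, "alert": None}
    body = data[5:5 + length]
    # An unencrypted alert body is exactly two bytes: level, description.
    if ctype == 21 and length == 2:
        level, desc = body[0], body[1]
        record["alert"] = (ALERT_LEVELS.get(level, "unknown(%d)" % level),
                           ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc))
    return record


def classify_response(data):
    """Label a first read as a TLS alert, another TLS record, or plaintext."""
    record = parse_tls_record(data)
    if record is None:
        return "plaintext"
    if record["alert"] is not None:
        return "tls-alert: %s %s" % record["alert"]
    return "tls-" + record["type"]


if __name__ == "__main__":
    print(parse_tls_record(FAILED_READ))
    print(classify_response(FAILED_READ))
    print(classify_response(BANNER))
```
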
Current thread:
- Strange response to comm.tryssl Francois Lachance (Oct 23)
- Re: Strange response to comm.tryssl Patrik Karlsson (Oct 23)