Nmap Development mailing list archives
Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 25 Oct 2014 12:42:02 -0500
Tom,

This looks good. I got halfway through reading your description, saw the problem, and committed the same thing, except that I forgot the API and checked port.service_tunnel (nonexistent!). I've rolled that back, so you can commit this one if you like. If you need me to commit it, I can do that, too.

Dan

On Sat, Oct 25, 2014 at 6:28 AM, Tom Sellers <nmap () fadedcode net> wrote:
There is a problem with ssl-enum-ciphers.nse when run with version detection against certain services.

The root cause is in sslcert.lua where functions 'getPrepareTLSWithoutReconnect' and 'isPortSupported' perform a lookup against a port or service name to determine if STARTTLS should be used against a given port to negotiate SSL/TLS. No issues occur if provided a port number. The problem arises when version detection is used against a service that is in the lookup table, such as ldap or smtp, and that service is already wrapped in SSL/TLS. The functions will still return a function that the scripts will then use to try to use STARTTLS, resulting in invalid data and a dropped connection.

For example, the functions' logic works fine against non-TLS LDAP on port 389/tcp but will fail against LDAP/S on port 636/tcp. Similar results can be seen on SMTP on port 25 vs SMTPS on port 465/tcp. I have experienced this against LDAP/S (636/tcp), SMTPS (465/tcp), POP3S (995/tcp) and IMAP/S (993/tcp).

Example:

Does not work, simply returns version detection information:

    nmap -sSV --script=ssl-enum-ciphers -p465 <mail_server_w/_TLS>

    PORT    STATE SERVICE  VERSION
    465/tcp open  ssl/smtp BigName smtp

No version detection, works as expected and returns ciphers:

    nmap -sS --script=ssl-enum-ciphers -p465 <mail_server_w/_TLS>

    PORT    STATE SERVICE  VERSION
    465/tcp open  ssl/smtp BigName smtp
    | ssl-enum-ciphers:
    |   SSLv3:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    <snip>

This problem will also affect the ssl-ccs-injection, ssl-date, ssl-heartbleed, and ssl-poodle scripts.

To fix this I have attached a patch that adds checks to these two functions that determines if the specified port is already wrapped with TLS and returns nil if so.

Thanks much,

Tom Sellers

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
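The lookup and the guard discussed in the thread, as an added example written for this page. It is not code from nselib/sslcert.lua or from the attached patch: the table contents, the `starttls_handler` stubs and the constructed port tables are assumptions made so the snippet runs stand-alone with plain `lua`. The only NSE facts it relies on are the port-table fields `port.number`, `port.service` and `port.version.service_tunnel` (the last is "ssl" when version detection found the service behind SSL/TLS, which is what prints as "ssl/smtp" in Nmap output).

```lua
-- Added illustration of the STARTTLS lookup and the "already TLS-wrapped"
-- guard described in the thread. NOT nselib/sslcert.lua: the table layout,
-- the stub handlers and the sample ports below are assumptions.

-- Stand-in for a per-service STARTTLS handler. The real library functions
-- speak the protocol (EHLO/STARTTLS, the LDAP StartTLS extended operation,
-- ...); this stub only reports which dialect it would have used.
local function starttls_handler(name)
  return function(host, port)
    return "STARTTLS via " .. name
  end
end

-- Lookup keyed both by port number and by service name, so a hit on either
-- selects a STARTTLS handler (assumed layout mirroring the thread's description).
local SPECIALIZED_PREPARE_TLS = {
  [25]  = starttls_handler("smtp"),
  [110] = starttls_handler("pop3"),
  [143] = starttls_handler("imap"),
  [389] = starttls_handler("ldap"),
  smtp  = starttls_handler("smtp"),
  pop3  = starttls_handler("pop3"),
  imap  = starttls_handler("imap"),
  ldap  = starttls_handler("ldap"),
}

-- Returns the STARTTLS handler for this port, or nil when the caller should
-- open a TLS connection to the port directly.
local function getPrepareTLSWithoutReconnect(port)
  -- The guard the patch adds: with -sV, a service that is already wrapped
  -- in SSL/TLS carries port.version.service_tunnel == "ssl". Sending a
  -- cleartext STARTTLS into that socket yields garbage and a dropped
  -- connection, so report "no STARTTLS needed" before consulting the table.
  if port.version and port.version.service_tunnel == "ssl" then
    return nil
  end
  local handler = SPECIALIZED_PREPARE_TLS[port.number]
  if not handler and port.service then
    handler = SPECIALIZED_PREPARE_TLS[port.service]
  end
  return handler
end

local function isPortSupported(port)
  return getPrepareTLSWithoutReconnect(port) ~= nil
end

-- Constructed port tables modelling the report. Without -sV the service
-- name comes from the nmap-services table ("smtps", "ldapssl") and misses
-- the lookup, which is why the scan without version detection worked; with
-- -sV the name becomes "smtp"/"ldap" and service_tunnel records the wrapper.
local cases = {
  { number = 389, service = "ldap" },
  { number = 25,  service = "smtp",    version = { service_tunnel = "none" } },
  { number = 636, service = "ldapssl" },
  { number = 636, service = "ldap",    version = { service_tunnel = "ssl" } },
  { number = 465, service = "smtps" },
  { number = 465, service = "smtp",    version = { service_tunnel = "ssl" } },
}

for _, port in ipairs(cases) do
  local tunnel = port.version and port.version.service_tunnel or "-"
  local prep = getPrepareTLSWithoutReconnect(port)
  print(string.format("%4d/tcp %-8s tunnel=%-4s supported=%-5s -> %s",
    port.number, port.service, tunnel, tostring(isPortSupported(port)),
    prep and prep(nil, port) or "direct TLS"))
end
```

Run it with `lua example.lua`: the 389/tcp and 25/tcp entries select a STARTTLS handler, while both 636/tcp and both 465/tcp entries fall through to a direct TLS connection, the -sV variants because of the `service_tunnel` guard and the others because "ldapssl"/"smtps" are not in the table.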
Current thread:
- [NSE] nselib / sslcert.lua - breaking when used w/ version detection Tom Sellers (Oct 25)
- Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection Daniel Miller (Oct 25)
- Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection Tom Sellers (Oct 25)
- Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection Daniel Miller (Oct 25)