Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [PATCH] Always list SSL in case any SSL connection succeeded
From: David Fifield <david () bamsoftware com>
Date: Mon, 2 Mar 2009 09:01:05 -0700

On Tue, Feb 24, 2009 at 10:34:59PM +0100, Kristof Boeynaems wrote:
Kristof Boeynaems wrote:
David Fifield wrote:
<snip>
One more thing: In the test you described, the output should be
"ssl/unknown?", not "ssl/unknown". Leaving off the question mark makes
it look as if the port was positively identified. It's confusing in this
case because the port is named "unknown", but that name comes from the
nmap-services file. If you repeat the s_server experiment with port 80
you'll see what I mean. The output should be "ssl/http?", not "ssl/http"
or "http?".

Good point. I'll look into that once we have agreed on where we should  
make the change :)

Mmm, I had a look, and it seems that the behavior is slightly different  
than you describe. Did you really get those results after applying the  
patch? I am unable to reproduce those.

I believe that with the patch, the test case above will always return  
"ssl/unknown", no matter the port.
It will always default to line 476 in output.cc, thus adding "unknown"  
to the "ssl/" string set earlier.

Those aren't results from your patch, just incorrect examples to clarify
what I think the output should be. Your patch does return "ssl/unknown"
regardless of the port as you say, but I think this is inconsistent with
how non-SSL ports are presented.

Nevertheless, if you prefer "ssl/unknown?" for these cases, we can  
probably change it there.

When port 80 is scanned without SSL, and the service sends nothing back,
the result is "http?", not "unknown". So I think when SSL is running on
port 80, the result should be "ssl/http?", not "ssl/unknown".

# ncat -l localhost 80
$ nmap -sV -p 80 localhost
PORT   STATE SERVICE VERSION
80/tcp open  http?

For the record, this is what I get with your patch:

# openssl s_server -cert test-cert.pem -key test-key.pem -accept 80
$ ./nmap -sV -p 80 localhost
PORT   STATE SERVICE     VERSION
80/tcp open  ssl/unknown

# openssl s_server -cert test-cert.pem -key test-key.pem
$ ./nmap -sV -p 4433 localhost
PORT     STATE SERVICE     VERSION
4433/tcp open  ssl/unknown

I think those two cases should be, respectively

PORT   STATE SERVICE   VERSION
80/tcp open  ssl/http?

PORT     STATE SERVICE      VERSION
4433/tcp open  ssl/unknown?

Though you can also make a case for "ssl/unknown" in the second case.

However, while "ssl/http" would indeed not be acceptable, I think  
"ssl/unknown" is better than "ssl/unknown?", as we are sure that there  
is "something" behind ssl (and we are sure that we don't know what ;)).
I am afraid that displaying "ssl/unknown?" might give the impression  
that even the "ssl/" part is doubtful.

Maybe it's justified to treat a port named "unknown" as a special case
and not print the question mark, as if the port were not in
nmap-services at all. Changing "ssl/http?" to "ssl/unknown", however,
throws away information. Normally when Nmap can't determine the version
of a service, it at least gives you a guess based on the name from
nmap-services, and marks it as a guess by adding the question mark. This
should work the same way in the SSL case as in the non-SSL case.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault