Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [PATCH] Extended SSL support in Nmap, review
From: David Fifield <david () bamsoftware com>
Date: Mon, 30 Mar 2009 14:09:29 -0600

On Sun, Mar 22, 2009 at 04:26:50PM +0100, Kristof Boeynaems wrote:
Kristof Boeynaems wrote:
On Tue, Mar 3, 2009 at 6:34 AM, David Fifield <david () bamsoftware com> wrote:
I especially want to thank you for these test results. They are an
indication of intellectual honesty and rigor as a developer. The results
(with the typo correction in http://seclists.org/nmap-dev/2009/q1/0485.html),
show that this SSL fix, while not urgent, is worthwhile.

Thanks again. By the way, I still owe the list the results of my
(little) more extensive scanning, I'll post them later on, when I have
again access to the data.

Here are the results of that slightly more extensive test. Note that
this was still done with nmap-4.85BETA3.

Command: nmap -T4 -v -n -PN -sV -p443,465,636,990,995,993 -iL <list of 
about 700 random SSL servers collected earlier via an iR scan> -d -oA 
<filename>

Results:
# nmap-4.85BETA3 - scanned in 1866.96 seconds
- Total number of hosts with at least one port open: 611
- Total number of SSL hosts (hosts with at least one ' ssl/' result): 541
- Total of open SSL ports detected (' ssl/'): 781,
- Number of open SSL ports detected and successfully investigated (' ssl/something'): 709
- Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 72

#  nmap-4.85BETA3 with two extra general SSL lines in nmap-service-probes file (see below)
- scanned in 1832.99 seconds
- Total number of hosts with at least one port open: 615
- Total number of SSL hosts (hosts with at least one ' ssl/' result): 593
- Total of open SSL ports detected (' ssl/'): 888,
- Number of open SSL ports detected and successfully investigated (' ssl/something'): 801
- Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 87

These results are impressive. I have just a few questions before
integrating your nmap-service-probes patch.

The TLSv1 handshake error match line is identical to a match line that
already existed:

# These Nessus match lines might be problematic:
match ssl m|^\x15\x03\0\0\x02\x02\($| p/Nessus security scanner/ 
# Generic: TLSv1 Handshake error:
match ssl m|^\x15\x03\0\0\x02\x02\($| p/TLSv1/

So the increase in the number of detected servers must have been
completely because of the new SSLv3 ServerHello line:

# Generic: SSLv3 ServerHello:
match ssl m|^\x16\x03\0..\x02...\x03\0| p/SSLv3/

Is it reasonable that all the change is due to this match line? Should
we just get rid of the Nessus line if we adopt this patch?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]