Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NMap Behavior Differences (HTTPS + Ubuntu 10.04LTS & Ubuntu 12.04LTS)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 5 Sep 2013 08:04:05 -0500

I can replicate the behavior on Ubuntu 12.04 against www.itslearning.com.
I've created pastes with debugging output from 2 versions of Nmap:

* http://pastebin.com/HqFCcYai - Nmap 6.41SVN with -d4
* http://pastebin.com/bCfdqFh3 - Nmap 6.02 with -d3

I also ran a scan without the NSE script immediately followed by openssl
s_client, which was able to connect with no timeout.

Dan


On Wed, Sep 4, 2013 at 3:47 PM, Nmap User1 <nmapuser1 () gmail com> wrote:

Hello,

I've been observing some odd nmap behavior lately when it comes to scanning
SSL services, typically HTTPS, under Ubuntu 12.04 LTS.

In summary, nmap under Ubuntu 12.04 LTS is often unable to complete a SSL
scan due to an apparent timeout issue.  Nmap does not behave this way with
all HTTPS services, only some, around 5% from my observations.
Additionally, this behavior is only exhibited under Ubuntu 12.04 LTS and
not
10.04 LTS.  Nmap versions 6.25, 6.40, and 6.41 all demonstrate the same
behavior.  Additionally, I've recompiled nmap to use the same version of
OpenSSL on both versions of Ubuntu with no change in behavior.

Randomly selected hosts (from Google):

* www.bwin.com

* home.eease.com

* www.itslearning.com


For example, on any of the above hosts (sudo nmap -v -sS -Pn -p 443
--script=ssl-cert <host>):
* Scanning port 443 with nmap v6.41 under Ubuntu 10.04 LTS, takes 1 second
and correctly displays the ssl-certificate information.
* Scanning port 443 with nmap v6.41 under Ubuntu 12.04 LTS, takes 30
seconds
and is unable to negotiate the SSL connection during NSE.

According to the debug logs, it appears to be timing out:  "NSOCK INFO
[30.4340s] nsock_trace_handler_callback(): Callback: SSL-CONNECT TIMEOUT
for
EID 9".

I have verified this behavior on numerous installations of Ubuntu 12.04
LTS.

Thoughts?  Can anyone else replicate this behavior (with the above random
hosts or otherwise)?

Thanks!



_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]