Nmap Development mailing list archives

Re: NSE: Need advice on pulling SSL cert used for TLS connection over SMTP port 25


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 03 Oct 2009 12:55:36 -0500

Well, I thought I was making progress on this but I think I have hit a
roadblock that I can't get around.

I found that the NSE sockets were being created by the l_sock_connect function
in nse_nsock.cc.  This function will create sockets for TCP, UDP and SSL as
requested by calling one of three functions:

nsock_connect_tcp
nsock_connect_udp
nsock_connect_ssl

These functions are defined in nsock_connect.c.  While looking at these I found
that this file also contains what I thought was EXACTLY what I was looking for:
nsock_reconnect_ssl.

Based on the description this will request an SSL connection over an established
connection.

I modified l_sock_connect and added a call to nsock_connect_ssl, edited ssl-cert.nse
to call this, but I cannot seem to get it working.  It dies with the following
when I run it against an SMTP server that supports TLS:

Assertion failed: (nse->iod->sd >= 0), function nsp_add_event, file nsock_core.c, line 1122

Here is my command line:

        nmap -p 587 --script=ssl-cert.nse smtp.gmail.com

I am pretty much out of my depth here.  I am going to attach a patch containing
the changes I made in case anyone is interested in looking at the code.


Thanks,

Tom


Tom Sellers wrote:
Ok, I have been messing around with trying to pull the SSL cert that is
being used for the TLS connection over port 25.  After a couple of questions
from David I have basically decided that I am probably making this much
harder than it has to be and wasting time.

Basically I am trying to gather information about the SSL certificate that
is being used for an SMTP over TLS connection on port 25. The problem is that
the session starts out non-SSL.  Once the connection is made, and if the
server supports it, the client issues the STARTTLS command and then a TLS
connection is negotiated.

This port is different than 465 where the whole conversation starts out and
is encapsulated with SSL/TLS.

I have tried connecting to port 25 with a socket, getting to STARTTLS and
then trying to use get_ssl_certificate() but I think at that point it expects
that the SSL tunnel has already been negotiated.

My last effort involved modifying ssl-cert.nse to work on port 25, then
if the SSL session errored out on port 25/smtp I would open a fresh socket,
toss EHLO at it, vet the response and then send STARTTLS.  If that is all
good I tried grabbing the cert.

Any thoughts on kicking off the SSL negotiation on an existing socket, or
anything else that would help for that matter?

Thanks much,
Tom



Attachment: tls_broken.patch
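The STARTTLS exchange described in the quoted message, as an added example that is not part of this thread or of Nmap's own code: it connects in the clear, checks the EHLO reply for the STARTTLS keyword, sends STARTTLS, and then starts TLS on the already-open socket (the step the NSE patch was trying to reach with nsock_reconnect_ssl) before reading the server certificate. It is written in Python rather than NSE/Lua so it runs stand-alone; the host name mail.example.test, the EHLO name starttls-probe.invalid and the two sample EHLO replies are constructed, not captured from any real server.

```python
import socket
import ssl
import sys

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250 8BITMIME\r\n"
)


def parse_smtp_reply(data):
    """Parse an SMTP reply (RFC 5321 section 4.2) from raw bytes.

    Returns (code, [text lines]) once the final 'NNN text' line has been
    seen, or None while the reply is still incomplete ('NNN-text' lines
    only, or a trailing partial line without CRLF)."""
    text = data.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    if not text.endswith("\r\n"):
        lines.pop()              # drop the unfinished last line
    lines = [line for line in lines if line]
    code = None
    body = []
    for line in lines:
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        line_code = int(line[:3])
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed mid-reply: %r" % line)
        body.append(line[4:])
        if line[3:4] != "-":     # ' ' or end of line marks the final line
            return code, body
    return None


def advertises_starttls(code, lines):
    """True if a parsed EHLO reply lists the STARTTLS extension keyword.
    The first line is the server greeting; keywords follow one per line."""
    if code != 250:
        return False
    keywords = [line.split(None, 1)[0].upper() for line in lines[1:] if line.strip()]
    return "STARTTLS" in keywords


def read_reply(sock):
    """Accumulate bytes from the socket until a complete SMTP reply arrives."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        parsed = parse_smtp_reply(buf)
        if parsed is not None:
            return parsed


def fetch_starttls_certificate(host, port=25, ehlo_name="starttls-probe.invalid"):
    """Connect in the clear, negotiate STARTTLS, upgrade the SAME socket to
    TLS and return the server certificate as PEM text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The goal is to report the certificate, not to trust it, so verification
    # is off; otherwise a self-signed or expired certificate would abort the
    # handshake before it could be inspected.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.settimeout(10)
        code, _ = read_reply(sock)                      # 220 greeting
        if code != 220:
            raise RuntimeError("unexpected greeting code %d" % code)
        sock.sendall(b"EHLO " + ehlo_name.encode("ascii") + b"\r\n")
        code, lines = read_reply(sock)
        if not advertises_starttls(code, lines):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(sock)
        if code != 220:
            raise RuntimeError("STARTTLS refused with code %d" % code)
        # The step the NSE patch was after: TLS starts on the existing
        # connection; no new socket is opened.
        tls = ctx.wrap_socket(sock, server_hostname=host)
        der = tls.getpeercert(binary_form=True)   # dict form is empty under CERT_NONE
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"   # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(fetch_starttls_certificate(target, target_port))
```

The reply parser is the part worth getting right: the EHLO answer is multi-line, and the STARTTLS keyword may arrive in a later TCP segment than the greeting line, so the client must keep reading until it sees the 'NNN text' terminator rather than inspecting the first recv() alone.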

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
