
Nmap Development mailing list archives
tls-nextprotoneg.nse and duckduckgo.com:443
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sat, 15 Nov 2014 02:22:01 +0100
Hi,

I just tested tls-nextprotoneg.nse on duckduckgo.com and noticed that their server replies with "handshake failed". Is it a bug in the hello packet or does duckduckgo.com specifically blacklist packets generated by this script? Below is the -d9 log - I modified the script's debug "Server response was not server_hello." message.

By the way, isn't the "Raw packets sent" message a bit confusing since --script="tls-nextprotoneg" generated much more than 44 bytes of IP data? Perhaps something along the lines of "(not including packets generated by connect())" would be appropriate there.

Cheers,
Jacek

$ nmap 176.34.131.233 -p 443 --script="tls-nextprotoneg" -d9 -Pn -n 2>&1
Starting Nmap 6.45 ( http://nmap.org ) at 2014-11-15 02:18 CET
Fetchfile found /usr/bin/../share/nmap/nmap-services
Fetchfile found /usr/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
Fetchfile found /usr/bin/../share/nmap/nse_main.lua
Fetchfile found /usr/bin/../share/nmap/nselib/stdnse.lua
Fetchfile found /usr/bin/../share/nmap/nselib/strict.lua
Fetchfile found /usr/bin/../share/nmap/scripts/script.db
NSE: Script Arguments seen from CLI:
NSE: { }
Fetchfile found /usr/bin/../share/nmap/scripts/tls-nextprotoneg.nse
NSE: Script tls-nextprotoneg.nse was selected by name.
Fetchfile found /usr/bin/../share/nmap/nselib/shortport.lua
Fetchfile found /usr/bin/../share/nmap/nselib/tls.lua
NSE: Loaded 1 scripts for scanning.
NSE: Loaded '/usr/bin/../share/nmap/scripts/tls-nextprotoneg.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Fetchfile found /usr/bin/../share/nmap/nmap-payloads
Initiating SYN Stealth Scan at 02:18
Scanning 176.34.131.233 [1 port]
Packet capture filter (device wlp3s0): dst host 192.168.1.102 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 176.34.131.233)))
SENT (0.1134s) TCP [192.168.1.102:55250 > 176.34.131.233:443 S seq=3043839007 ack=0 off=6 res=0 win=1024 csum=0xC2F1 urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=36924 foff=0 ttl=48 proto=6 csum=0x0476]
**TIMING STATS** (0.1135s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
  176.34.131.233: 1/0/0/1/0/0 10.00/75/0 1000000/-1/-1
Current sending rates: 57.14 packets / s, 2514.00 bytes / s.
Overall sending rates: 57.14 packets / s, 2514.00 bytes / s.
RCVD (0.1651s) TCP [176.34.131.233:443 > 192.168.1.102:55250 SA seq=3805700402 ack=3043839008 off=6 res=0 win=17922 csum=0x3CD5 urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0xc8 iplen=44 id=0 flg=D foff=0 ttl=47 proto=6 csum=0x54ea]
Found 176.34.131.233 in incomplete hosts list.
Discovered open port 443/tcp on 176.34.131.233
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 51860 ==> srtt: 51860 rttvar: 51860 to: 259300
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 51860 ==> srtt: 51860 rttvar: 51860 to: 259300
Changing ping technique for 176.34.131.233 to tcp to port 443; flags: S
Moving 176.34.131.233 to completed hosts list with 0 outstanding probes.
Changing global ping host to 176.34.131.233.
Completed SYN Stealth Scan at 02:18, 0.07s elapsed (1 total ports)
Overall sending rates: 14.43 packets / s, 634.80 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
NSE: Script scanning 176.34.131.233.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'tls-nextprotoneg' (thread: 0x7faf93489b20) against 176.34.131.233:443.
Initiating NSE at 02:18
NSOCK INFO [0.0630s] nsi_new2(): nsi_new (IOD #1)
NSOCK DEBUG [0.1780s] msevent_new(): msevent_new (IOD #1) (EID #8)
NSOCK INFO [0.1780s] nsock_connect_tcp(): TCP connection requested to 176.34.131.233:443 (IOD #1) EID 8
NSOCK DEBUG [0.1780s] nsp_add_event(): NSE #8: Adding event (timeout in 5000ms)
NSOCK DEBUG [0.1790s] nsock_loop(): nsock_loop() started (timeout=50ms). 1 events pending
NSOCK DEBUG FULL [0.1790s] epoll_loop(): wait for events
NSOCK DEBUG FULL [0.2280s] process_iod_events(): Processing events on IOD 1 (ev=2)
NSOCK DEBUG FULL [0.2280s] process_event(): Processing event 8 (timeout in 4951ms, done=0)
NSOCK DEBUG FULL [0.2280s] process_event(): NSE #8: Sending event
NSOCK INFO [0.2280s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [176.34.131.233:443]
NSE: TCP 192.168.1.102:60684 > 176.34.131.233:443 | CONNECT
NSOCK DEBUG [0.2280s] msevent_delete(): msevent_delete (IOD #1) (EID #8)
NSE: TCP 192.168.1.102:60684 > 176.34.131.233:443 |
00000000: 16 03 01 00 37 01 00 00 33 03 01 54 66 a9 cc 4e     7   3  Tf  N
00000010: 53 50 45 51 55 56 58 41 46 41 58 51 4a 56 4a 46 SPEQUVXAFAXQJVJF
00000020: 51 55 43 53 45 58 56 4f 57 4b 42 00 00 06 c0 11 QUCSEXVOWKB
00000030: 00 39 00 04 01 00 00 04 33 74 00 00              9      3t
NSOCK DEBUG [0.2280s] msevent_new(): msevent_new (IOD #1) (EID #19)
NSOCK DEBUG [0.2280s] nsock_write(): Write request for 60 bytes to IOD #1 EID 19 [176.34.131.233:443]: ....7...3..Tf..NSPEQUVXAFAXQJVJFQUCSEXVOWKB......9......3t..
NSOCK DEBUG [0.2280s] nsp_add_event(): NSE #19: Adding event (timeout in 5000ms)
NSOCK DEBUG [0.2280s] nsock_loop(): nsock_loop() started (timeout=50ms). 1 events pending
NSOCK DEBUG FULL [0.2280s] epoll_loop(): wait for events
NSOCK DEBUG FULL [0.2280s] process_iod_events(): Processing events on IOD 1 (ev=2)
NSOCK DEBUG FULL [0.2280s] process_event(): Processing event 19 (timeout in 5000ms, done=0)
NSOCK DEBUG FULL [0.2280s] process_event(): NSE #19: Sending event
NSOCK INFO [0.2280s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [176.34.131.233:443]
NSE: TCP 192.168.1.102:60684 > 176.34.131.233:443 | SEND
NSOCK DEBUG [0.2280s] msevent_delete(): msevent_delete (IOD #1) (EID #19)
NSOCK DEBUG [0.2280s] msevent_new(): msevent_new (IOD #1) (EID #26)
NSOCK INFO [0.2280s] nsock_readbytes(): Read request for 5 bytes from IOD #1 [176.34.131.233:443] EID 26
NSOCK DEBUG [0.2280s] nsp_add_event(): NSE #26: Adding event (timeout in 5000ms)
NSOCK DEBUG [0.2280s] nsock_loop(): nsock_loop() started (timeout=50ms). 1 events pending
NSOCK DEBUG FULL [0.2280s] epoll_loop(): wait for events
NSOCK DEBUG [0.2780s] nsock_loop(): nsock_loop() started (timeout=50ms). 1 events pending
NSOCK DEBUG FULL [0.2780s] epoll_loop(): wait for events
NSOCK DEBUG FULL [0.2840s] process_iod_events(): Processing events on IOD 1 (ev=1)
NSOCK DEBUG FULL [0.2840s] process_event(): Processing event 26 (timeout in 4944ms, done=0)
NSOCK DEBUG FULL [0.2840s] process_event(): NSE #26: Sending event
NSOCK INFO [0.2840s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [176.34.131.233:443] (7 bytes): ......(
NSE: TCP 192.168.1.102:60684 < 176.34.131.233:443 |
00000000: 15 03 01 00 02 02 28                                   (
NSOCK DEBUG [0.2840s] msevent_delete(): msevent_delete (IOD #1) (EID #26)
NSE: tls-nextprotoneg: Server response was not server_hello. record.type='alert', record.body[1].type='nil'
NSE: Finished 'tls-nextprotoneg' (thread: 0x7faf93489b20) against 176.34.131.233:443.
NSE: TCP 192.168.1.102:60684 > 176.34.131.233:443 | CLOSE
NSOCK INFO [0.2840s] nsi_delete(): nsi_delete (IOD #1)
NSOCK DEBUG [0.2850s] nsock_loop(): nsock_loop() started (timeout=50ms). 0 events pending
Completed NSE at 02:18, 0.11s elapsed
Nmap scan report for 176.34.131.233
Host is up, received user-set (0.052s latency).
Scanned at 2014-11-15 02:18:04 CET for 0s
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
Final times for host: srtt: 51860 rttvar: 51860 to: 259300
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
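For readers working through the trace above, the following decoder is an added example (not part of the original post and not Nmap's or the script's own code). It parses the two TLS records from the hex dumps in the log: the 60-byte ClientHello that tls-nextprotoneg.nse wrote, and the 7-byte reply. The byte strings are copied from the dumps; the cipher-suite, extension and alert names come from the TLS registries (RFC 5246 and the IANA tables), and everything else is standard record/handshake framing.

```python
"""Decode the ClientHello and the server reply captured in the -d9 trace.

Added example, not part of the original post or of Nmap. The two byte
strings are copied from the hex dumps in the trace.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      47: "illegal_parameter", 70: "protocol_version",
                      80: "internal_error", 110: "unsupported_extension"}
CIPHER_SUITES = {0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                 0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                 0x0004: "TLS_RSA_WITH_RC4_128_MD5"}
EXTENSIONS = {0x0000: "server_name", 0x0010: "application_layer_protocol_negotiation",
              0x3374: "next_protocol_negotiation"}

# Copied from the two "NSE: TCP ... |" hex dumps in the trace above.
CLIENT_HELLO = bytes.fromhex(
    "16030100370100003303015466a9cc4e"
    "5350455155565841464158514a564a46"
    "515543534558564f574b42000006c011"
    "003900040100000433740000")
SERVER_REPLY = bytes.fromhex("15030100020228")


def parse_record(buf):
    """Split one TLS record (5-byte header) into (content_type, version, body)."""
    if len(buf) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    body = buf[5:5 + length]
    if len(body) != length:
        raise ValueError("record truncated: header says %d, have %d" % (length, len(body)))
    return CONTENT_TYPES.get(ctype, ctype), (major, minor), body


def is_well_formed(buf):
    """True when the buffer holds exactly one complete record."""
    try:
        parse_record(buf)
        return True
    except ValueError:
        return False


def parse_client_hello(body):
    """Decode a client_hello handshake message (type 1, 3-byte length)."""
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    if htype != 1 or len(msg) != hlen:
        raise ValueError("not a well-formed client_hello")
    version = (msg[0], msg[1])
    gmt_unix_time = struct.unpack("!I", msg[2:6])[0]
    random28 = msg[6:34]
    pos = 34
    sid_len = msg[pos]; pos += 1
    session_id = msg[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = msg[pos]; pos += 1
    compression = list(msg[pos:pos + comp_len]); pos += comp_len
    extensions = []
    if pos < len(msg):  # extensions block is optional
        ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4]); pos += 4
            extensions.append((EXTENSIONS.get(etype, etype), msg[pos:pos + elen]))
            pos += elen
    return {"version": version, "gmt_unix_time": gmt_unix_time, "random": random28,
            "session_id": session_id,
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "compression": compression, "extensions": extensions}


def parse_alert(body):
    """Decode a 2-byte alert body into its level and description."""
    level, desc = struct.unpack("!BB", body[:2])
    return {"level": ALERT_LEVELS.get(level, level),
            "description": ALERT_DESCRIPTIONS.get(desc, desc)}


def decode(buf):
    """Dispatch on the record's content type; returns a dict describing it."""
    ctype, version, body = parse_record(buf)
    if ctype == "handshake" and body[:1] == b"\x01":
        return {"record": ctype, "version": version, "client_hello": parse_client_hello(body)}
    if ctype == "alert":
        return {"record": ctype, "version": version, "alert": parse_alert(body)}
    return {"record": ctype, "version": version, "body": body}


if __name__ == "__main__":
    print(decode(CLIENT_HELLO))
    print(decode(SERVER_REPLY))
```

Run as-is, the decoder shows that the hello parses cleanly: TLS 1.0 (3,1), a gmt_unix_time of 0x5466a9cc (2014-11-15 01:18:04 UTC, the 02:18:04 CET of the scan), the 28 letters from the trace as the random field, no session ID, three cipher suites (ECDHE-RSA-RC4-SHA, DHE-RSA-AES256-SHA, RSA-RC4-MD5), null compression, and a single empty next_protocol_negotiation extension. The reply decodes to a fatal handshake_failure alert (level 2, description 40). That is the "handshake failed" the script reports; the bytes themselves do not say which part of the offer the server rejected.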
Current thread:
- tls-nextprotoneg.nse and duckduckgo.com:443 Jacek Wielemborek (Nov 14)
- Re: tls-nextprotoneg.nse and duckduckgo.com:443 Daniel Miller (Nov 14)
- Re: tls-nextprotoneg.nse and duckduckgo.com:443 Jacek Wielemborek (Nov 14)
- Re: tls-nextprotoneg.nse and duckduckgo.com:443 Daniel Miller (Nov 14)