Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert

[knare k <knarelinux () gmail com>]

Thanks Dan.

I configured a local snmp server on an Ubuntu machine with tls support.

# snmpd dtlsudp:10161 tlstcp:10161

Created a Self-Signed certificate and used it.

And the output from the command: "openssl s_client -connect localhost:10161"

# openssl s_client -connect localhost:10161
CONNECTED(00000003)
depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky,
emailAddress = venky@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky,
emailAddress = venky@localhost
verify return:1
140536960857760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140536960857760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
   i:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICaTCCAdICCQCqllznqB/5gjANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJJ
TjELMAkGA1UECAwCQVAxDDAKBgNVBAcMA0hZRDEMMAoGA1UECgwDeHl6MREwDwYD
VQQLDAhlbWJlZGRlZDEOMAwGA1UEAwwFdmVua3kxHjAcBgkqhkiG9w0BCQEWD3Zl
bmt5QGxvY2FsaG9zdDAeFw0xNTA5MTkwOTI1MDhaFw0xNjA5MTgwOTI1MDhaMHkx
CzAJBgNVBAYTAklOMQswCQYDVQQIDAJBUDEMMAoGA1UEBwwDSFlEMQwwCgYDVQQK
DAN4eXoxETAPBgNVBAsMCGVtYmVkZGVkMQ4wDAYDVQQDDAV2ZW5reTEeMBwGCSqG
SIb3DQEJARYPdmVua3lAbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDA0+Aiqpx9fk/wH9Hg8wQLhEOs9ysC7ASemmv+0u+axru6nsxZTpM7OnMf
vFgGjAataERxenNVkt2IuRAWIO4p+A6J/H7WrnW3AqEFqovJoWVucAOkqzZfzIuD
bnVdrksyjJoz2KNdamT/C4PLvUp4ksM1cjEHCE5e9EuNe++uQQIDAQABMA0GCSqG
SIb3DQEBCwUAA4GBAFFx8mA0mJSr79n1hKlX8SpWYKfZ415Rt/Od3Pa9HFyb4sjl
pqZHiF82KlAZNJBhdNcp8rnO+bsjJHd1KK/ECFO3ZFL4apKKaQ+6R4rNTTltLCVe
OuHUEptj0ARghnJdSzy4huurwrMurzooZOk6oJ9px4O4MKW9UThGtxr684FZ
-----END CERTIFICATE-----
subject=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
issuer=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
---
No client certificate CA names sent
---
SSL handshake has read 725 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key:
AA5C362000AE942C8584A8AD153F4D2592AAD5172A2D4D5FE3457FDB5331982AE0739130A72DB3D86CDC1AAAFB30A13B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1442654860
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---



And the output from the command: "nmap -sV -p <snmpport>
--script=+ssl-cert <host>"

# nmap -sV -p 10161 --script=+ssl-cert localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-19 14:59 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
PORT      STATE SERVICE     VERSION
10161/tcp open  ssl/unknown

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds


Thanks
Venky

On Sat, Sep 19, 2015 at 4:41 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Venky,
>
> Can you confirm that the SNMP service is actually running SSL? This would be
> a highly unusual configuration, but you could test with an independent tool.
> What is the output of this command?
>
> openssl s_client -connect <host>:<snmpport>
>
> Instead of SSL do you perhaps have SNMPv3 with encryption enabled?
>
> Dan
>
> On Fri, Sep 18, 2015 at 8:25 AM, knare k <knarelinux () gmail com> wrote:
> > Hi Ulrik,
> >
> > Thanks for your response. We tried with the '+' option, but no luck.
> > We have set up  snmp server locally on our ubuntu machine and tried
> > it. Checking if we configured the snmp server properly, I will let you
> > know if it works.
> >
> > Thanks
> > Venky.
> >
> >
> > ---------- Forwarded message ----------
> > From: Ulrik Haugen <qha () lysator liu se>
> > Date: Mon, Sep 14, 2015 at 9:56 PM
> > Subject: Re: Unable to get SSL Certificate info for SNMP seriver with
> > nmap ssl-cert
> > To: knare k <knarelinux () gmail com>
> >
> >
> > knare k <knarelinux () gmail com> wrote:
> > > I am not able to get SSL certificate for snmp using ssl-cert script of
> > > nmap, able to get for all others. I tried the following command with
> > > the snmp port.
> > >
> > > # nmap  -sU -Pn -p <snmpport> <host> --script=ssl-cert
> >
> > You might have more luck with:
> >
> > # nmap -sU -Pn -p <snmpport> --script=+ssl-cert <host>
> >
> > The "+" before the script name makes it run even though the portrule
> > doesn't fire. Unfortunately i can't find the documentation for it right
> > now so i can't show how you should have discovered it.
> >
> > Please report if this works, i have some scripts that need tuning if it
> > does!
> >
> > Best regards
> > /Ulrik Haugen
> > _______________________________________________
> > Sent through the dev mailing list
> > https://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/