Nmap Development mailing list archives

SSLv2 DROWN detection with NSE


From: Bertrand Bonnefoy-Claudet <bertrand () cryptosense com>
Date: Wed, 9 Mar 2016 16:13:18 +0100

Hi,

You may have heard of a recent attack on TLS and SSLv2 called DROWN [1].
The company I work for, Cryptosense, has been interested in detecting
vulnerable servers with its public scanner [2] and we have used Nmap and
NSE for that purpose.  As I noticed some interest from Nmap given recent
issues raised on GitHub (notably #319 [3] and #320 [4]), I thought it
would be nice to contribute our work to Nmap.

As I implemented the detection of CVE-2015-3197 and CVE-2016-0703, I had
to refactor sslv2.nse significantly, which leads me to the following
questions:  Should we have an sslv2 library in "nselibs/", which both
"sslv2" and "sslv2-drown" would use?  Or replicate the common functions
in both scripts?  Or have only one script, maybe with flags to turn on
or off more DROWN detection (which can be a little intrusive)?

I'd like to submit PRs as soon as possible but I'd appreciate your
feedback on said questions first.  If you wish to have a look and maybe
comment on the current state of our work, you're welcome to do so.  You
can find the relevant commits on GitHub [5].

The script has been tested against a few real servers, as well as
against relevant OpenSSL versions (vulnerable and not vulnerable), and
its results have been compared to results obtained with the official
scanner [6].  That being said, more testing would not hurt at all.

Thanks,

[1] https://drownattack.com/
[2] https://discovery.cryptosense.com/
[3] https://github.com/nmap/nmap/issues/319
[4] https://github.com/nmap/nmap/pull/320
[5] https://github.com/nmap/nmap/compare/master...bbc2:cryptosense-sslv2
[6] https://github.com/nimia/public_drown_scanner

-- 
Bertrand


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/