Nmap Development mailing list archives

Manually specified SNI values for ssl-* NSE scripts

From: Bertrand Bonnefoy-Claudet <bertrand () cryptosense com>
Date: Wed, 13 Jan 2016 14:17:52 +0100

Hi,

Nmap uses the TLS SNI extension when provided with a domain name for the
host to scan.  For instance,

    nmap --script ssl-enum-ciphers -p443 <hostname>

will try to use <hostname> as the server name in the TLS ClientHello
message and find the IP address from a DNS resolution.  This is useful
when scanning a specific virtual host on a given target host.

However, I think there are cases when the DNS cannot or should not be
relied upon.  For instance, you might want to scan a specific host but
the A record for this host would rotate.  You could then do:

    nmap --script ssl-enum-ciphers -p443 <ip_address>

to make sure you would hit the right host.  In that case, no server name
would be specified and you would end up scanning the default virtual
host instead of the one you wanted.  I am not aware of any simple
workaround for this (i.e. modifying the hosts file would be a
painstaking thing to do).  Are you?

OpenSSL can do this with the "-servername" option.  What about having
those scripts honor some kind of ssl.servername argument?

-- 
Bertrand
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
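The mechanism the message is about, as an added example that is not part of the original post or of Nmap's own code: the TLS server_name (SNI) extension is a small, fixed structure (RFC 6066), and a scanner that targets an IP address has nothing to put in it unless the user supplies a name explicitly. The block below builds and parses that extension on constructed data, refuses IP literals (which RFC 6066 forbids in the host_name field, and which is exactly why scanning by IP yields no SNI), and shows how a client can connect to an IP while presenting a chosen server name. The `connect_with_sni` helper, its parameter names, and the hostnames used are assumptions for illustration; only the build/parse functions run offline.

```python
"""Added example (not from the Nmap project): construct and decode the TLS
server_name (SNI) extension, and open a TLS connection to an IP address while
presenting an explicitly chosen server name.  All inputs are constructed."""
import ipaddress
import socket
import ssl
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 section 3: extension_type server_name(0)
NAME_TYPE_HOST_NAME = 0       # the only NameType defined by RFC 6066


def build_sni_extension(hostname: str) -> bytes:
    """Return the wire form of a server_name extension carrying one host_name.

    Layout: ext_type(2) ext_len(2) list_len(2) [name_type(1) name_len(2) name].
    IP literals are rejected because RFC 6066 does not permit them as host_name,
    which is why a scan aimed at a bare IP address sends no SNI at all.
    """
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass  # not an IP literal: fine
    else:
        raise ValueError("SNI host_name must be a DNS name, not an IP literal")

    name = hostname.encode("idna")  # A-label encoding for non-ASCII names
    entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_sni_extension(ext: bytes) -> list:
    """Decode a server_name extension and return the host_name entries it lists.

    Length fields are checked against the buffer so truncated or oversized
    input raises ValueError instead of being silently misread.
    """
    if len(ext) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError("not a server_name extension")
    if ext_len != len(ext) - 4:
        raise ValueError("extension length does not match buffer")
    body = ext[4:]
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        raise ValueError("ServerNameList length does not match buffer")

    names = []
    pos = 2
    while pos < 2 + list_len:
        if pos + 3 > len(body):
            raise ValueError("truncated ServerName entry")
        name_type = body[pos]
        (name_len,) = struct.unpack("!H", body[pos + 1:pos + 3])
        name = body[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        if name_type == NAME_TYPE_HOST_NAME:
            names.append(name.decode("idna"))
        pos += 3 + name_len
    return names


def connect_with_sni(ip: str, port: int, servername: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Hypothetical helper (assumption, not Nmap code): connect to a fixed IP
    but present `servername` in SNI, so the server selects that virtual host
    and the certificate is validated against that name.  Needs a network."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    raw = socket.create_connection((ip, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=servername)


if __name__ == "__main__":
    ext = build_sni_extension("example.com")   # constructed sample name
    print(ext.hex())
    print(parse_sni_extension(ext))
```

Running the module prints the 20-byte extension for the constructed name and decodes it back; `connect_with_sni("192.0.2.10", 443, "www.example.com")` (placeholder values) is the scripted equivalent of the `-servername` behaviour the message asks for, and the handshake would reach the named virtual host regardless of which A record currently resolves.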
