NMAP cipher checks is not using SNI
Closed this issue · 2 comments
Describe the bug
If using SNI routing (yes this is possible), it is expected to have different SSL responses for the same IP address if provided server name is different.
However, this option is not propagated to NMAP when checking ciphers, leading to incorrect report.
To Reproduce
Not really reproducible unless you have such stup, but I can perform the test for your
Expected behavior
NMAP implemented proper option since release Nmap 7.40 [2016-12-20]:
o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
TLS Server Name Indication extension. The argument overrides the default use
of the host's targetname. [Bertrand Bonnefoy-Claudet]
Quick and dirty fix (on old version):
diff --git a/check_ssl_cert b/check_ssl_cert
index 935870f..57a427a 100755
--- a/check_ssl_cert
+++ b/check_ssl_cert
@@ -4504,9 +4504,13 @@ main() {
# see https://github.com/matteocorti/check_ssl_cert/issues/378
- debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script +ssl-enum-ciphers \"${HOST_ADDR}\" 2>&1 | grep '^|'"
-
- OFFERED_PROTOCOLS=$(${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script +ssl-enum-ciphers "${HOST_ADDR}" 2>&1 | grep '^|')
+ if [ -n ${SNI} ]; then # https://github.com/matteocorti/check_ssl_cert/issues/505
+ debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script +ssl-enum-ciphers --script-args=tls.servername=\"${SNI}\" \"${HOST_ADDR}\" 2>&1 | grep '^|'"
+ OFFERED_PROTOCOLS=$(${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script +ssl-enum-ciphers --script-args=tls.servername="${SNI}" "${HOST_ADDR}" 2>&1 | grep '^|')
+ else
+ debuglog "Executing ${NMAP_BIN} -Pn -p \"${PORT}\" \"${NMAP_INETPROTO}\" --script +ssl-enum-ciphers \"${HOST_ADDR}\" 2>&1 | grep '^|'"
+ OFFERED_PROTOCOLS=$(${NMAP_BIN} -Pn -p "${PORT}" "${NMAP_INETPROTO}" --script +ssl-enum-ciphers "${HOST_ADDR}" 2>&1 | grep '^|')
+ fi
debuglog "offered ciphers and protocols:"
debuglog "${OFFERED_PROTOCOLS}" | sed 's/^|/[DBG] /'
@@ -5391,7 +5395,11 @@ EOF
# -Pn is needed even if we specify a port
TIMEOUT_REASON="checking ciphers"
- exec_with_timeout "${NMAP_BIN} -Pn --script +ssl-enum-ciphers ${NMAP_INETPROTO} ${HOST_ADDR} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"
+ if [ -n ${SNI} ]; then
+ exec_with_timeout "${NMAP_BIN} -Pn --script +ssl-enum-ciphers ${NMAP_INETPROTO} --script-args=tls.servername="${SNI}" ${HOST_ADDR} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"
+ else
+ exec_with_timeout "${NMAP_BIN} -Pn --script +ssl-enum-ciphers ${NMAP_INETPROTO} ${HOST_ADDR} -p ${PORT}" "${NMAP_OUT}" "${NMAP_ERR}"
+ fi
if [ "${DEBUG}" -ge 1 ]; then
debuglog 'nmap output:'
System (please complete the following information):
Not relevant
Thanks, I never thought about this and didn't think about the possibility to have different setting for different names. But you are right it could be possible.
I'll try to integrate the fix (maybe with a check on the nmap version to see if the option is there)
Seems that nmap doesn't care if a script-arg does not exist (no errors or warnings)