False negatives in some cases #14

Closed
colmmacc opened this issue Mar 1, 2016 · 11 comments

Comments

@colmmacc
Contributor

colmmacc commented Mar 1, 2016

I think the scanner is returning false negatives in some cases. I've isolated the problem to the line:

if not SSLv2ServerHello in server_hello:

This branch isn't being triggered, even when the server does respond with a valid SSLv2 Server Hello message (per tcpdump). This is with scapy 2.2.0-1 on Ubuntu.

If I precede the above line with:

print server_hello
SSL(server_hello_raw).show()

it's clearly a valid and parseable hello message. But the end result is that the script reports ... "Case 3d; Server hello did not contain server hello" incorrectly :/

@colmmacc
Contributor Author

colmmacc commented Mar 1, 2016

Further testing shows that the version of scapy installed doesn't seem to do a great job of parsing SSLv2 hello messages. All it can get at is ...

###[ SSL/TLS ]###
  \records   \
   |###[ SSLv2 Record ]###
   |  length    = 0x3c5
   |  content_type= server_hello
   |###[ Raw ]###
   |     load      = 

I think the upshot of that is that it's probably wise to use a later version of scapy; not sure how to modify the script to avoid the misleading false negative.
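The two comments above pin the false negative on the dissector: scapy 2.2.0 leaves the body of the SSLv2 record as `Raw`, so a membership test like `SSLv2ServerHello in server_hello` can never succeed even when the bytes on the wire are a perfectly good SERVER-HELLO. The following is an added example, not code from the scanner, from scapy-ssl_tls, or from any commenter: a dependency-free parser that works directly on the raw record bytes (SSLv2 record header, then the SERVER-HELLO fields and its 3-byte CIPHER-KIND list). The record in `build_sample_server_hello()` is constructed for offline testing, not a capture, and all function names are my own.

```python
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) as listed in the SSL 2.0 draft specification
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

SSLV2_MT_SERVER_HELLO = 4  # message-type byte that opens a SERVER-HELLO


def parse_sslv2_record(data):
    """Strip one SSLv2 record header; return (payload_without_padding, remaining_bytes).

    Two-byte header when the top bit of the first byte is set (no padding),
    three-byte header otherwise (the third byte is the padding length).
    """
    if len(data) < 2:
        raise ValueError("record too short")
    if data[0] & 0x80:
        length, hdr_len, padding = ((data[0] & 0x7F) << 8) | data[1], 2, 0
    else:
        if len(data) < 3:
            raise ValueError("record too short")
        length, hdr_len, padding = ((data[0] & 0x3F) << 8) | data[1], 3, data[2]
    body = data[hdr_len:hdr_len + length]
    if len(body) < length or padding > length:
        raise ValueError("truncated or malformed record")
    return body[:length - padding], data[hdr_len + length:]


def parse_sslv2_server_hello(payload):
    """Parse a SERVER-HELLO body into a dict; return None if the message is not a SERVER-HELLO.

    Layout after the message-type byte: SESSION-ID-HIT (1), CERTIFICATE-TYPE (1),
    SERVER-VERSION (2), CERTIFICATE-LENGTH (2), CIPHER-SPECS-LENGTH (2),
    CONNECTION-ID-LENGTH (2), then the three variable-length fields in that order.
    """
    if not payload or payload[0] != SSLV2_MT_SERVER_HELLO:
        return None
    if len(payload) < 11:
        raise ValueError("SERVER-HELLO header truncated")
    sid_hit, cert_type, version, cert_len, cs_len, cid_len = struct.unpack("!BBHHHH", payload[1:11])
    end = 11 + cert_len + cs_len + cid_len
    if len(payload) < end or cs_len % 3:
        raise ValueError("SERVER-HELLO body truncated or malformed")
    cert = payload[11:11 + cert_len]
    specs = payload[11 + cert_len:11 + cert_len + cs_len]
    conn_id = payload[11 + cert_len + cs_len:end]
    ciphers = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], "UNKNOWN_%s" % specs[i:i + 3].hex())
               for i in range(0, cs_len, 3)]
    return {"session_id_hit": sid_hit, "certificate_type": cert_type, "version": version,
            "certificate": cert, "ciphers": ciphers, "connection_id": conn_id}


def server_hello_from_record(raw):
    """Byte-level stand-in for the scapy test 'SSLv2ServerHello in server_hello'.

    Returns the parsed hello, or None when the first record is not a SERVER-HELLO.
    Malformed records raise ValueError on purpose: a parse failure should surface
    as an error, not quietly turn into a 'not vulnerable' verdict.
    """
    payload, _ = parse_sslv2_record(raw)
    return parse_sslv2_server_hello(payload)


def build_sample_server_hello():
    """Constructed SSLv2 SERVER-HELLO record for offline testing (not a real capture)."""
    cert = b""                                   # empty certificate keeps the sample short
    specs = b"\x01\x00\x80" + b"\x04\x00\x80"    # RC4_128_WITH_MD5, RC2_128_CBC_EXPORT40_WITH_MD5
    conn_id = bytes(range(16))
    body = struct.pack("!BBBHHHH", SSLV2_MT_SERVER_HELLO, 0, 1, 0x0002,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body   # two-byte header, no padding


if __name__ == "__main__":
    hello = server_hello_from_record(build_sample_server_hello())
    print("SSLv2 SERVER-HELLO parsed; ciphers offered: %s" % ", ".join(hello["ciphers"]))
```

A scanner that feeds the bytes it already holds in `server_hello_raw` to `server_hello_from_record()` gets the same yes/no answer regardless of which scapy version is installed: a non-None result means the server answered with a SERVER-HELLO, which is exactly the evidence of SSLv2 support that the "Case 3d" branch is meant to detect, and the cipher list tells the operator which SSLv2 suites the server is still willing to negotiate.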

@sailorfred

Every host I tested is reported clean due to this.

Example:
$ python ./scanner.py lockerdome.com 443
Testing lockerdome.com on port 443
lockerdome.com: Case 3d; Server hello did not contain server hello
lockerdome.com: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3d: no tls

lockerdome.com: Case 3d; Server hello did not contain server hello
lockerdome.com: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3d: no tls

lockerdome.com: Case 3d; Server hello did not contain server hello
lockerdome.com: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 3d: no tls

lockerdome.com: Case 3d; Server hello did not contain server hello
lockerdome.com: Server is NOT vulnerable with cipher DES_64_CBC_WITH_MD5, Message: 3d: no tls

I am running python 2.7.6 on an Ubuntu 14.04 LTS machine.

Here are the pip packages that were installed in the virtualenv I created to run this scanner:

$ pip freeze
argparse==1.2.1
enum==0.4.6
pyasn1==0.1.9
pycrypto==2.6.1
scapy==2.3.2
scapy-ssl-tls==1.2.2
tinyec==0.3.1
wsgiref==0.1.2

@celesteking

In some cases? How about in all cases.

Take, for example, 84.204.79.83:443, https://www.ssllabs.com/ssltest/analyze.html?d=agl.spb.ru

openssl s_client -connect 84.204.79.83:443 -cipher RC4 -ssl2
New, SSLv2, Cipher is RC4-MD5

Testing 84.204.79.83 on port 443
84.204.79.83: Case 3d; Server hello did not contain server hello
84.204.79.83: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3d: no tls

84.204.79.83: Case 3d; Server hello did not contain server hello
84.204.79.83: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3d: no tls

84.204.79.83: Case 3d; Server hello did not contain server hello
84.204.79.83: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 3d: no tls

84.204.79.83: Case 3d; Server hello did not contain server hello
84.204.79.83: Server is NOT vulnerable with cipher DES_64_CBC_WITH_MD5, Message: 3d: no tls

You should revoke your scanner from public access immediately; it asserts a false sense of security.

@bobmclaren

Unfortunately I would have to agree. Using test.drownattack.com to test one of my servers, it was shown as supporting SSLv2 (and therefore vulnerable); however, testing it with this tool, I received a clean bill of health along with the "Case 3d; Server hello did not contain server hello".

@c0verfire

Confirmed... +1

@Matt3o12
Contributor

Matt3o12 commented Mar 1, 2016

Is there any workaround yet? I tried using a clean Debian Docker image and installed all dependencies from apt-get, and can't get it to work. Any ideas?

@outrayjus

Confirmed... +1

@nimia
Owner

nimia commented Mar 1, 2016

Thank you all for bringing this to my attention.
The problem started when I removed the local copy of scapy-ssl_tls from the repo, in order to fix the import error.
I've quickly reverted the relevant commits, and now at least the scanner does its job. I'll try to get to the bottom of the import error more carefully now.
Thanks again, and please do keep your feedback, suggestions or issues coming!
Nimrod

@nimia nimia closed this as completed Mar 1, 2016
@colmmacc
Contributor Author

colmmacc commented Mar 2, 2016

Just to confirm - works for me now. Thanks for the rollback!

@Matt3o12
Contributor

Matt3o12 commented Mar 2, 2016

Though I now get the ImportError, I still can't get it to work. I tried it on a minimal install of CentOS, and Debian (inside a Docker container). I followed #17 but that doesn't seem to help. Any suggestions on what I did wrong?

@nimia
Owner

nimia commented Mar 2, 2016

@Matt3o12 Could you please open another issue, and include the output of the script, and the output of sudo dpkg -l | grep python ?
