False positives from ssl-ccs-injection.nse

[hoodoer]

Recently I was getting false positives from the ssl-ccs-injection.nse script. The tripwire script and metasploit module pointed at the same servers did not report the vulnerability like the nse script did, further investigation determined the nse script was throwing false positives.

Nmap version 7.70SVN latest on Kali repos.

I'm afraid I can't share my clients server info that this was happening on. Anyone else seen this behavior?

[dmiller-nmap]

There's not a lot of information to go on here. Could you provide output with -d2 added so that we can see what the script is returning and what it claims it is seeing?

My guess is that it's some implementation of TLS that returns a different fatal alert than "unexpected_message" when it receives the out-of-order ChangeCipherSpec message. I'm going to try improving the script to bail out early (non-vulnerable) if any fatal error is received upon sending the first CCS message, and only send the second one to be sure. I'll also dig through the history on this one: none of the other check scripts out there send more than one CCS message.

[hoodoer]

Sorry, I should have snagged this output before. Here's the debug messages. I confirmed with the metasploit modules just now that the same IP isn't listed as vulnerable.

nmap -sT -p 443 --script ssl-ccs-injection -d2 IPADDY
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-09-11 16:31 EDT
Fetchfile found /usr/local/bin/../share/nmap/nmap-services
Fetchfile found /usr/local/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.3.
Fetchfile found /usr/local/bin/../share/nmap/nse_main.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/lpeg-utility.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/stdnse.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/strict.lua
Fetchfile found /usr/local/bin/../share/nmap/scripts/script.db
NSE: Arguments from CLI:
Fetchfile found /usr/local/bin/../share/nmap/scripts/ssl-ccs-injection.nse
NSE: Script ssl-ccs-injection.nse was selected by name.
Fetchfile found /usr/local/bin/../share/nmap/nselib/shortport.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/sslcert.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/asn1.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/unittest.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/nsedebug.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/listop.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/bin.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/comm.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/ftp.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/ipOps.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/ldap.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/match.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/mssql.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/bit.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/smb.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/netbios.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/dns.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/base32.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/smbauth.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/unicode.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/smb2.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/strbuf.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/smtp.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/base64.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/sasl.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/tls.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/vnc.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/bits.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/xmpp.lua
Fetchfile found /usr/local/bin/../share/nmap/nselib/vulns.lua
NSE: Loaded 1 scripts for scanning.
NSE: Loaded '/usr/local/bin/../share/nmap/scripts/ssl-ccs-injection.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
Fetchfile found /usr/local/bin/../share/nmap/nmap-payloads
Initiating Ping Scan at 16:31
Scanning IPADDY[4 ports]
Packet capture filter (device tun0): dst host IPADDY and (icmp or icmp6 or ((tcp or udp or sctp) and (src host IPADDY)))
We got a TCP ping packet back from IPADDY port 443 (trynum = 0)
ultrascan_host_probe_update called for machine IPADDY state UNKNOWN -> HOST_UP (trynum 0 time: 177000)
Changing ping technique for IPADDY to tcp to port 443; flags: S
Changing global ping host to IPADDY.
Completed Ping Scan at 16:31, 0.23s elapsed (1 total hosts)
Overall sending rates: 17.52 packets / s, 665.89 bytes / s.
mass_rdns: Using DNS server IPADDY
NSOCK INFO [0.7240s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.7240s] nsock_connect_udp(): UDP connection requested to IPADDY:53 (IOD #1) EID 8
NSOCK INFO [0.7240s] nsock_read(): Read request from IOD #1 [IPADDY:53] (timeout: -1ms) EID 18
Initiating Parallel DNS resolution of 1 host. at 16:31
NSOCK INFO [0.7240s] nsock_write(): Write request for 43 bytes to IOD #1 EID 27 [IPADDY:53]
NSOCK INFO [0.7240s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [IPADDY:53]
NSOCK INFO [0.7240s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [IPADDY:53]
NSOCK INFO [1.7760s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [IPADDY:53] (115 bytes)
NSOCK INFO [1.7760s] nsock_read(): Read request from IOD #1 [IPADDY:53] (timeout: -1ms) EID 34
NSOCK INFO [1.7760s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [1.7760s] nevent_delete(): nevent_delete on event #34 (type READ)
mass_rdns: 1.05s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:31, 1.05s elapsed
DNS resolution of 1 IPs took 1.05s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 16:31
IPADDY pingprobe type TCP is inappropriate for this scan type; resetting.
Scanning IPADDY [1 port]
Discovered open port 443/tcp on IPADDY
Changing ping technique for IPADDY to connect to port 443
Changing global ping host to IPADDY.
Completed Connect Scan at 16:31, 0.04s elapsed (1 total ports)
Overall sending rates: 28.45 packets / s.
NSE: Script scanning IPADDY.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:31
NSE: Starting ssl-ccs-injection M:55d0aeef6768 against IPADDY:443.
NSOCK INFO [1.7760s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [1.8120s] nsock_connect_tcp(): TCP connection requested to IPADDY:443 (IOD #1) EID 8
NSOCK INFO [1.8440s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [IPADDY:443]
NSOCK INFO [1.8440s] nsock_write(): Write request for 818 bytes to IOD #1 EID 19 [IPADDY:443]
NSOCK INFO [1.8450s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [IPADDY:443]
NSOCK INFO [1.8450s] nsock_readbytes(): Read request for 5 bytes from IOD #1 [IPADDY:443] EID 26
NSOCK INFO [1.8770s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [IPADDY:443] (1340 bytes)
NSOCK INFO [1.8770s] nsock_readbytes(): Read request for 3576 bytes from IOD #1 [IPADDY:443] EID 34
NSOCK INFO [1.9100s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [IPADDY:443] (4115 bytes)
NSE: [ssl-ccs-injection M:55d0aeef6768 IPADDY:443] Unknown handshake message type: server_key_exchange
NSE: [ssl-ccs-injection M:55d0aeef6768 IPADDY:443] Unknown handshake message type: server_hello_done
NSE: [ssl-ccs-injection M:55d0aeef6768 IPADDY:443] Handshake completed (TLSv1.1)
NSOCK INFO [1.9110s] nsock_write(): Write request for 6 bytes to IOD #1 EID 43 [IPADDY:443]
NSOCK INFO [1.9110s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [IPADDY:443]
NSOCK INFO [1.9110s] nsock_write(): Write request for 6 bytes to IOD #1 EID 51 [IPADDY:443]
NSOCK INFO [1.9110s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [IPADDY:443]
NSOCK INFO [1.9110s] nsock_readbytes(): Read request for 5 bytes from IOD #1 [IPADDY:443] EID 58
NSOCK INFO [1.9400s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [IPADDY:443] (7 bytes): ......(
NSE: [ssl-ccs-injection M:55d0aeef6768 IPADDY:443] Vulnerable - alert is not UNEXPECTED_MESSAGE
NSOCK INFO [1.9400s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSE: Finished ssl-ccs-injection M:55d0aeef6768 against IPADDY:443.
Completed NSE at 16:31, 0.13s elapsed
Nmap scan report for IPADDY
Host is up, received syn-ack ttl 247 (0.070s latency).
Scanned at 2018-09-11 16:31:07 EDT for 1s

PORT STATE SERVICE REASON
443/tcp open https syn-ack
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.cvedetails.com/cve/2014-0224
|_ http://www.openssl.org/news/secadv_20140605.txt
Final times for host: srtt: 69891 rttvar: 66102 to: 334299

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
Raw packets sent: 4 (152B) | Rcvd: 1 (44B)