Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
False positives from ssl-ccs-injection.nse #1322
Recently I was getting false positives from the ssl-ccs-injection.nse script. The tripwire script and metasploit module pointed at the same servers did not report the vulnerability like the nse script did, further investigation determined the nse script was throwing false positives.
Nmap version 7.70SVN latest on Kali repos.
I'm afraid I can't share my clients server info that this was happening on. Anyone else seen this behavior?
There's not a lot of information to go on here. Could you provide output with
My guess is that it's some implementation of TLS that returns a different fatal alert than "unexpected_message" when it receives the out-of-order ChangeCipherSpec message. I'm going to try improving the script to bail out early (non-vulnerable) if any fatal error is received upon sending the first CCS message, and only send the second one to be sure. I'll also dig through the history on this one: none of the other check scripts out there send more than one CCS message.
Sorry, I should have snagged this output before. Here's the debug messages. I confirmed with the metasploit modules just now that the same IP isn't listed as vulnerable.
nmap -sT -p 443 --script ssl-ccs-injection -d2 IPADDY