New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
7.7+ issue with ssl-cert returning certificate when http-title returns "401 Authorization Required" #1685
Comments
Here are the scans with more detailed debug parameters: Attached as txt files: Version 7.8: Scan7dot8Error.txt |
I installed every version of Nmap and determined 6.47 is the first version the issue begins to occur. |
I have sampled a handful of sites with the following scan:
All of the sites return HTTP status 401 while script The test environments were:
These results suggest that the issue is not universal but rather related to your scanning environment or specific targets. The following part of your output is the key:
This shows that the HTTP status plays no role here. The TLS connection never completed the initial handshake. |
What is odd is that version 6.46 works but 6.47+ does not.
I am running CentOS 7.6.1810 on VMware. I have also tried it on Windows 10 x64 physical. I can provide -d 9 if that would help determine the cause. |
The detailed log will probably not help. I have casually reviewed the SVN commits between 6.46 and 6.47, noting these culprit candidates:
I would suggest the following:
|
Below is the result of the ssl-enum-ciphers. Is there a list of what cipher suites are offered?
|
At first glance the cipher suites do not appear to be a problem. The first one, There are two known issues related to connecting to some older TLS implementations:
The second case you can generally test for by trying to connect with OpenSSL. This typically works:
However, the following does not:
For the first case you need to inspect the Nmap TLS handshake in Wireshark, looking for symptoms described in issue #511. |
Ok I tested those two issues. The second case had 0 errors with both openssl connections. The first case I am seeing Client Hello with no Server Hello. I attached a screenshot below. Does this mean that I will be unable to use Nmap 6.47+ if I would like to retrieve certificates from hosts that only support TLS 1.0? |
No, it does not. If a client proposes TLS 1.2 then the server is free to reply with any version up to 1.2, such as 1.0. It is then up to the client to decide if it is willing to continue with lower version. These days Nmap typically accept TLS 1.0, 1.1, and 1.2. Support for SSLv3 is spotty, depending on the OpenSSL library used. What it does mean is that some TLS implementations are not fully compliant with the TLS standard and Nmap is not compensating for all the quirks that are out there. |
I can actually see the certificate inside of Wireshark when I run |
I do not believe I can help with throubleshooting the issue any further without having access to the target. I have validated that the original claim of "This (issue) occurs on every device" is not true. |
@nnposter I would be willing to provide you with network access to the host, or mail you the hardware as it's very small if you would like to help further. |
I cannot make promises that I will be able to help but feel free to send me a pertinent IP address and port. |
Please let me know if you have further questions. |
@nnposter Can you provide an email address I can contact you at? I would still like to continue working on this issue. |
Just scroll down to the bottom of this README |
I have tested nmap against Bosch NDC-265-P, which is the target reported by the OP. One clear issue is that Debian and a few derivatives, including Kali, are shipping with pretty unforgiving OpenSSL configuration. The connectivity with with this target fails because the minimum acceptable TLS version is 1.2, while the target supports only 1.0. Once this restriction is removed then nmap is performing as expected. To confirm that your environment is suffering from the same issue you can check with Wireshark if nmap responds to the Server Hello message with a "Protocol Version" fatal alert. You can then adjust the OpenSSL configuration as needed. Another observed issue is that the target is taking 7 to 8 seconds to complete the TLS handshake, which is something that you need to be mindful of when tuning your scans. |
I don't understand why that would be a clear issue if installing nmap version 6.46 work perfectly fine but 6.47 and up do not. Doesn't matter what OS either, Windows 10, Debian, or Red Hat. I have not had any issues with response timeout while using version 6.46. This obviously isn't getting fixed anytime soon so I am going to continue using version 6.46. |
I am not saying that this OpenSSL minimum TLS protocol issue is your issue. It is just one clear issue you might be running into. I have also offered a second possible explanation. Your initial claim (as stated in the title of this issue) has turned out to be false. I have then offered to troubleshoot the issue further if I get access to one of the problematic targets. You have declined and instead disclosed which target hardware is not working for you. I have tested this hardware, identifying two potential scan dependencies listed above, and confirming that nmap is working correctly even with this specific hardware. At this moment I do not believe that I can assist you any further. |
I did make a slightly related change today that may help in situations where the linked OpenSSL routines are being too strict to complete the handshake. In those situations, ssl-cert will fall back to a raw TCP connection and attempt to use the handshake routines from tls.lua to extract a certificate. See 81ceee4 |
On version 6.4 ssl-cert (nmap -sV -sC) will return a certificate when the http-title returns "401 Authorization Required" but on verison 7.7 or 7.8 it stops after the title and does not return a certificate. This occurs on every device that has a pop-up sign in window before you can access it's HTTP page. I have to continue running version 6.4 until this is corrected because this severely limits Nmaps abilities.
Example of 'nmap -sV -sC'
Version 6.4:
Version 7.8:
The text was updated successfully, but these errors were encountered: