
TLSv1.2 service not matching due to hard match of SSLv3 handshake failure #2528

Open
bka-dev opened this issue Sep 25, 2022 · 2 comments
Labels
enhancement expected-behavior Behavior described is currently expected/documented, but that doesn't preclude improvements Nmap

Comments


bka-dev commented Sep 25, 2022

Describe the bug
Hi,

it seems like some SSL/TLS enabled applications that don't respond to the probe "GetRequest" might be hard to detect, due to the softmatch/hardmatch behaviour.

My example refers to an installation of AnyDesk, which opens port 7070/TCP on a workstation. It uses TLSv1.2 and discards SSLv3 (handshake failure).

The idea was to detect AnyDesk installations by looking for the string "AnyDesk Client" in the Common Name of the TLS certificate, so I started with the following line, which I placed below Probe TCP TLSSessionReq:

match anydesk m|\x0c\x0eAnyDesk Client| p/AnyDesk Client/

Starting a service scan on port 7070 with the --version-trace switch results in the following output:

Starting Nmap 7.93SVN ( https://nmap.org ) at 2022-09-25 20:50 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 20:50
Scanning 127.1 (127.0.0.1) [2 ports]
Completed Ping Scan at 20:50, 0.00s elapsed (1 total hosts)
Overall sending rates: 16666.67 packets / s.
Initiating Connect Scan at 20:50
Scanning 127.1 (127.0.0.1) [1 port]
Discovered open port 7070/tcp on 127.0.0.1
Completed Connect Scan at 20:50, 0.00s elapsed (1 total ports)
Overall sending rates: 14285.71 packets / s.
Initiating Service scan at 20:50
Scanning 1 service on 127.1 (127.0.0.1)
NSOCK INFO [0.1510s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.1510s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #1) EID 8
NSOCK INFO [0.1510s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:7070]
Service scan sending probe NULL to 127.0.0.1:7070 (tcp)
NSOCK INFO [0.1510s] nsock_read(): Read request from IOD #1 [127.0.0.1:7070] (timeout: 6000ms) EID 18
NSOCK INFO [6.1580s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [127.0.0.1:7070]
Service scan sending probe GetRequest to 127.0.0.1:7070 (tcp)
NSOCK INFO [6.1580s] nsock_write(): Write request for 18 bytes to IOD #1 EID 27 [127.0.0.1:7070]
NSOCK INFO [6.1580s] nsock_read(): Read request from IOD #1 [127.0.0.1:7070] (timeout: 5000ms) EID 34
NSOCK INFO [6.1580s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [127.0.0.1:7070]
NSOCK INFO [6.1590s] nsock_trace_handler_callback(): Callback: READ EOF for EID 34 [127.0.0.1:7070]
NSOCK INFO [6.1590s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [6.1590s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [6.1590s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #2) EID 40
NSOCK INFO [6.1600s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [127.0.0.1:7070]
Service scan sending probe RTSPRequest to 127.0.0.1:7070 (tcp)
NSOCK INFO [6.1600s] nsock_write(): Write request for 22 bytes to IOD #2 EID 51 [127.0.0.1:7070]
NSOCK INFO [6.1600s] nsock_read(): Read request from IOD #2 [127.0.0.1:7070] (timeout: 5000ms) EID 58
NSOCK INFO [6.1600s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [127.0.0.1:7070]
NSOCK INFO [6.1620s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [127.0.0.1:7070]
NSOCK INFO [6.1620s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSOCK INFO [6.1620s] nsock_iod_new2(): nsock_iod_new (IOD #3)
NSOCK INFO [6.1620s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #3) EID 64
NSOCK INFO [6.1620s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 64 [127.0.0.1:7070]
Service scan sending probe GenericLines to 127.0.0.1:7070 (tcp)
NSOCK INFO [6.1620s] nsock_write(): Write request for 4 bytes to IOD #3 EID 75 [127.0.0.1:7070]
NSOCK INFO [6.1630s] nsock_read(): Read request from IOD #3 [127.0.0.1:7070] (timeout: 5000ms) EID 82
NSOCK INFO [6.1630s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 75 [127.0.0.1:7070]
NSOCK INFO [11.1680s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 82 [127.0.0.1:7070]
NSOCK INFO [11.1680s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
NSOCK INFO [11.1680s] nsock_iod_new2(): nsock_iod_new (IOD #4)
NSOCK INFO [11.1680s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #4) EID 88
NSOCK INFO [11.1690s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 88 [127.0.0.1:7070]
Service scan sending probe HTTPOptions to 127.0.0.1:7070 (tcp)
NSOCK INFO [11.1690s] nsock_write(): Write request for 22 bytes to IOD #4 EID 99 [127.0.0.1:7070]
NSOCK INFO [11.1690s] nsock_read(): Read request from IOD #4 [127.0.0.1:7070] (timeout: 5000ms) EID 106
NSOCK INFO [11.1690s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 99 [127.0.0.1:7070]
NSOCK INFO [11.1750s] nsock_trace_handler_callback(): Callback: READ EOF for EID 106 [127.0.0.1:7070]
NSOCK INFO [11.1750s] nsock_iod_delete(): nsock_iod_delete (IOD #4)
NSOCK INFO [11.1750s] nsock_iod_new2(): nsock_iod_new (IOD #5)
NSOCK INFO [11.1750s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #5) EID 112
NSOCK INFO [11.1760s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 112 [127.0.0.1:7070]
Service scan sending probe RPCCheck to 127.0.0.1:7070 (tcp)
NSOCK INFO [11.1760s] nsock_write(): Write request for 44 bytes to IOD #5 EID 123 [127.0.0.1:7070]
NSOCK INFO [11.1760s] nsock_read(): Read request from IOD #5 [127.0.0.1:7070] (timeout: 5000ms) EID 130
NSOCK INFO [11.1760s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 123 [127.0.0.1:7070]
NSOCK INFO [11.1780s] nsock_trace_handler_callback(): Callback: READ EOF for EID 130 [127.0.0.1:7070]
NSOCK INFO [11.1780s] nsock_iod_delete(): nsock_iod_delete (IOD #5)
NSOCK INFO [11.1780s] nsock_iod_new2(): nsock_iod_new (IOD #6)
NSOCK INFO [11.1780s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #6) EID 136
NSOCK INFO [11.1780s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 136 [127.0.0.1:7070]
Service scan sending probe DNSVersionBindReqTCP to 127.0.0.1:7070 (tcp)
NSOCK INFO [11.1780s] nsock_write(): Write request for 32 bytes to IOD #6 EID 147 [127.0.0.1:7070]
NSOCK INFO [11.1780s] nsock_read(): Read request from IOD #6 [127.0.0.1:7070] (timeout: 5000ms) EID 154
NSOCK INFO [11.1780s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 147 [127.0.0.1:7070]
NSOCK INFO [11.1800s] nsock_trace_handler_callback(): Callback: READ EOF for EID 154 [127.0.0.1:7070]
NSOCK INFO [11.1800s] nsock_iod_delete(): nsock_iod_delete (IOD #6)
NSOCK INFO [11.1800s] nsock_iod_new2(): nsock_iod_new (IOD #7)
NSOCK INFO [11.1810s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #7) EID 160
NSOCK INFO [11.1810s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 160 [127.0.0.1:7070]
Service scan sending probe DNSStatusRequestTCP to 127.0.0.1:7070 (tcp)
NSOCK INFO [11.1810s] nsock_write(): Write request for 14 bytes to IOD #7 EID 171 [127.0.0.1:7070]
NSOCK INFO [11.1810s] nsock_read(): Read request from IOD #7 [127.0.0.1:7070] (timeout: 5000ms) EID 178
NSOCK INFO [11.1810s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 171 [127.0.0.1:7070]
NSOCK INFO [11.1830s] nsock_trace_handler_callback(): Callback: READ EOF for EID 178 [127.0.0.1:7070]
NSOCK INFO [11.1830s] nsock_iod_delete(): nsock_iod_delete (IOD #7)
NSOCK INFO [11.1830s] nsock_iod_new2(): nsock_iod_new (IOD #8)
NSOCK INFO [11.1830s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #8) EID 184
NSOCK INFO [11.1830s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 184 [127.0.0.1:7070]
Service scan sending probe Help to 127.0.0.1:7070 (tcp)
NSOCK INFO [11.1830s] nsock_write(): Write request for 6 bytes to IOD #8 EID 195 [127.0.0.1:7070]
NSOCK INFO [11.1830s] nsock_read(): Read request from IOD #8 [127.0.0.1:7070] (timeout: 7500ms) EID 202
NSOCK INFO [11.1830s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 195 [127.0.0.1:7070]
NSOCK INFO [11.1840s] nsock_trace_handler_callback(): Callback: READ EOF for EID 202 [127.0.0.1:7070]
NSOCK INFO [11.1840s] nsock_iod_delete(): nsock_iod_delete (IOD #8)
NSOCK INFO [11.1840s] nsock_iod_new2(): nsock_iod_new (IOD #9)
NSOCK INFO [11.1840s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:7070 (IOD #9) EID 208
NSOCK INFO [11.1840s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 208 [127.0.0.1:7070]
Service scan sending probe SSLSessionReq to 127.0.0.1:7070 (tcp)
NSOCK INFO [11.1840s] nsock_write(): Write request for 88 bytes to IOD #9 EID 219 [127.0.0.1:7070]
NSOCK INFO [11.1840s] nsock_read(): Read request from IOD #9 [127.0.0.1:7070] (timeout: 5000ms) EID 226
NSOCK INFO [11.1840s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 219 [127.0.0.1:7070]
NSOCK INFO [11.1840s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 226 [127.0.0.1:7070] (7 bytes): ......(
Service scan hard match (Probe SSLSessionReq matched with SSLSessionReq line 13470): 127.0.0.1:7070 is ssl
NSOCK INFO [11.1840s] nsock_iod_delete(): nsock_iod_delete (IOD #9)
NSOCK INFO [11.1840s] nsock_iod_new2(): nsock_iod_new (IOD #10)
NSOCK INFO [11.1840s] nsock_connect_ssl(): SSL connection requested to 127.0.0.1:7070/tcp (IOD #10) EID 233
NSOCK INFO [11.1920s] handle_connect_result(): EID 233 error:0A000410:SSL routines::sslv3 alert handshake failure
NSOCK INFO [11.1920s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 233 [127.0.0.1:7070]
Got nsock CONNECT response with status ERROR - aborting this service
NSOCK INFO [11.1920s] nsock_iod_delete(): nsock_iod_delete (IOD #10)
NSOCK INFO [11.1920s] nsock_iod_delete(): nsock_iod_delete: SSL shutdown failed ((null)) on NSI 10
Completed Service scan at 20:51, 11.04s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:51
NSE: Starting rpc-grind against 127.1 (127.0.0.1:7070).
NSE: [rpc-grind 127.0.0.1:7070] isRPC didn't receive response.
NSE: [rpc-grind 127.0.0.1:7070] Target port 7070 is not a RPC port.
NSE: Finished rpc-grind against 127.1 (127.0.0.1:7070).
Completed NSE at 20:51, 0.00s elapsed
Nmap scan report for 127.1 (127.0.0.1)
Host is up (0.000080s latency).
Scanned at 2022-09-25 20:50:54 CEST for 11s

PORT     STATE SERVICE         VERSION
7070/tcp open  ssl/realserver?
Final times for host: srtt: 80 rttvar: 3761  to: 100000

The problem is that the probe TLSSessionReq is never sent, because of a hard match for SSLSessionReq, which is:

# Alert (Level: Fatal, Description: Protocol Version|Handshake Failure)
match ssl m|^\x15\x03[\x00-\x03]\0\x02\x02[F\x28]|

So an SSLv3 handshake failure is matched (hard match) and no further probes are sent because of this.

AnyDesk accepts TLS1.2 only, but I won't get past SSLSessionReq.

Now I was wondering if the matching behaviour with different SSL/TLS versions could be tweaked, or if I was using the wrong approach to fingerprint this service.

Going with HTTP probes was not an option, because AnyDesk requires user certificates for authentication, so all I could match on is the handshake itself.

To Reproduce

  • Place match anydesk m|\x0c\x0eAnyDesk Client| p/AnyDesk Client/ below the SSLSessionReq Probe in nmap-service-probes
  • Install AnyDesk
  • Scan the service with nmap -vvv -n -sV --version-trace -p 7070

Expected behavior

PORT     STATE SERVICE VERSION
7070/tcp open  ssl/anydesk AnyDesk Client

Version info (please complete the following information):

  • OS: Ubuntu MATE 22.04

Nmap version:

Nmap version 7.93SVN ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.6 openssl-3.0.2 nmap-libssh2-1.10.0 libz-1.2.11 libpcre-8.39 libpcap-1.10.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
@bka-dev bka-dev added the Nmap label Sep 25, 2022
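As an added illustration (not part of the issue or of Nmap's code): decoding the 7-byte alert record the trace shows, applying the quoted "ssl" hard match to it, and checking the author's proposed CN pattern against a DER fragment. The sample bytes are constructed; the record version 0x0303 is an assumption, since the trace only reveals the final 0x28 ('(') byte.

```python
import re

# Nmap's "ssl" hard match for an alert record, copied from the issue text
# (nmap-service-probes, SSLSessionReq probe); \0 there is a NUL byte (\x00).
ALERT_MATCH = re.compile(rb"^\x15\x03[\x00-\x03]\x00\x02\x02[F\x28]")
# The author's proposed line: 0x0c is the DER UTF8String tag and 0x0e (14)
# is len("AnyDesk Client"), so it matches that CN inside raw certificate bytes.
ANYDESK_CN_MATCH = re.compile(rb"\x0c\x0eAnyDesk Client")

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {0x28: "handshake_failure", 0x46: "protocol_version"}  # 0x46 == 'F'

def decode_alert(record: bytes) -> dict:
    """Decode a TLS alert record: type(1) version(2) length(2) level(1) description(1)."""
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    version = int.from_bytes(record[1:3], "big")
    if int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return {
        "version": VERSIONS.get(version, hex(version)),
        "level": "fatal" if record[5] == 2 else "warning",
        "description": ALERTS.get(record[6], f"unknown({record[6]})"),
        # True means Nmap reports "ssl" here and never sends TLSSessionReq.
        "nmap_hard_match_ssl": ALERT_MATCH.match(record) is not None,
    }

def cn_line_would_match(cert_der: bytes) -> bool:
    """Would the proposed match line fire on these certificate DER bytes?"""
    return ANYDESK_CN_MATCH.search(cert_der) is not None

# Constructed sample: the 7 bytes the trace prints as "......(", assuming
# record version 0x0303 (TLSv1.2); level 2 = fatal, 0x28 = handshake_failure.
ANYDESK_REPLY = bytes.fromhex("15030300020228")
# Constructed DER fragment: a UTF8String "AnyDesk Client" as it would sit in a CN.
CN_FRAGMENT = b"\x0c\x0e" + b"AnyDesk Client"

if __name__ == "__main__":
    print(decode_alert(ANYDESK_REPLY))
    print("CN line matches:", cn_line_would_match(CN_FRAGMENT))
```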
@dmiller-nmap

Thanks for bringing this up. It is important for Nmap to detect TLS of any kind (the "ssl/" tunnel identification in the output) and then attempt to connect in order to do further probes. However, if we detect a TLS handshake issue, maybe we could fall back to continuing to send probes to the TLS service itself. That would allow your match line to succeed. It would require some significant changes to the service scan engine.

An easier approach that would work with the current version of Nmap would be to use NSE scripts to get the information you want. The ssl-cert script would show the server's certificate, which may be enough to identify the service you are probing. It could be further enhanced to detect the Certificate Request message and parse out the parameters (client certificate types, supported signature algorithms, and certificate authorities accepted), which would also be helpful information for any TLS service that requests client certificates.

@dmiller-nmap dmiller-nmap added enhancement expected-behavior Behavior described is currently expected/documented, but that doesn't preclude improvements labels Sep 30, 2022
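To show what the Certificate Request parsing suggested above would extract, here is an added example (not Nmap or ssl-cert code) that serializes and parses a TLS 1.2 CertificateRequest handshake message (RFC 5246 section 7.4.4). All input is constructed; the CA name "Example Client CA" is a placeholder, not anything captured from AnyDesk.

```python
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 3: "ecdsa"}
CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded id-at-commonName (2.5.4.3)

def der_cn(cn: str) -> bytes:
    """Build a minimal DER Name holding one CN attribute (short names only)."""
    value = bytes([0x0C, len(cn)]) + cn.encode()                   # UTF8String
    atv = b"\x30" + bytes([len(CN_OID) + len(value)]) + CN_OID + value
    rdn = b"\x31" + bytes([len(atv)]) + atv                         # SET
    return b"\x30" + bytes([len(rdn)]) + rdn                        # SEQUENCE

def cn_of(dn: bytes):
    """Pull the CN string out of a DER Name, or None if absent."""
    i = dn.find(CN_OID)
    if i < 0:
        return None
    length = dn[i + 6]                      # tag at i+5, length at i+6
    return dn[i + 7:i + 7 + length].decode()

def build_certificate_request(types, algs, cas) -> bytes:
    """Serialize a CertificateRequest (handshake type 13); used to construct input."""
    body = bytes([len(types)]) + bytes(types)
    alg_bytes = b"".join(bytes([h, s]) for h, s in algs)
    body += len(alg_bytes).to_bytes(2, "big") + alg_bytes
    ca_bytes = b"".join(len(ca).to_bytes(2, "big") + ca for ca in cas)
    body += len(ca_bytes).to_bytes(2, "big") + ca_bytes
    return b"\x0d" + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes) -> dict:
    """Parse the message back into certificate types, sig algs and CA CNs."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest (handshake type 13)")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    n, pos = body[0], 1
    types = [CERT_TYPES.get(t, f"unknown({t})") for t in body[pos:pos + n]]
    pos += n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    algs = [f"{SIGS.get(body[i + 1], body[i + 1])}+{HASHES.get(body[i], body[i])}"
            for i in range(pos, pos + n, 2)]
    pos += n
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    cas = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        cas.append(cn_of(body[pos:pos + dn_len])); pos += dn_len
    return {"certificate_types": types, "signature_algorithms": algs, "certificate_authorities": cas}

# Constructed sample: rsa_sign + ecdsa_sign, three sig algs, one placeholder CA.
SAMPLE = build_certificate_request([1, 64], [(4, 1), (4, 3), (5, 3)], [der_cn("Example Client CA")])
```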

bka-dev commented Oct 3, 2022

Thanks a lot. The approach using ssl-cert works fine indeed. My initial idea was to go through the Service Information column in my workflow, which wouldn't be updated this way. However, this is more a problem with my workflow than with the service probing mechanism itself.

I see that this feature would be hard to implement, and would probably result in relatively few additional probes compared to the effort that needs to be spent.

Going for additional NSE scripts is sufficient as well.
