TLSv1.2 service not matching due to hard match of SSLv3 handshake failure #2528
Labels: enhancement, expected-behavior (behavior described is currently expected/documented, but that doesn't preclude improvements), Nmap
Describe the bug
Hi,
it seems that some SSL/TLS-enabled applications that don't respond to the "GetRequest" probe may be hard to detect, due to softmatch/hardmatch behaviour.
My example refers to an installation of AnyDesk, which opens port 7070/TCP on a workstation. It uses TLSv1.2 and discards SSLv3 (handshake failure).
The idea was to detect AnyDesk installations by looking for the string "AnyDesk Client" in the Common Name of the TLS certificate, so I started with the following line, which I placed below
Probe TCP TLSSessionReq
:
match anydesk m|\x0c\x0eAnyDesk Client| p/AnyDesk Client/
Starting a service scan on port 7070 with the version-trace switch results in the following output:
The problem is that the probe TLSSessionReq is never sent, because of a hard match for
SSLSessionReq
which is:
So an SSLv3 handshake failure is matched (hard match) and no further probes are sent because of this.
AnyDesk accepts TLS1.2 only, but I won't get past SSLSessionReq.
Now I was wondering if the matching behaviour with different SSL/TLS versions could be tweaked, or if I was using a wrong approach to fingerprint this service.
Going with HTTP probes was not an option, because AnyDesk requires user certificates for authentication, so all I could match on is the handshake itself.
To Reproduce
match anydesk m|\x0c\x0eAnyDesk Client| p/AnyDesk Client/
below the SSLSessionReq Probe in nmap-service-probes
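To make the probe-ordering effect described above concrete, here is a small model of how nmap-service-probes are tried against a port (added for illustration; this is not Nmap's code and only models hard matches: the first match line that fires names the service and ends probing). The probe names and the anydesk regex come from the issue; the match lines for the SSLv3 alert and the byte responses are constructed sample data, not a real capture.

```python
import re
from dataclasses import dataclass


@dataclass
class Probe:
    name: str        # probe name as in "Probe TCP <name>"
    matches: list    # (service, byte regex) for the probe's "match" lines, in file order


# Constructed responses from one port: the SSLv3 probe is answered with a fatal
# handshake_failure alert (record type 0x15, version 3.0, length 2, level 2, desc 0x28);
# the TLSv1.2 probe is answered with a handshake record (version 3.3) whose certificate
# carries the CN "AnyDesk Client". The dots stand in for bytes that do not matter here.
RESPONSES = {
    "SSLSessionReq": b"\x15\x03\x00\x00\x02\x02\x28",
    "TLSSessionReq": b"\x16\x03\x03\x00\x40" + b"." * 8 + b"\x0c\x0eAnyDesk Client" + b"." * 8,
}


def scan(probes, responses):
    """Send probes in file order; the first hard match names the service and ends probing."""
    sent = []
    for probe in probes:
        sent.append(probe.name)
        resp = responses.get(probe.name, b"")
        for service, rx in probe.matches:
            if re.search(rx, resp):
                return sent, service       # hard match: later probes are never sent
    return sent, None


ALERT_RX = rb"^\x15\x03\x00\x00\x02\x02\x28"   # generic SSLv3 handshake_failure alert (constructed)
ANYDESK_RX = rb"\x0c\x0eAnyDesk Client"        # the match line from the issue
TLS_RX = rb"^\x16\x03[\x01-\x03]"              # any TLS handshake record (constructed)

# As in the issue: a generic hard match under SSLSessionReq fires on the alert,
# so the anydesk line under TLSSessionReq never gets a chance.
PROBES_AS_IS = [
    Probe("SSLSessionReq", [("ssl", ALERT_RX)]),
    Probe("TLSSessionReq", [("anydesk", ANYDESK_RX), ("ssl", TLS_RX)]),
]
# Hypothetical tweak: a bare SSLv3 alert is not a hard match, so probing continues.
PROBES_TWEAKED = [
    Probe("SSLSessionReq", []),
    Probe("TLSSessionReq", [("anydesk", ANYDESK_RX), ("ssl", TLS_RX)]),
]

if __name__ == "__main__":
    print(scan(PROBES_AS_IS, RESPONSES))    # (['SSLSessionReq'], 'ssl')
    print(scan(PROBES_TWEAKED, RESPONSES))  # (['SSLSessionReq', 'TLSSessionReq'], 'anydesk')
```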