Add tls.servername script-arg for TLS SNI without DNS #540

wants to merge 3 commits into



bbc2 commented Sep 5, 2016

As explained in, when the DNS cannot be used, or for testing purposes, it can be useful to force the TLS server name indicated by Nmap. This pull request should thus address #276.

Examples of how this is achieved:

nmap --script ssl-cert
nmap --script ssl-cert
nmap --script ssl-enum-ciphers

The script-arg has precedence over host.targetname and there is no support for supplying multiple servernames to be attempted. It basically behaves the same as

openssl s_client -servername <tls.servername> -connect <host.targetname>:<port>

The script argument is supported by all scripts already benefiting from Nmap's existing TLS SNI support. Those using the tls.lua library were easy to adapt because of the modularity of that library. By the way, I think this reduced the complexity of ssl-enum-ciphers.nse. Those relying on sslcert.getCertificate were adapted with just:

host.targetname = tls.servername(host)

The reason is that sslcert.getCertificate uses Nmap's nsock implementation of TLS with OpenSSL, which would have been trickier to modify.

My main use case is building a script that scans the right IP address of a host even if the DNS of that host rotates, which is a common way of performing load-balancing. It is about to be used (merged into Nmap or not) by

I hope this is useful!

@nmap-bot nmap-bot closed this in e4717fa Dec 5, 2016

suraj51k added a commit to suraj51k/nmap that referenced this pull request Jan 31, 2017
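Added example (not part of the pull request or Nmap's code): the precedence rule and SNI override described in the comment above, checked offline in Python by generating a ClientHello in memory and reading back the server_name extension. The function names `choose_servername`, `client_hello_for` and `extract_sni`, and the `.test` host names, are hypothetical and constructed for illustration.

```python
import ssl
import struct

def choose_servername(script_arg, targetname):
    # Precedence stated in the PR: the script-arg wins over host.targetname.
    return script_arg or targetname

def client_hello_for(servername):
    # Build the ClientHello in memory; no socket and no DNS lookup involved.
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=servername)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def extract_sni(record):
    # Return the host_name carried in the server_name extension, or None.
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None  # not a handshake record holding a ClientHello
        pos = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]        # session id
        (suites_len,) = struct.unpack_from("!H", record, pos)
        pos += 2 + suites_len         # cipher suites
        pos += 1 + record[pos]        # compression methods
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = min(pos + ext_total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            # server_name: list length (2), name type (1), name length (2), name
            if ext_type == 0 and ext_len >= 5 and record[pos + 2] == 0:
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):
        pass  # truncated or malformed input
    return None

if __name__ == "__main__":
    # Constructed values: forced name versus the name the target was resolved from.
    name = choose_servername("forced.example.test", "rotating.example.test")
    print(extract_sni(client_hello_for(name)))
```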
