
Add tls.servername script-arg for TLS SNI without DNS #540

Closed
wants to merge 3 commits into from

Conversation

bbc2

@bbc2 bbc2 commented Sep 5, 2016

As explained in http://seclists.org/nmap-dev/2016/q1/46, when the DNS cannot be used, or for testing purposes, it can be useful to force the TLS server name indicated by Nmap. This pull request should thus address #276.

Examples of how this is achieved:

nmap --script ssl-cert --script-args=tls.servername=example.net 192.0.2.1
nmap --script ssl-cert --script-args=tls.servername=example.net example.org
nmap --script ssl-enum-ciphers --script-args=tls.servername=example.net example.org

The script-arg has precedence over host.targetname and there is no support for supplying multiple servernames to be attempted. It basically behaves the same as

openssl s_client -servername <tls.servername> -connect example.net:<port> <host.targetname>

The script argument is supported by all scripts already benefiting from Nmap's existing TLS SNI support. Those using the tls.lua library were easy to adapt because of the modularity of that library. By the way, I think this reduced the complexity of ssl-enum-ciphers.nse. Those relying on sslcert.getCertificate were adapted with just:

host.targetname = tls.servername(host)

The reason is that sslcert.getCertificate uses Nmap's nsock implementation of TLS with OpenSSL, which would have been trickier to modify.

My main use case is building a script that scans the right IP address of a host even if the DNS of that host rotates, which is a common way of performing load-balancing. It is about to be used (merged into Nmap or not) by https://discovery.cryptosense.com.

I hope this is useful!
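The following is an added example, not code from this pull request or from Nmap's tls.lua. It models the precedence the description above gives (the `tls.servername` script-arg wins over `host.targetname`) and then checks, without any network access, what server name actually ends up in the ClientHello that a TLS client sends. The `script_args` and `host` dictionaries are stand-ins for NSE's script-arg table and host table (an assumption for illustration); the `choose_servername` helper is a hypothetical re-creation of the described behaviour, not the PR's `tls.servername(host)`. The ClientHello is produced by Python's `ssl` module driven over memory BIOs, and a small hand-written parser pulls the `server_name` extension back out of the bytes.

```python
import ssl
import struct


def choose_servername(script_args, host):
    """Precedence as described in the PR: the tls.servername script-arg
    overrides host.targetname; if neither is set, no SNI is sent.
    (Hypothetical stand-in for NSE's tls.servername(host).)"""
    name = script_args.get("tls.servername")
    if name:
        return name
    return host.get("targetname")


def build_client_hello(servername):
    """Run the first step of a TLS client handshake against memory BIOs
    (no socket, no DNS) and return the raw ClientHello record bytes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only want the bytes on the wire; certificate checks never run here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=servername)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has written ClientHello and waits for the server
    return outgoing.read()


def extract_sni(record):
    """Walk record header -> handshake header -> ClientHello fields ->
    extensions, and return the host_name from the server_name extension
    (type 0), or None if the client sent no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    p = body[4:4 + hs_len]

    off = 2 + 32                                  # legacy_version + random
    off += 1 + p[off]                             # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2 + cs_len                             # cipher_suites
    off += 1 + p[off]                             # compression_methods
    if off + 2 > len(p):
        return None                               # no extensions block
    ext_total = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", p[off:off + 4])
        off += 4
        data = p[off:off + ext_len]
        off += ext_len
        if ext_type != 0:
            continue
        # ServerNameList: 2-byte list length, then name_type(1) + len(2) + name
        q = 2
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            if name_type == 0:
                return data[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


def sni_for(script_args, host):
    """End to end: choose the name the way the script-arg logic does, build
    the ClientHello, and report which SNI value is really on the wire."""
    return extract_sni(build_client_hello(choose_servername(script_args, host)))


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in the PR description.
    print(sni_for({"tls.servername": "example.net"}, {"targetname": "example.org"}))
    print(sni_for({}, {"targetname": "example.org"}))
    print(sni_for({}, {}))
```

The first call corresponds to `--script-args=tls.servername=example.net example.org`: the script-arg wins and `example.net` is what the server will see, regardless of what name the target was resolved from. The third call shows the no-SNI case, which is what a server sees when a script is pointed at a bare IP with neither value set.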

@nmap-bot nmap-bot closed this in e4717fa Dec 5, 2016
suraj51k pushed a commit to suraj51k/nmap that referenced this pull request Jan 31, 2017
@bbc2 bbc2 deleted the tls-servername-arg branch May 5, 2020 16:27