
I am running nmap to probe services that use SSL.¹

In order to detect the vulnerability on non-standard ports, I am using the -sV option to perform service discovery. But it is very slow, since it runs several probes per open port. How can I make it more efficient and quicker by running only SSL probes?

¹ Specifically, I am evaluating the Heartbleed vulnerability at our site by running the nmap ssl-heartbleed script.

Gilles 'SO- stop being evil'
Benny
  • possible duplicate of [HeartBleed - How to detect compromised websites](http://security.stackexchange.com/questions/55138/heartbleed-how-to-detect-compromised-websites) – Eric G Apr 17 '14 at 02:01
  • If you're talking about a website (I don't know what else you'd be talking about) you can just use this: https://www.ssllabs.com/ssltest/index.html – KnightOfNi Apr 17 '14 at 03:20
  • You can use the -p option to limit the test to only a specific port. For example nmap -p 443 -sV --script=ssl-heartbleed – void_in Apr 17 '14 at 05:02
  • @void_in: The question specifically asks about websites running on non-standard ports (i.e ports other than 443). Your answer only scans port 443. – Matt Apr 17 '14 at 07:43
  • Sorry, this isn't a duplicate. This question is about the usage of nmap, and the Heartbleed reference is just an example use case. The generic answer would help anyone who wants to run a customized nmap scan for discovering hosts running an SSL service or any subset of the nmap-services. P.S.: the linked question only addresses the issue of scanning public sites. I need to scan my internal LAN, and Metasploit isn't an option. – Benny Apr 17 '14 at 08:10
  • @void_in the script doesn't work on non-standard SSL ports. Try it for yourself. The port rule for the script is [shortport.ssl(host, port)](http://nmap.org/nsedoc/lib/shortport.html#ssl), which determines whether a port is likely to run SSL or not. Only with service discovery, which runs multiple probes rather than just performing a TCP connect, can it determine whether SSL is running or not. This activity is costly when you run it for multiple open ports. – Benny Apr 18 '14 at 01:51

1 Answer

You can reduce the number of probes that Nmap sends by using the --version-intensity option. This option takes an integer argument between 1 and 9, limiting the number of probes sent to open ports to those with a rarity of that number or less.

The probe for SSL/TLS (SSLv3 and newer) has a rarity of 1, so you could get away with a simple --version-intensity 1. As a convenience, here are some mnemonic options and their intensity equivalents:

  • --version-light = --version-intensity 2
  • --version-all = --version-intensity 9
  • default = --version-intensity 7

If this is still too much, you can copy the probes (and matches!) you are interested in into a separate file and specify it with the --versiondb option.

bonsaiviking
  • Even with rarity 1, Nmap sends a whole lot of probes which are unnecessary, since I know what service I am interested in. I can create another nmap-service-probes file and include only SSL probes (I could find two: SSLv3 ClientHello & SSLv2 ClientHello) and then hard-reference it while launching nmap. But I am not sure whether it will cover all instances of SSL implementations such as IMAP, POP3 etc. – Benny Apr 18 '14 at 02:05
  • @Benny Comment addressed in edited answer. – bonsaiviking Apr 18 '14 at 03:20
  • Could you advise which probes can provide comprehensive SSL service detection? Since my understanding of SSL is rudimentary, I am not sure. As mentioned before, I could see SSLv3 ClientHello & SSLv2 ClientHello probes detects SSL. – Benny Apr 18 '14 at 04:31
  • With some Perl scripting I determined that the following probes check for SSL: -AFSVersionRequest -LDAPBindReq -NessusTPv12 -NULL -SSLSessionReq -NessusTPv10 -GetRequest -GenericLines -RPCCheck -SIPOptions -Hello -SSLv23SessionReq -HTTPOptions -metasploit-xmlrpc -NessusTPv11 -dominoconsole -metasploit-msgrpc – Benny Apr 18 '14 at 06:05
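The answer's last suggestion (copy only the probes and matches you care about into a separate file and pass it with --versiondb) and Benny's follow-up (which probes actually carry an ssl match) can be automated. The script below is an added example, not code from the answer or from the Nmap project: it parses nmap-service-probes syntax (Probe, ports, rarity, fallback, match, softmatch lines), keeps every probe that has at least one match or softmatch for the service "ssl", optionally cuts at a rarity threshold the way --version-intensity does, and writes the result back out. The SAMPLE_PROBES text is a constructed miniature with shortened regexes, not a copy of the real database; the choice to treat a missing rarity line as 1 and to prune fallback names that point at dropped probes are assumptions of this example.

```python
"""Trim an nmap-service-probes file to the probes that can identify SSL/TLS,
for use with `nmap -sV --versiondb FILE`. Added example, not Nmap's code."""
import sys
from dataclasses import dataclass, field

# Constructed sample in nmap-service-probes syntax (regexes shortened).
SAMPLE_PROBES = r"""
# constructed miniature of nmap-service-probes
Exclude T:9100-9107
Probe TCP NULL q||
rarity 1
ports 21,22,25,110
match ftp m|^220.*FTP server| p/Generic FTP/
match ssl m|^\x15\x03[\x00-\x03]\x00\x02\x02\x0a| p/TLS alert/
Probe TCP GenericLines q|\r\n\r\n|
rarity 2
match smtp m|^220 .* ESMTP| p/Generic SMTP/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
match http m|^HTTP/1\.[01] \d\d\d| p/Generic HTTP/
match ssl m|^\x15\x03[\x00-\x03]\x00\x02\x02[\x0a\x28]| p/TLS alert/
Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0|
rarity 1
ports 443,465,636,993,995
fallback GetRequest,GenericLines
match ssl m|^\x16\x03[\x00-\x03]..\x02| p/TLS server hello/
softmatch ssl m|^\x15\x03| p/TLS alert/
Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 |
rarity 9
match ssl m|^\x16\x03[\x00-\x03]..\x02| p/TLS server hello/
Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
rarity 1
match domain m|^\0\x06\x85| p/Generic DNS/
"""


@dataclass
class Probe:
    header: str                                     # 'Probe <proto> <name> q|...|'
    directives: list = field(default_factory=list)  # ports, rarity, fallback, ...
    matches: list = field(default_factory=list)     # match / softmatch lines

    @property
    def name(self):
        return self.header.split()[2]

    @property
    def rarity(self):
        for d in self.directives:
            if d.startswith("rarity "):
                return int(d.split()[1])
        return 1  # assumption for this example: no rarity line -> most common

    def services(self):
        # second token of 'match <service> m|..|' or 'softmatch <service> ...'
        return {m.split(None, 2)[1] for m in self.matches}


def parse_probes(text):
    """Return (exclude_lines, [Probe, ...]) from nmap-service-probes text."""
    exclude, probes, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Exclude "):
            exclude.append(line)
        elif line.startswith("Probe "):
            cur = Probe(line)
            probes.append(cur)
        elif cur is None:
            continue  # directive before any Probe line: ignore
        elif line.startswith(("match ", "softmatch ")):
            cur.matches.append(line)
        else:
            cur.directives.append(line)
    return exclude, probes


def select_ssl_probes(probes, max_rarity=9):
    """Probes with an ssl match/softmatch and rarity <= max_rarity
    (the same cut --version-intensity applies)."""
    return [p for p in probes if "ssl" in p.services() and p.rarity <= max_rarity]


def render(exclude, probes):
    """Serialise back to nmap-service-probes syntax; fallback directives are
    pruned to probes that survived the cut (assumption: dangling names unwanted)."""
    keep = {p.name for p in probes}
    out = list(exclude)
    for p in probes:
        out.append(p.header)
        for d in p.directives:
            if d.startswith("fallback "):
                names = [n for n in d.split(None, 1)[1].split(",") if n in keep]
                if not names:
                    continue
                d = "fallback " + ",".join(names)
            out.append(d)
        out.extend(p.matches)
    return "\n".join(out) + "\n"


def build_ssl_versiondb(text, max_rarity=9):
    exclude, probes = parse_probes(text)
    return render(exclude, select_ssl_probes(probes, max_rarity))


if __name__ == "__main__":
    # usage: python trim_probes.py /usr/share/nmap/nmap-service-probes > ssl-probes
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROBES
    sys.stdout.write(build_ssl_versiondb(src))
```

Run it against the real database (path varies by install) and point Nmap at the result, e.g. nmap -p- -sV --versiondb ssl-probes --script ssl-heartbleed TARGET. Keeping all match lines of the selected probes, not just the ssl ones, costs nothing in probe count and still lets Nmap name the plain-text services it happens to see.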