Nmap service detection and guessed services?
Chris
2014-10-07 09:31:14 UTC
Hi,

Recently I have seen entries like:

Services/ssl|snpp=444
SentData/1.3.6.1.4.1.25623.1.0.66286/LOG=Nmap service detection result for this port: ssl|snpp\nThis is a guess. A confident identification of the service was not possible.

Services/ssl|krb524=4444
SentData/1.3.6.1.4.1.25623.1.0.66286/LOG=Nmap service detection result for this port: ssl|krb524\nThis is a guess. A confident identification of the service was not possible.

Services/ssl|https=443
SentData/1.3.6.1.4.1.25623.1.0.66286/LOG=Nmap service detection result for this port: ssl|https\nThis is a guess. A confident identification of the service was not possible.

in the KB of some scans.

As far as I can see (while grepping through all .nasl NVTs) there is no get_kb_item on Services/snpp and Services/krb524, and only one on Services/https, which is probably missing Services/ssl|https.

How are such guessed services handled during an OpenVAS scan? They probably need a manual investigation with tools like sslscan?

Thanks in advance for a reply.
Chris
2014-10-07 09:56:11 UTC
Hi,
Post by Chris
How are such guessed services handled during an OpenVAS scan? They probably need a manual investigation with tools like sslscan?
OK, I should have had a deeper look first. It seems most of the ssl/https services are replying with a:

ssl_error_handshake_failure_alert

when opening a browser connection to them. But the SSL cipher checks are still running and showing
results as they are not using the Services/www but the ports.

So it seems there is no chance that Nmap/OpenVAS can do more than checking for weak ciphers
if the service is replying with an ssl_error_handshake_failure_alert.
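
A way to triage such entries from a KB dump, as an added example that is not part of the original thread: it lists every service Nmap flagged as a guess and reports whether the exact Services/... key, or the key without the tunnel prefix, is among the keys NVTs look up. The sample KB text (built from the entries quoted above plus one constructed Services/www line), the LOOKED_UP set and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three guessed entries quoted in the thread, plus one
# made-up Services/www entry that has no "guess" log line.
GUESS = r"\nThis is a guess. A confident identification of the service was not possible."
LOG = "SentData/1.3.6.1.4.1.25623.1.0.66286/LOG=Nmap service detection result for this port: "
SAMPLE_KB = "\n".join([
    "Services/ssl|snpp=444", LOG + "ssl|snpp" + GUESS,
    "Services/ssl|krb524=4444", LOG + "ssl|krb524" + GUESS,
    "Services/ssl|https=443", LOG + "ssl|https" + GUESS,
    "Services/www=80",
])
# Assumption: KB keys that some NVT reads via get_kb_item, e.g. collected by grep.
LOOKED_UP = {"Services/https", "Services/www"}

SERVICE_RE = re.compile(r"^Services/(?P<name>[^=]+)=(?P<port>\d+)$")
# The KB stores the line break as a literal backslash followed by 'n'.
LOG_RE = re.compile(r"^SentData/[\d.]+/LOG=Nmap service detection result "
                    r"for this port: (?P<name>.+?)\\n(?P<rest>.*)$")

def parse_kb(text):
    """Return ({service name: [ports]}, {names Nmap marked as a guess})."""
    ports, guessed = defaultdict(list), set()
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := SERVICE_RE.match(line)):
            ports[m["name"]].append(int(m["port"]))
        elif (m := LOG_RE.match(line)) and "This is a guess." in m["rest"]:
            guessed.add(m["name"])
    return ports, guessed

def triage(text, looked_up):
    """Rows: (port, kb_key, tunnel, service, exact_key_read, bare_key_read)."""
    ports, guessed = parse_kb(text)
    rows = []
    for name in guessed:
        tunnel, _, service = name.rpartition("|")  # "ssl|snpp" -> "ssl", "snpp"
        key = "Services/" + name
        for port in ports.get(name, []):
            rows.append((port, key, tunnel or None, service,
                         key in looked_up, "Services/" + service in looked_up))
    return sorted(rows, key=lambda r: (r[0], r[1]))

if __name__ == "__main__":
    for row in triage(SAMPLE_KB, LOOKED_UP):
        print(row)  # ports where both flags are False need manual follow-up
```
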