New NSE script for POODLE vulnerability discovery


New NSE script for POODLE vulnerability discovery

Daniel Miller-10
Hey list,

I just pushed a new script, stripped down from ssl-enum-ciphers,
called ssl-poodle [1]. People have been recommending ssl-enum-ciphers
for detecting POODLE, since it affects all implementations of SSLv3
that allow CBC ciphersuites, but between enumerating *all*
ciphersuites for 4 different SSL/TLS versions and sorting those by
server preference, ssl-enum-ciphers needs to send at least 24 and
usually many more requests to finish.

ssl-poodle, on the other hand, needs only 4 requests maximum (and only
1 in the majority of vulnerable cases). It also uses the vulns library
[2] to display vulnerability output.

In addition to advertising this script, I wanted to ask some questions
of the devs who have been using and developing the vulns library:

1. Is there a reason why check_results and extra_info are not
displayed when the state is NOT_VULN? I wanted to distinguish "No CBC
ciphersuites found" vs "SSLv3 not supported" when reporting
not-vulnerable hosts with vulns.showall.

2. Can we unify the handling of whitespace within the description
field? The script author shouldn't have to worry about formatting,
word wrapping, indent level, etc. We can probably collapse all
whitespace other than double-newline and then word-wrap appropriately
for screen output (and not at all for XML output).

Thanks, and happy scanning!
Dan

[1] http://nmap.org/nsedoc/scripts/ssl-poodle.html
[2] http://nmap.org/nsedoc/lib/vulns.html
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Re: New NSE script for POODLE vulnerability discovery

Henri Doreau
2014-10-21 18:47 GMT+02:00 Daniel Miller <[hidden email]>:

> Hey list,
>
> I just pushed a new script, stripped down from ssl-enum-ciphers,
> called ssl-poodle [1]. People have been recommending ssl-enum-ciphers
> for detecting POODLE, since it affects all implementations of SSLv3
> that allow CBC ciphersuites, but between enumerating *all*
> ciphersuites for 4 different SSL/TLS versions and sorting those by
> server preference, ssl-enum-ciphers needs to send at least 24 and
> usually many more requests to finish.
>
> ssl-poodle, on the other hand, needs only 4 requests maximum (and only
> 1 in the majority of vulnerable cases). It also uses the vulns library
> [2] to display vulnerability output.
>
> In addition to advertising this script, I wanted to ask some questions
> of the devs who have been using and developing the vulns library:
>
> 1. Is there a reason why check_results and extra_info are not
> displayed when the state is NOT_VULN? I wanted to distinguish "No CBC
> ciphersuites found" vs "SSLv3 not supported" when reporting
> not-vulnerable hosts with vulns.showall.
>
> 2. Can we unify the handling of whitespace within the description
> field? The script author shouldn't have to worry about formatting,
> word wrapping, indent level, etc. We can probably collapse all
> whitespace other than double-newline and then word-wrap appropriately
> for screen output (and not at all for XML output).
>
> Thanks, and happy scanning!
> Dan
>
> [1] http://nmap.org/nsedoc/scripts/ssl-poodle.html
> [2] http://nmap.org/nsedoc/lib/vulns.html

Hello,

thanks Dan for the script.

Regarding vulns.lua, IIRC the reason why we don't display the fields
you mention when in NOT_VULN state is to prevent flooding the
output with too much information. Feel free to change it if you think
it makes more sense. Maybe based on the verbosity level?

Automatically handling description formatting sounds good and safe.

Regards

--
Henri
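The whitespace handling Dan proposes in question 2 (collapse everything except paragraph breaks, word-wrap for screen output, leave the XML form unwrapped), sketched as an added example in plain Lua 5.x. This is not code from the thread or from Nmap's vulns library; the function names, the sample description text and the wrap width are this example's own choices.

```lua
-- Added example (not from the original thread or the Nmap project):
-- normalise a vulns-style description field so script authors need not
-- care about source indentation or line wrapping. Paragraph breaks (two
-- or more newlines) are kept; every other run of whitespace becomes one
-- space. The screen form is word-wrapped; the XML form is not.

-- Split text into trimmed, whitespace-collapsed paragraphs.
local function split_paragraphs(text)
  local paragraphs = {}
  -- Append a terminating paragraph break so the last paragraph is captured.
  for para in (text .. "\n\n"):gmatch("(.-)\n%s*\n") do
    local collapsed = para:gsub("%s+", " ")
    collapsed = collapsed:gsub("^ ", ""):gsub(" $", "")
    if collapsed ~= "" then
      paragraphs[#paragraphs + 1] = collapsed
    end
  end
  return paragraphs
end

-- Greedy word wrap of one paragraph to at most `width` columns.
-- A single word longer than `width` is placed on its own line unbroken.
local function wrap_paragraph(para, width)
  local lines, line = {}, ""
  for word in para:gmatch("%S+") do
    if line == "" then
      line = word
    elseif #line + 1 + #word <= width then
      line = line .. " " .. word
    else
      lines[#lines + 1] = line
      line = word
    end
  end
  if line ~= "" then lines[#lines + 1] = line end
  return lines
end

-- Return two strings: the wrapped screen form and the unwrapped XML form.
local function format_description(text, width)
  local paragraphs = split_paragraphs(text)
  local screen = {}
  for i, para in ipairs(paragraphs) do
    if i > 1 then screen[#screen + 1] = "" end  -- blank line between paragraphs
    for _, l in ipairs(wrap_paragraph(para, width)) do
      screen[#screen + 1] = l
    end
  end
  return table.concat(screen, "\n"), table.concat(paragraphs, "\n\n")
end

-- Constructed sample: a description written as an indented Lua long
-- string with single newlines inside paragraphs and a blank line between
-- them, the shape a script author would naturally type.
local SAMPLE = [[
    The server accepts SSLv3 connections with CBC ciphersuites, which
    is the combination the POODLE padding attack relies on. Every SSLv3
    implementation that permits CBC ciphersuites
    is affected.

    Disable SSLv3 on the server, or at least remove the CBC
    ciphersuites from its SSLv3 configuration.
]]

local screen, xml = format_description(SAMPLE, 60)
print("-- screen form (wrapped to 60 columns) --")
print(screen)
print("-- xml form (whitespace collapsed, no wrapping) --")
print(xml)
```

Running the block prints the same description twice: once wrapped at 60 columns with a blank line between the two paragraphs, and once with each paragraph on a single line. Both forms are produced from the same normalised paragraph list, so the screen and XML outputs never disagree on content, only on line breaks.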