
I am running nmap to probe services that use SSL.¹

In order to detect the vulnerability on non-standard ports, I am using the -sV option to perform service discovery. But it is very slow since it runs several probes per open port. How can I make it more efficient and quicker by running only SSL probes?

¹ Specifically, I am evaluating Heartbleed vulnerability at our site by running the nmap ssl-heartbleed script.

possible duplicate of HeartBleed - How to detect compromised websites –  Eric G 2 days ago
If you're talking about a website (I don't know what else you'd be talking about) you can just use this: ssllabs.com/ssltest/index.html –  KnightOfNi 2 days ago
You can use the -p <port> option to limit the test to only a specific port. For example nmap -p 443 -sV --script=ssl-heartbleed <IP> –  void_in 2 days ago
@void_in: The question specifically asks about websites running on non-standard ports (i.e. ports other than 443). Your answer only scans port 443. –  Matt 2 days ago
Sorry, this isn't a duplicate. This question is about the usage of nmap, and the Heartbleed reference is just an example use case. The generic answer would help anyone who wants to run a customized nmap scan for discovering hosts running an SSL service or any subset of the nmap-services. P.S.: the linked question only addresses the issue of scanning public sites. I need to scan my internal LAN and Metasploit isn't an option. –  Benny 2 days ago

1 Answer


You can reduce the number of probes that Nmap sends by using the --version-intensity option. This option takes an integer argument between 1 and 9, limiting the probes sent to open ports to those with a rarity of that number or less.

The probe for SSL/TLS (SSLv3 and newer) has a rarity of 1, so you could get away with a simple --version-intensity 1. As a convenience, here are some mnemonic options and their intensity equivalents:

  • --version-light = --version-intensity 2
  • --version-all = --version-intensity 9
  • default = --version-intensity 7

If this is still too much, you can copy the probes (and matches!) you are interested in into a separate file and specify it with the --versiondb option.

Even with rarity 1, Nmap sends a whole lot of probes which are unnecessary since I know what service I am interested in. I can create another nmap-service-probes file and include only SSL probes (I could find two: SSLv3 ClientHello and SSLv2 ClientHello) and then hard-reference it while launching nmap. But I am not sure whether it will cover all instances of SSL implementations such as IMAP, POP3, etc. –  Benny yesterday
@Benny Comment addressed in edited answer. –  bonsaiviking yesterday
Could you advise which probes can provide comprehensive SSL service detection? Since my understanding of SSL is rudimentary, I am not sure. As mentioned before, I could see that the SSLv3 ClientHello & SSLv2 ClientHello probes detect SSL. –  Benny yesterday
With some perl scripting I determined that the following probes check for SSL: -AFSVersionRequest -LDAPBindReq -NessusTPv12 -NULL -SSLSessionReq -NessusTPv10 -GetRequest -GenericLines -RPCCheck -SIPOptions -Hello -SSLv23SessionReq -HTTPOptions -metasploit-xmlrpc -NessusTPv11 -dominoconsole -metasploit-msgrpc –  Benny yesterday
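The answer suggests copying the probes (and their match lines) you care about into a separate file for --versiondb, and the last comment shows the list of probes that carry an SSL match coming from a script. Below is an added example of that step, written for this page and not taken from the answerer, the commenter or the Nmap project: it parses a constructed excerpt written in nmap-service-probes syntax, keeps every probe that has a "match ssl" or "softmatch ssl" line at or below a chosen rarity, and re-emits those probes as a trimmed database. The sample entries (payloads and regexes are simplified stand-ins), the choice to treat a probe without a rarity line as rarity 9, and the acceptance of an "ssl/" service-name prefix are all assumptions of this example.

```python
"""Trim an nmap-service-probes style file to the probes that can detect SSL/TLS.

Added example, not Nmap project code. Output is meant for `nmap -sV --versiondb`.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in nmap-service-probes syntax. Payloads and regexes are
# simplified stand-ins, NOT the real entries shipped with Nmap.
SAMPLE_PROBES = r"""
# constructed excerpt for illustration
Exclude T:9100-9107

Probe TCP NULL q||
rarity 1
match ftp m|^220.*FTP| p/Generic FTP/

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8080
sslports 443,8443
match http m|^HTTP/1\.[01] \d\d\d| p/Generic HTTP/
match ssl m|^\x16\x03[\x00-\x03]..\x02| p/TLS server/

Probe TCP SSLSessionReq q|\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x01constructed-client-hello|
rarity 1
ports 443,993,995
match ssl m|^\x16\x03[\x00-\x03]..\x02| p/TLS server/
softmatch ssl m|^\x15\x03[\x00-\x03]..\x02| i/alert in reply to ClientHello/

Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\n\r\n|
rarity 5
ports 5060
match sip m|^SIP/2\.0 \d\d\d| p/Generic SIP/
match ssl m|^\x16\x03..\x02| p/TLS on a SIP port/
"""

# "Probe <proto> <name> q<delim>payload<delim>[ extra]": the delimiter is the
# character right after the q, and the same character closes the payload.
PROBE_RE = re.compile(r'^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*?)\3(\s.*)?$')
MATCH_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(.)')
RARITY_RE = re.compile(r'^rarity\s+(\d+)\s*$')
DEFAULT_RARITY = 9  # assumption for probes with no rarity line: treat as rarest


@dataclass
class Probe:
    name: str
    rarity: int = DEFAULT_RARITY
    services: set = field(default_factory=set)  # service names seen on match lines
    lines: list = field(default_factory=list)   # original lines, re-emitted verbatim


def parse_probes(text):
    """Return (header_lines, probes): header = directives before the first Probe."""
    header, probes, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = PROBE_RE.match(line)
        if m:
            cur = Probe(name=m.group(2), lines=[line])
            probes.append(cur)
            continue
        if cur is None:
            header.append(line)        # e.g. the Exclude directive
            continue
        cur.lines.append(line)         # rarity, ports, sslports, match, ...
        r = RARITY_RE.match(line)
        if r:
            cur.rarity = int(r.group(1))
            continue
        mm = MATCH_RE.match(line)
        if mm:
            cur.services.add(mm.group(2))
    return header, probes


def is_ssl_service(service):
    # Nmap's generic TLS match is named "ssl"; "ssl/..." is accepted as an assumption.
    return service == 'ssl' or service.startswith('ssl/')


def select_ssl_probes(probes, max_rarity=9):
    """Probes with at least one SSL match line that are not rarer than max_rarity."""
    return [p for p in probes
            if p.rarity <= max_rarity and any(is_ssl_service(s) for s in p.services)]


def render_db(header, probes):
    """Emit a probes file holding only the given probes, each with all its lines."""
    out = list(header)
    for p in probes:
        out.append('')
        out.extend(p.lines)
    return '\n'.join(out) + '\n'


def trim(text, max_rarity=9):
    header, probes = parse_probes(text)
    return render_db(header, select_ssl_probes(probes, max_rarity))


if __name__ == '__main__':
    # Redirect stdout to a file, then: nmap -sV --versiondb <file> -p- <target>
    print(trim(SAMPLE_PROBES), end='')
```

To use it against a real installation, replace SAMPLE_PROBES with the contents of the installed database (on most Linux packages /usr/share/nmap/nmap-service-probes), run `python3 trim_probes.py > ssl-probes`, and then `nmap -sV --versiondb ssl-probes -p- --script ssl-heartbleed <target>`. Two caveats: the parser handles the common Probe/rarity/ports/match line forms only, so compare its output with the original file before trusting it; and with a trimmed database Nmap can only recognise SSL/TLS endpoints, so every other open port will be reported as unknown, which is exactly the trade-off the question asks for.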