SSL standard ports
Hello,

I just implemented a "pref" to restrict the SSL connections to known
ports.
Two reasons for this:
- avoid a DoS against fragile programs
- speed up the test

So far, I have found those ports:
115 SFTP
443 HTTPS
465 SMTPS
563 NNTPS
636 LDAPS
992 telnets
993 IMAPS
994 IRCS
995 POP3S
1241 Nessus

Does anybody know more standard/common SSL services?

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: SSL standard ports
> Hello,
>
> I just implemented a "pref" to restrict the SSL connections to known
> ports.
> Two reasons for this:
> - avoid a DoS against fragile programs
> - speed up the test
>
I suggest against it.
ANY program may be ssl wrapped (or not)

just like nessus (port 1241) you can wrap it in ssl or not.

Also, webmin (port 10000) can be ssl wrapped.

Also, using 'non standard' ports on services like nessus, webmin, telnets,
pop3s, ntps, smtps, etc to hide, stealth the ports will prevent nessus
from finding them.


> So far, I have found those ports:
> 115 SFTP
> 443 HTTPS
> 465 SMTPS
> 563 NNTPS
> 636 LDAPS
> 992 telnets
> 993 IMAPS
> 994 IRCS
> 995 POP3S
> 1241 Nessus
>
> Does anybody know more standard/common SSL services?
>
> --
> mailto:arboi@bigfoot.com
> GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
> http://michel.arboi.free.fr/ http://arboi.da.ru/
> FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
>

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net/
Re: SSL standard ports
On Sun, Apr 07, 2002 at 08:23:26AM -0400, Michael Scheidell wrote:
> > Hello,
> >
> > I just implemented a "pref" to restrict the SSL connections to known
> > ports.
> > Two reasons for this:
> > - avoid a DoS against fragile programs
> > - speed up the test
> >
> I suggest against it.
> ANY program may be ssl wrapped (or not)

That's why this is an _optional_ preference, _disabled_ by default.

Michel's point (and observations) are that a lot of crappy services will
crash due to the SSL negotiation, which is something you can't always
tolerate. So in that case, you may prefer to not take any risk and use
Nessus not to do a full audit, but to quickly get a lot of information
ready to be worked on by hand.


-- Renaud
Re: SSL standard ports
I'd prefer to see HTTP(s) options like:
-- Test all
-- Test none
-- Test only: (with list field)

I've seen plenty of DOS's against ports with regular HTTP as well as
HTTPS, but I'm also finding HTTP(s) servers on the weirdest ports and
would prefer to know about them, as long as I realize I may be DOSing
normal services.

FWIW, I've commonly seen SSL web servers on ports:

444, 445, 8443 (developer test server ports)
2200 (I forget what this is)
2381 Compaq Management
8009 Netware Management Portal

-Sullo

___________________________________________________
http://www.cirt.net/
Home of the Nikto scanner, Default Passwords, Ports, SSIDs & more


> Hello,
>
> I just implemented a "pref" to restrict the SSL connections to known
> ports.
> Two reasons for this:
> - avoid a DoS against fragile programs
> - speed up the test
>
> So far, I have found those ports:
> 115 SFTP
> 443 HTTPS
> 465 SMTPS
> 563 NNTPS
> 636 LDAPS
> 992 telnets
> 993 IMAPS
> 994 IRCS
> 995 POP3S
> 1241 Nessus
>
> Does anybody know more standard/common SSL services?
>
> --
> mailto:arboi@bigfoot.com
> GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
> http://michel.arboi.free.fr/ http://arboi.da.ru/
> FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: SSL standard ports
"Sullo" <sq@cirt.net> writes:

> I'd prefer to see HTTP(s) options like:
> -- Test all
> -- Test none
> -- Test only: (with list field)

I thought about this but the GUI is very user-friendly in this case:
you can fill a text field that will be used _only_ if a radio is on
the right option.

> I've seen plenty of DOS's against ports with regular HTTP as well as
> HTTPS, but I'm also finding HTTP(s) servers on the weirdest ports and
> would prefer to know about them, as long as I realize I may be DOSing
> normal services.

In this case, just select "all ports" (the default)

> FWIW, I've commonly seen SSL web servers on ports:
> 444, 445, 8443 (developer test server ports)

I saw 444 too.

Looks like we have no choice but the text field :-\

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
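
The preference discussed in this thread (test all, test none, or test only a list typed into a text field), as an added example that is not part of any message above and is not Nessus code. The function names, the mode strings and the port-list syntax are assumptions; the default list is the one from the first post. It also returns the open ports that were skipped, so the coverage gap raised in the first reply can be reported.

```python
# Added illustration; all names here are hypothetical, not Nessus identifiers.
# Default text-field content: the ports listed in the first post of the thread.
DEFAULT_PORT_TEXT = "115,443,465,563,636,992,993,994,995,1241"


def parse_port_list(text):
    """Parse '443, 8443, 990-995' into a set of ints; reject malformed items."""
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        try:
            first = int(lo)
            last = int(hi) if sep else first
        except ValueError:
            raise ValueError(f"not a port or range: {item!r}")
        if not (1 <= first <= last <= 65535):
            raise ValueError(f"invalid port or range: {item!r}")
        ports.update(range(first, last + 1))
    return ports


def ssl_probe_targets(open_ports, mode="all", port_text=DEFAULT_PORT_TEXT):
    """Return (targets, skipped): ports to try an SSL handshake on, and
    open ports left alone so the report can state they were not checked."""
    open_ports = set(open_ports)
    if mode == "all":            # the default: every open port is probed
        targets = open_ports
    elif mode == "none":
        targets = set()
    elif mode == "only":         # text field is used only in this mode
        wanted = parse_port_list(port_text)
        if not wanted:
            raise ValueError("'only' mode needs a non-empty port list")
        targets = open_ports & wanted
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return sorted(targets), sorted(open_ports - targets)


if __name__ == "__main__":
    # Constructed sample: open ports found on a host by an earlier port scan.
    found = [22, 80, 443, 444, 993, 8443, 10000]
    print(ssl_probe_targets(found, "only"))
    print(ssl_probe_targets(found, "only", "443, 444, 8443"))
```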