Message-ID: <Pine.BSF.4.58.0401082132180.28704@sd3.mailbank.com>
Date: Thu, 8 Jan 2004 21:44:04 -0500 (EST)
From: John Lampe <jwlampe@...sus.org>
To: "Lachniet, Mark" <mlachniet@...uoianet.com>
Cc: cisspforum@...oogroups.com, bugtraq@...urityfocus.com,
   pen-test@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Openssl proof of concept code?


On Thu, 8 Jan 2004, Lachniet, Mark wrote:

> Alternately, has anyone written a good program to
> remotely identify what SSL codebase is in use, other than looking for it
> in HTTP server headers?  Nessus' ssltest.nasl can allegedly distinguish
> between an openssl and MS CryptoAPI or Novell, but this isn't really
> enough in my opinion.

And, so we're clear.  The Nessus test is a *specific* test which looks for
SSL servers which will accept unrequested client-side certs (as opposed
to a more general test which either fingerprints or fuzzes SSL
servers...both of which seem very interesting, btw).  And, if you look at
the code, the section where we weed out MS and Novell SSL servers just
leads to an exit().  I.e., the plugin will never flag or report on an "SSL
type or version".

So, it was incidental that we found certain systems (Microsoft and
Netware, to name two) which responded (how shall I say)...anomalously.
It was never the intent of the plugin to do anything more than test for
one specific bug.

John Lampe
jwlampe -at- nessus.org
http://f00dikator.aceryder.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html