PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-26 17:39:03 +00:00
Code Issues Projects Releases Wiki Activity

Let all ssl scripts check for SSL and cache/check SSL status. https://security.stackexchange.com/q/189268/9209

Browse Source
This commit is contained in:
dmiller
2018-07-11 05:03:13 +00:00
parent 33f0f050cf
commit 073a3efb23
3 changed files with 45 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nselib/comm.lua
View File

@@ -23,7 +23,7 @@
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
local nmap = require "nmap"
local shortport = require "shortport"
local shortport
local stdnse = require "stdnse"
_ENV = stdnse.module("comm", stdnse.seeall)
@@ -165,6 +165,7 @@ end
-- @param port The port table to check
-- @return bool True if port is usually ssl, otherwise false
local function is_ssl(port)
shortport = shortport or require "shortport"
return shortport.ssl(nil, port)
end

44
nselib/shortport.lua
View File

@@ -8,6 +8,7 @@
local nmap = require "nmap"
local stdnse = require "stdnse"
local comm
_ENV = stdnse.module("shortport", stdnse.seeall)
---
@@ -229,8 +230,47 @@ local LIKELY_SSL_SERVICES = {
-- @usage
-- portrule = shortport.ssl
function ssl(host, port)
return (port.version and port.version.service_tunnel == "ssl") or
port_or_service(LIKELY_SSL_PORTS, LIKELY_SSL_SERVICES, {"tcp", "sctp"})(host, port)
if (port.version and port.version.service_tunnel == "ssl") or
port_or_service(LIKELY_SSL_PORTS, LIKELY_SSL_SERVICES, {"tcp", "sctp"})(host, port) then
return true
end
-- if we didn't detect something *not* SSL, check it ourselves
if port.version.name_confidence <= 3 and host.registry then
comm = comm or require "comm"
host.registry.ssl = host.registry.ssl or {}
local mtx = nmap.mutex(host.registry.ssl)
mtx "lock"
local v = host.registry.ssl[port.number .. port.protocol]
if v == nil then
-- probes from nmap-service-probes
for _, probe in ipairs({
--TLSSessionReq
"\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3\z
random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\z
\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
\x05\x03\x05\x02",
-- SSLSessionReq
"\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
\x08\0\x06\0\x03\x01\0",
}) do
local status, resp = comm.exchange(host, port, probe)
if status and resp and (
resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
) then
v = true
break
end
end
host.registry.ssl[port.number .. port.protocol] = v or false
end
mtx "done"
return v
end
return false
end
return _ENV;

34
scripts/ssl-enum-ciphers.nse
View File

@@ -1065,39 +1065,7 @@ local function try_protocol(host, port, protocol, upresults)
end
portrule = function (host, port)
if shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) then
return true
end
-- selected by name and we didn't detect something *not* SSL
if (port.version.name_confidence <= 3 and nmap.version_intensity() == 9) then
-- check whether it's an SSL service
local is_ssl = false
-- probes from nmap-service-probes
for _, probe in ipairs({
--TLSSessionReq
"\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3\z
random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\z
\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
\x05\x03\x05\x02",
-- SSLSessionReq
"\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
\x08\0\x06\0\x03\x01\0",
}) do
local status, resp = comm.exchange(host, port, probe)
if status and resp and (
resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
) then
is_ssl = true
break
end
end
return is_ssl
end
return false
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
--- Return a table that yields elements sorted by key when iterated over with pairs()