Check more common IRC ports by default. Send SSL probes to ircs ports. See #941

2025-12-06 04:31:29 +00:00 · 2017-07-27 18:21:12 +00:00
parent 9d90970c61
commit 1c79000aeb
7 changed files with 44 additions and 11 deletions
--- a/2
+++ b/2
@@ -12978,7 +12978,7 @@ softmatch ftp m|^220[\s-].*ftp[^\r]*\r\n214[\s-]|i
 # TLSv1-only servers, based on a failed handshake alert.
 Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
 rarity 1
-ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,4911,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,8531,8883,9001,9443,10443,14443,44443,60443
+ports 322,443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4433,4443,4444,4911,5061,5443,5550,6443,6679,6697,7000,7210,7272,7443,8009,8181,8194,8443,8531,8883,9001,9443,10443,14443,44443,60443
 fallback GetRequest

 # OpenSSL/0.9.7aa, 0.9.8e
--- a/nselib/irc.lua
+++ b/nselib/irc.lua
@@ -0,0 +1,29 @@
+---
+-- IRC functions.
+--
+-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
+
+local stdnse = require "stdnse"
+_ENV = stdnse.module("irc", stdnse.seeall)
+
+portrule = (require "shortport").port_or_service(
+  {
+    -- Shodan.io top 3 IRC ports
+    6667,
+    6666,
+    6664,
+    -- other ports in the "ircu" assignment block
+    6665,
+    6668,
+    6669,
+    -- common SSL irc ports
+    6679,
+    6697,
+    7000,
+    -- other common ports
+    8067,
+  },
+  { "irc", "ircs", "ircs-u", "ircd", "irc-serv" } -- this covers ports 194, 529, and 994
+  )
+
+return _ENV
--- a/scripts/irc-botnet-channels.nse
+++ b/scripts/irc-botnet-channels.nse
@@ -1,5 +1,5 @@
 local comm = require "comm"
-local shortport = require "shortport"
+local irc = require "irc"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
@@ -73,7 +73,7 @@ local DEFAULT_CHANNELS = {
  "RxBot",
 }

-portrule = shortport.port_or_service({6666, 6667, 6697, 6679}, {"irc", "ircs"})
+portrule = irc.portrule

 -- Parse an IRC message. Returns nil, errmsg in case of error. Otherwise returns
 -- true, prefix, command, params. prefix may be nil. params is an array of
@@ -277,6 +277,10 @@ function action(host, port)
  end

  irc = irc_connect(host, port)
+  if not irc then
+    stdnse.debug1("Could not connect")
+    return nil
+  end
  irc_send_message(irc, "LIST", concat_channel_list(search_channels))

  channels = {}
--- a/scripts/irc-brute.nse
+++ b/scripts/irc-brute.nse
@@ -2,7 +2,7 @@ local brute = require "brute"
 local comm = require "comm"
 local creds = require "creds"
 local match = require "match"
-local shortport = require "shortport"
+local irc = require "irc"
 local stdnse = require "stdnse"

 description=[[
@@ -33,7 +33,7 @@ author = "Patrik Karlsson"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories={"brute","intrusive"}

-portrule = shortport.port_or_service({6666,6667,6697,6679},{"irc","ircs"})
+portrule = irc.portrule

 Driver = {

--- a/scripts/irc-info.nse
+++ b/scripts/irc-info.nse
@@ -1,6 +1,6 @@
 local comm = require "comm"
 local nmap = require "nmap"
-local shortport = require "shortport"
+local irc = require "irc"
 local stdnse = require "stdnse"

 description = [[
@@ -43,7 +43,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = {"default", "discovery", "safe"}

-portrule = shortport.port_or_service({6666,6667,6697,6679},{"irc","ircs"})
+portrule = irc.portrule

 local banner_timeout = 60

--- a/scripts/irc-sasl-brute.nse
+++ b/scripts/irc-sasl-brute.nse
@@ -3,7 +3,7 @@ local brute = require "brute"
 local comm = require "comm"
 local creds = require "creds"
 local sasl = require "sasl"
-local shortport = require "shortport"
+local irc = require "irc"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
@@ -40,7 +40,7 @@ author = "Piotr Olma"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories={"brute","intrusive"}

-portrule = shortport.port_or_service({6666,6667,6697,6679},{"irc","ircs"})
+portrule = irc.portrule

 local dbg = stdnse.debug

--- a/scripts/irc-unrealircd-backdoor.nse
+++ b/scripts/irc-unrealircd-backdoor.nse
@@ -1,7 +1,7 @@
 local comm = require "comm"
 local nmap = require "nmap"
 local os = require "os"
-local shortport = require "shortport"
+local irc = require "irc"
 local stdnse = require "stdnse"
 local string = require "string"

@@ -61,7 +61,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"exploit", "intrusive", "malware", "vuln"}


-portrule = shortport.port_or_service({6666,6667,6697,6679,8067},{"irc","ircs"})
+portrule = irc.portrule


 action = function(host, port)