PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-17 13:09:02 +00:00
Code Issues Projects Releases Wiki Activity

NSE add STARTTLS to sslv2 improving detection of SSLv2 and DROWN oracles. Closes #320

Browse Source
This commit is contained in:
tomsellers
2016-03-03 02:06:05 +00:00
parent 13006aea4d
commit 318accba6e
3 changed files with 52 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG
View File

@@ -1,5 +1,11 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
against services that are not TLS encrypted by default but that support
post connection upgrade. This will enable more comprehensive detection
of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
BeEF to http-default-accounts. [nnposter] BeEF to http-default-accounts. [nnposter]

4
nping/configure vendored
View File

@@ -2229,6 +2229,10 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
# Check whether --with-localdirs was given. # Check whether --with-localdirs was given.
if test "${with_localdirs+set}" = set; then : if test "${with_localdirs+set}" = set; then :
withval=$with_localdirs; case "$with_localdirs" in withval=$with_localdirs; case "$with_localdirs" in

61
scripts/sslv2.nse
View File

@@ -4,6 +4,7 @@ local string = require "string"
local table = require "table" local table = require "table"
local bin = require "bin" local bin = require "bin"
local stdnse = require "stdnse" local stdnse = require "stdnse"
local sslcert = require "sslcert"
description = [[ description = [[
Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it
@@ -42,7 +43,9 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe"} categories = {"default", "safe"}
portrule = shortport.ssl portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
local ssl_ciphers = { local ssl_ciphers = {
-- (cut down) table of codes with their corresponding ciphers. -- (cut down) table of codes with their corresponding ciphers.
@@ -80,8 +83,28 @@ local ciphers = function(cipher_list)
end end
action = function(host, port) action = function(host, port)
local timeout = stdnse.get_timeout(host, 10000, 5000)
local socket = nmap.new_socket(); -- Create socket.
local status, sock, err
local starttls = sslcert.getPrepareTLSWithoutReconnect(port)
if starttls then
status, socket = starttls(host, port)
if not status then
stdnse.debug(1, "Can't connect using STARTTLS: %s", socket)
return nil
end
else
socket = nmap.new_socket()
socket:set_timeout(timeout)
status, err = socket:connect(host, port)
if not status then
stdnse.debug(1, "Can't connect: %s", err)
return nil
end
end
socket:set_timeout(timeout)
-- build client hello packet (contents inspired by -- build client hello packet (contents inspired by
-- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html ) -- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html )
@@ -101,49 +124,49 @@ action = function(host, port)
.. "\x02\x00\x80" -- SSL2_RC4_128_EXPORT40_WITH_MD5 .. "\x02\x00\x80" -- SSL2_RC4_128_EXPORT40_WITH_MD5
.. "\xe4\xbd\x00\x00\xa4\x41\xb6\x74\x71\x2b\x27\x95\x44\xc0\x3d\xc0" -- challenge .. "\xe4\xbd\x00\x00\xa4\x41\xb6\x74\x71\x2b\x27\x95\x44\xc0\x3d\xc0" -- challenge
socket:connect(host, port); socket:send(ssl_v2_hello)
socket:send(ssl_v2_hello);
local status, server_hello = socket:receive_bytes(2); local status, server_hello = socket:receive_bytes(2)
if (not status) then if (not status) then
socket:close(); socket:close()
return; return
end end
local idx, server_hello_len = bin.unpack(">S", server_hello) local idx, server_hello_len = bin.unpack(">S", server_hello)
-- length record doesn't include its own length, and is "broken". -- length record doesn't include its own length, and is "broken".
server_hello_len = server_hello_len - (128 * 256) + 2; server_hello_len = server_hello_len - (128 * 256) + 2
-- the hello needs to be at least 13 bytes long to be of any use -- the hello needs to be at least 13 bytes long to be of any use
if (server_hello_len < 13) then if (server_hello_len < 13) then
socket:close(); socket:close()
return; stdnse.debug(1, "Server Hello too short")
return
end end
--try to get entire hello, if we don't already --try to get entire hello, if we don't already
if (#server_hello < server_hello_len) then if (#server_hello < server_hello_len) then
local status, tmp = socket:receive_bytes(server_hello_len - #server_hello); local status, tmp = socket:receive_bytes(server_hello_len - #server_hello)
if (not status) then if (not status) then
socket:close(); socket:close()
return; return
end end
server_hello = server_hello .. tmp; server_hello = server_hello .. tmp
end; end
socket:close(); socket:close()
-- split up server hello into components -- split up server hello into components
local idx, message_type, SID_hit, certificate_type, ssl_version, certificate_len, ciphers_len, connection_ID_len = bin.unpack(">CCCSSSS", server_hello, idx) local idx, message_type, SID_hit, certificate_type, ssl_version, certificate_len, ciphers_len, connection_ID_len = bin.unpack(">CCCSSSS", server_hello, idx)
-- some sanity checks: -- some sanity checks:
-- is response a server hello? -- is response a server hello?
if (message_type ~= 4) then if (message_type ~= 4) then
return; return
end end
-- is certificate in X.509 format? -- is certificate in X.509 format?
if (certificate_type ~= 1) then if (certificate_type ~= 1) then
return; return
end end
local idx, certificate = bin.unpack("A" .. certificate_len, server_hello, idx) local idx, certificate = bin.unpack("A" .. certificate_len, server_hello, idx)
@@ -160,5 +183,5 @@ action = function(host, port)
o["ciphers"] = available_ciphers o["ciphers"] = available_ciphers
end end
return o; return o
end end