PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Let ssl-cert grab certs from DTLS services. Fix rules for TCP-only scripts

Browse Source
This commit is contained in:
dmiller
2024-06-03 19:00:33 +00:00
parent ff0b70f6dd
commit 74a88c0804
17 changed files with 39 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
nselib/sslcert.lua
View File

@@ -1004,18 +1004,26 @@ function getCertificate(host, port)
local mutex = nmap.mutex("sslcert-cache-mutex") local mutex = nmap.mutex("sslcert-cache-mutex")
mutex "lock" mutex "lock"
if ( host.registry["ssl-cert"] and local cache = host.registry["ssl-cert"]
host.registry["ssl-cert"][port.number] ) then if not cache then
cache = {}
host.registry["ssl-cert"] = cache
end
local key = ("%d%s"):format(port.number, port.protocol)
local cert = cache[key]
if cert then
stdnse.debug2("sslcert: Returning cached SSL certificate") stdnse.debug2("sslcert: Returning cached SSL certificate")
mutex "done" mutex "done"
return true, host.registry["ssl-cert"][port.number] return true, cert
end end
local cert local wrapper, specialized
if (port.protocol == "tcp") then
local wrapper = SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.service] or SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.number] wrapper = SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.service] or SPECIALIZED_WRAPPED_TLS_WITHOUT_RECONNECT[port.number]
local special_table = have_openssl and SPECIALIZED_PREPARE_TLS or SPECIALIZED_PREPARE_TLS_WITHOUT_RECONNECT local special_table = have_openssl and SPECIALIZED_PREPARE_TLS or SPECIALIZED_PREPARE_TLS_WITHOUT_RECONNECT
local specialized = special_table[port.service] or special_table[port.number] specialized = special_table[port.service] or special_table[port.number]
end
local status = false local status = false
@@ -1051,10 +1059,8 @@ function getCertificate(host, port)
-- Now try to connect with Nsock's SSL connection -- Now try to connect with Nsock's SSL connection
if not status and have_openssl then if not status and have_openssl then
local socket = nmap.new_socket() local socket, errmsg = comm.opencon(host, port, nil, {proto="ssl"})
local errmsg if not socket then
status, errmsg = socket:connect(host, port, "ssl")
if not status then
stdnse.debug1("SSL connect error: %s", errmsg) stdnse.debug1("SSL connect error: %s", errmsg)
else else
cert = socket:get_ssl_certificate() cert = socket:get_ssl_certificate()
@@ -1065,7 +1071,8 @@ function getCertificate(host, port)
-- Finally, try to connect and manually handshake (maybe more tolerant of TLS -- Finally, try to connect and manually handshake (maybe more tolerant of TLS
-- insecurity than OpenSSL) -- insecurity than OpenSSL)
if not status then -- TODO: DTLS handshaking
if not status and port.protocol == "tcp" then
local socket = nmap.new_socket() local socket = nmap.new_socket()
local errmsg local errmsg
status, errmsg = socket:connect(host, port) status, errmsg = socket:connect(host, port)
@@ -1082,9 +1089,7 @@ function getCertificate(host, port)
return false, "No certificate found" return false, "No certificate found"
end end
host.registry["ssl-cert"] = host.registry["ssl-cert"] or {} cache[key] = cert
host.registry["ssl-cert"][port.number] = host.registry["ssl-cert"][port.number] or {}
host.registry["ssl-cert"][port.number] = cert
mutex "done" mutex "done"
return true, cert return true, cert
end end

2
scripts/http-vuln-cve2014-2126.nse
View File

@@ -38,7 +38,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"} categories = {"vuln", "safe"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.isPortSupported(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/http-vuln-cve2014-2127.nse
View File

@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"} categories = {"vuln", "safe"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.isPortSupported(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/http-vuln-cve2014-2128.nse
View File

@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"} categories = {"vuln", "safe"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.isPortSupported(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/http-vuln-cve2014-2129.nse
View File

@@ -37,7 +37,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"} categories = {"vuln", "safe"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.isPortSupported(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.isPortSupported(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/ssl-ccs-injection.nse
View File

@@ -69,7 +69,7 @@ categories = { "vuln", "safe" }
dependencies = {"https-redirect"} dependencies = {"https-redirect"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
local Error = { local Error = {

2
scripts/ssl-date.nse
View File

@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"}
dependencies = {"https-redirect"} dependencies = {"https-redirect"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
-- Miscellaneous script-wide constants -- Miscellaneous script-wide constants

2
scripts/ssl-dh-params.nse
View File

@@ -788,7 +788,7 @@ end
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
local function format_check(t, label) local function format_check(t, label)

2
scripts/ssl-enum-ciphers.nse
View File

@@ -1095,7 +1095,7 @@ local function try_protocol(host, port, protocol, upresults)
end end
portrule = function (host, port) portrule = function (host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/ssl-heartbleed.nse
View File

@@ -47,7 +47,7 @@ dependencies = {"https-redirect"}
local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'} local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
local function recvhdr(s) local function recvhdr(s)

4
scripts/ssl-known-key.nse
View File

@@ -103,7 +103,9 @@ local get_fingerprints = function(path)
return true, fingerprints return true, fingerprints
end end
portrule = shortport.ssl portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
action = function(host, port) action = function(host, port)
-- Get script arguments. -- Get script arguments.

2
scripts/ssl-poodle.nse
View File

@@ -308,7 +308,7 @@ local function check_fallback_scsv(host, port, protocol, ciphers)
end end
portrule = function (host, port) portrule = function (host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/sslv2-drown.nse
View File

@@ -95,7 +95,7 @@ for k, v in pairs(sslv2.SSL_CIPHERS) do
end end
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
-- Return whether all values of "t1" are also values in "t2". -- Return whether all values of "t1" are also values in "t2".

2
scripts/sslv2.nse
View File

@@ -40,7 +40,7 @@ categories = {"default", "safe"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
action = function(host, port) action = function(host, port)

2
scripts/tls-alpn.nse
View File

@@ -40,7 +40,7 @@ categories = {"discovery", "safe", "default"}
dependencies = {"https-redirect"} dependencies = {"https-redirect"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end

2
scripts/tls-nextprotoneg.nse
View File

@@ -43,7 +43,7 @@ categories = {"discovery", "safe", "default"}
dependencies = {"https-redirect"} dependencies = {"https-redirect"}
portrule = function(host, port) portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end

2
scripts/tls-ticketbleed.nse
View File

@@ -68,7 +68,7 @@ portrule = function(host, port)
return false return false
end end
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) return port.protocol == "tcp" and (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port))
end end
local function is_vuln(host, port, version) local function is_vuln(host, port, version)