Add valid TLS1.2 probe and move checks to rule in ssl-enum-ciphers (#168)

2025-12-09 14:11:29 +00:00 · 2015-06-19 12:02:31 +00:00
parent 06e6062dba
commit a881712e6b
1 changed files with 33 additions and 21 deletions
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -1,3 +1,4 @@
+local comm = require "comm"
 local coroutine = require "coroutine"
 local math = require "math"
 local nmap = require "nmap"
@@ -829,9 +830,39 @@ local function try_protocol(host, port, protocol, upresults)
 end

 portrule = function (host, port)
-  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+  if shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) then
+    return true
+  end
  -- selected by name and we didn't detect something *not* SSL
-  or (port.version.name_confidence <= 3 and nmap.version_intensity() == 9)
+  if (port.version.name_confidence <= 3 and nmap.version_intensity() == 9) then
+    -- check whether it's an SSL service
+    local is_ssl = false
+    -- probes from nmap-service-probes
+    for _, probe in ipairs({
+        --TLSSessionReq
+        "\x16\x03\0\x00g\x01\0\x001\x03\x03U\x1c\xa7\xe4random1random2random3\z
+        random4\0\x00\x0a\0/\0\x0a\0\x13\x009\0\x04\x01\0\0\x30\0\x0d\0,\0*\0\z
+        \x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
+        \x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
+        \x05\x03\x05\x02",
+        -- SSLSessionReq
+        "\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
+        \x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
+        \0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
+        \x08\0\x06\0\x03\x01\0",
+      }) do
+      local status, resp = comm.exchange(host, port, probe)
+      if status and resp and (
+          resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
+          resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
+          ) then
+        is_ssl = true
+        break
+      end
+    end
+    return is_ssl
+  end
+  return false
 end

 --- Return a table that yields elements sorted by key when iterated over with pairs()
@@ -854,26 +885,7 @@ function sorted_by_key(t)
  return out
 end

-local comm = require "comm"
 action = function(host, port)
-
-  -- If we're selected by name, we might have to check whether it's even an SSL port
-  if not (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) then
-    -- SSLSessionReq probe from nmap-service-probes
-    local status, resp = comm.exchange(host, port,
-      "\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
-      \x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
-      \0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
-      \x08\0\x06\0\x03\x01\0")
-    if not status or not resp or not (
-        resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
-        resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
-        ) then
-      stdnse.debug1("Not an SSL service.")
-      return nil
-    end
-  end
-
  local results = {}

  local condvar = nmap.condvar(results)