PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-11 10:19:03 +00:00
Code Issues Projects Releases Wiki Activity

Add valid TLS1.2 probe and move checks to rule in ssl-enum-ciphers (#168)

Browse Source
This commit is contained in:
dmiller
2015-06-19 12:02:31 +00:00
parent 06e6062dba
commit a881712e6b
1 changed files with 33 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
scripts/ssl-enum-ciphers.nse
View File

@@ -1,3 +1,4 @@
local comm = require "comm"
local coroutine = require "coroutine" local coroutine = require "coroutine"
local math = require "math" local math = require "math"
local nmap = require "nmap" local nmap = require "nmap"
@@ -829,9 +830,39 @@ local function try_protocol(host, port, protocol, upresults)
end end
portrule = function (host, port) portrule = function (host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) if shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) then
return true
end
-- selected by name and we didn't detect something *not* SSL -- selected by name and we didn't detect something *not* SSL
or (port.version.name_confidence <= 3 and nmap.version_intensity() == 9) if (port.version.name_confidence <= 3 and nmap.version_intensity() == 9) then
-- check whether it's an SSL service
local is_ssl = false
-- probes from nmap-service-probes
for _, probe in ipairs({
--TLSSessionReq
"\x16\x03\0\x00g\x01\0\x001\x03\x03U\x1c\xa7\xe4random1random2random3\z
random4\0\x00\x0a\0/\0\x0a\0\x13\x009\0\x04\x01\0\0\x30\0\x0d\0,\0*\0\z
\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
\x05\x03\x05\x02",
-- SSLSessionReq
"\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
\x08\0\x06\0\x03\x01\0",
}) do
local status, resp = comm.exchange(host, port, probe)
if status and resp and (
resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
) then
is_ssl = true
break
end
end
return is_ssl
end
return false
end end
--- Return a table that yields elements sorted by key when iterated over with pairs() --- Return a table that yields elements sorted by key when iterated over with pairs()
@@ -854,26 +885,7 @@ function sorted_by_key(t)
return out return out
end end
local comm = require "comm"
action = function(host, port) action = function(host, port)
-- If we're selected by name, we might have to check whether it's even an SSL port
if not (shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)) then
-- SSLSessionReq probe from nmap-service-probes
local status, resp = comm.exchange(host, port,
"\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
\x08\0\x06\0\x03\x01\0")
if not status or not resp or not (
resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
) then
stdnse.debug1("Not an SSL service.")
return nil
end
end
local results = {} local results = {}
local condvar = nmap.condvar(results) local condvar = nmap.condvar(results)