diff --git a/nselib/shortport.lua b/nselib/shortport.lua
index 879fdcd4d..e1c785403 100644
--- a/nselib/shortport.lua
+++ b/nselib/shortport.lua
@@ -226,11 +226,48 @@ local LIKELY_SSL_PORTS = {
 9001, -- tor-orport
 8883, -- secure-mqtt
 }
+local LIKELY_DTLS_PORTS = {
+ 443,
+ 853, -- domain-s
+ 2221, -- rockwell-csp1
+ 4740, -- ipfixs
+ 4755, -- gre-udp-dtls
+ 5349, -- stuns
+ 5684, -- coaps
+ 6514, -- syslog-tls
+ 6699, -- babel-dtls
+ 8232, -- hncp-dtls
+ 10161, -- snmpdtls
+ 10162, -- snmpdtls-trap
+ 41230, -- z-wave-s
+}
 local LIKELY_SSL_SERVICES = {
 "ftps", "ftps-data", "ftps-control", "https", "https-alt", "imaps", "ircs",
 "ldapssl", "ms-wbt-server", "pop3s", "sip-tls", "smtps", "telnets", "tor-orport",
 }
+local ssl_probes = {
+ tcp = {
+ --TLSSessionReq
+ "\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3\z
+ random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\z
+ \x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
+ \x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
+ \x05\x03\x05\x02",
+ -- SSLSessionReq
+ "\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
+ \x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
+ \0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
+ \x08\0\x06\0\x03\x01\0",
+ },
+ udp = {
+ --DTLSSessionReq
+ "\x16\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00\x2a\x00\z
+ \x00\x00\x00\x00\x00\x00\x2a\xfe\xfd\x00\x00\x00\x00\x7c\x77\x40\x1e\x8a\z
+ \xc8\x22\xa0\xa0\x18\xff\x93\x08\xca\xac\x0a\x64\x2f\xc9\x22\x64\xbc\x08\z
+ \xa8\x16\x89\x19\x30\x00\x00\x00\x02\x00\x2f\x01\x00"
+ }
+}
 ---
 -- A portrule that matches likely SSL services.
 --
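Review bot: The `443,` entry in LIKELY_DTLS_PORTS is the only one without the `-- service` comment that every other entry carries, so a later reader cannot tell which DTLS service on udp/443 justified adding it; write it in the same form, `443, -- <service this entry is for>`. The new `ssl_probes` table is keyed by transport name but nothing at its definition says it is indexed by `port.protocol` from `ssl()`, so a one-line comment above it such as `-- probes from nmap-service-probes, keyed by port.protocol (tcp/udp)` would make the contract of the `tcp`/`udp` keys explicit where the data lives rather than only at the lookup site.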
@@ -242,7 +279,8 @@ local LIKELY_SSL_SERVICES = {
 -- portrule = shortport.ssl
 function ssl(host, port)
 if (port.version and port.version.service_tunnel == "ssl") or
- port_or_service(LIKELY_SSL_PORTS, LIKELY_SSL_SERVICES, {"tcp", "sctp"})(host, port) then
+ port_or_service(LIKELY_SSL_PORTS, LIKELY_SSL_SERVICES, {"tcp", "sctp"})(host, port) or
+ portnumber(LIKELY_DTLS_PORTS, {"udp"})(host, port) then
 return true
 end
 -- If we're just looking up port info, stop here.
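Review bot: The new UDP arm `portnumber(LIKELY_DTLS_PORTS, {"udp"})(host, port)` matches by port number only, while the TCP/SCTP arm directly above it also accepts service names via `port_or_service`, so a UDP port that version detection has already named (the list's own comments name `coaps`, `stuns`, `domain-s`) will not trigger the rule unless its number is in the table. If name matching is wanted, a `LIKELY_DTLS_SERVICES` list passed as `port_or_service(LIKELY_DTLS_PORTS, LIKELY_DTLS_SERVICES, {"udp"})(host, port)` keeps the two arms symmetric; if number-only matching is deliberate, a short comment on that line saying so would stop the next reader from "fixing" it. The body of `ssl()` continues past the end of this hunk.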
@@ -258,30 +296,31 @@ function ssl(host, port)
 local v = host.registry.ssl[port.number .. port.protocol]
 if v == nil then
 -- probes from nmap-service-probes
- for _, probe in ipairs({
- --TLSSessionReq
- "\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3\z
- random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\z
- \x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
- \x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
- \x05\x03\x05\x02",
- -- SSLSessionReq
- "\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
- \x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
- \0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
- \x08\0\x06\0\x03\x01\0",
- }) do
+ for _, probe in ipairs(ssl_probes[port.protocol]) do
 local status, resp = comm.exchange(host, port, probe)
 if status and resp then
- if resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]")
- or resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]") then
- -- Definitely SSL
- v = true
- break
- elseif not resp:match("^[\x16\x15]\x03") then
- -- Something definitely not SSL
- v = false
- break
+ if port.protocol == "udp" then
+ if resp:match("^\x16\xfe[\xfd\xff]\0\0\0\0\0\0\0\0..[\x02\x03]...\0\0\0\0\0...\xfe[\xfd\xff].")
+ then
+ -- Definitely SSL
+ v = true
+ break
+ elseif not resp:match("^[\x16\x15]\xfe[\xfd\xff]") then
+ -- Something definitely not SSL
+ v = false
+ break
+ end
+ else
+ if resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]")
+ or resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]") then
+ -- Definitely SSL
+ v = true
+ break
+ elseif not resp:match("^[\x16\x15]\x03") then
+ -- Something definitely not SSL
+ v = false
+ break
+ end
 end
 -- Something else? better try the other probes
 end
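Review bot: The udp branch has no counterpart to the TCP alert match `^\x15\x03[\0-\x03]\0\x02\x02[F\x28]`, so a DTLS server that answers the single-suite (0x002f) ClientHello from the probe table with a fatal handshake_failure (0x28) or protocol_version (70) alert is neither confirmed nor rejected and, with only one UDP probe, the loop ends with `v` still nil. Mirroring the TCP check with the DTLS record header, `or resp:match("^\x15\xfe[\xfd\xff]\0\0\0\0\0\0\0\0\0\x02\x02[F\x28]")`, would classify those servers the way the TCP path already does (the eight zero bytes assume a first-record epoch/sequence of zero, as the added handshake pattern does). Separately, `ipairs(ssl_probes[port.protocol])` raises for any protocol other than tcp/udp, and `ssl()` admits sctp ports through `port_or_service`, so unless a check between this hunk and the previous one filters them, `ipairs(ssl_probes[port.protocol] or {})` would make the loop a no-op instead of an error. The two branches also duplicate the verdict logic and differ only in their patterns; keeping the hello and not-SSL patterns next to the probes in `ssl_probes` would collapse them to one branch. The rest of `ssl()` continues outside the hunk.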