From f93cab84ebf1f513175cb4fbdccf6157aee54dfd Mon Sep 17 00:00:00 2001 From: dmiller Date: Thu, 2 Apr 2015 04:40:27 +0000 Subject: [PATCH] Add TLS-compatible version probe for services (like MS RDP) that silently drop SSLv3 handshakes --- nmap-service-probes | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/nmap-service-probes b/nmap-service-probes index c69456b17..7e812ecfe 100644 --- a/nmap-service-probes +++ b/nmap-service-probes @@ -11263,7 +11263,7 @@ match xmpp-transport m|^\x05\xff$| p/Spectrum XMPP file transfer/ # TLSv1-only servers, based on a failed handshake alert. Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0| rarity 1 -ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8181,8194,8443,9001 +ports 443,444,465,548,636,989,990,992,993,994,995,1241,1311,2000,4444,5061,5550,7210,7272,8009,8181,8194,8443,9001 fallback GetRequest match adabas m|^,\0,\0\x03\x02\0\0G\xd7\xf7\xbaO\x03\0\?\x05\0\0\0\0\x02\x18\0\xfd\x0b\0\0<=\xdbo\xef\x10n \xd5\x96\xc8w\x9b\xe6\xc4\xdb$| p/ADABAS database/ 
@@ -11431,6 +11431,21 @@ match storagecraft-image m|^\x15\x01\0\0\x08\0\0\0\0\x80\t\x03\x08\.NET\x01\0\x0 match xamarin m|^ERROR: Another instance is running\n| p/Xamarin MonoTouch/ +##############################NEXT PROBE############################## +# TLSv1.2 ClientHello probe. TLS implementations may choose to ignore (close +# silently) incompatible ClientHello messages like the one in SSLSessionReq. +# This one should be widely compatible, and if we avoid adding non-ssl service +# matches here, we can continue to upgrade it (bytes 10 and 11 and the ranges +# in the match lines) +Probe TCP TLSSessionReq q|\x16\x03\0\x00g\x01\0\x001\x03\x03U\x1c\xa7\xe4random1random2random3random4\0\x00\x0a\0/\0\x0a\0\x13\x009\0\x04\x01\0\0\x30\0\x0d\0,\0*\0\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\x05\x03\x05\x02| +rarity 2 +ports 443,444,465,636,989,990,992,993,994,995,1241,1311,3389,4444,5061,6679,6697,8443,9001 + +# SSLv3 - TLSv1.2 ServerHello +match ssl m|^\x16\x03[\0-\x03]..\x02\0\0.\x03[\0-\x03]|s +# SSLv3 - TLSv1.2 Alert +match ssl m|^\x15\x03[\0-\x03]\0\x02[\x01\x02].$|s + ##############################NEXT PROBE############################## # SSLv2-compatible ClientHello, 39 ciphers offered. # Will elicit a ServerHello from most SSL implementations, apart from those
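Review bot: The handshake length in the new `TLSSessionReq` payload looks too short: the header `\x01\0\x001` declares a 49-byte ClientHello body, but the bytes that follow (version, 32-byte random, session id length, 2+10 bytes of cipher suites, 2 bytes of compression, and the 2+48-byte signature_algorithms extension block) add up to 99, which is also what the record length `\x00g` (103 = 4 + 99) implies. 49 is exactly the body size without the extension block, so the field was probably not updated when the extensions were added; it should read `\x01\0\x00c`. A strict TLS stack may treat the 50 trailing bytes as a second, malformed handshake message and answer with an alert or close silently, which is the failure this probe is meant to avoid, so some TLS services could still go unidentified. Because the header comment invites later upgrades of bytes 10 and 11, it would help to add a line there such as `# Keep the record length (bytes 4-5) and handshake length (bytes 7-9) in sync when editing the payload`.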