From f974b625d25116008cd6c6ce391668a22f40a3c4 Mon Sep 17 00:00:00 2001 From: dmiller Date: Fri, 10 Jan 2020 05:32:08 +0000 Subject: [PATCH] New, broader portrule for SSH scripts. Closes #1825 --- CHANGELOG | 4 ++++ nselib/shortport.lua | 29 ++++++++++++++++++++++++++++ scripts/ssh-auth-methods.nse | 2 +- scripts/ssh-brute.nse | 2 +- scripts/ssh-hostkey.nse | 2 +- scripts/ssh-publickey-acceptance.nse | 2 +- scripts/ssh-run.nse | 2 +- scripts/ssh2-enum-algos.nse | 2 +- scripts/sshv1.nse | 2 +- 9 files changed, 40 insertions(+), 7 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 4e12fd7e5..7a03ffa3c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ #Nmap Changelog ($Id$); -*-text-*- +o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on + empirical data from Shodan.io, as well as the netconf-ssh service. + [Lim Shi Min Jonathan, Daniel Miller] + o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the desktop in macOS. [Roland Linder] diff --git a/nselib/shortport.lua b/nselib/shortport.lua index 7ca8e756c..bb0da9e19 100644 --- a/nselib/shortport.lua +++ b/nselib/shortport.lua 
@@ -292,6 +292,35 @@ function ssl(host, port) return false end +local LIKELY_SSH_PORTS = { + -- Top ssh ports on shodanhq.com + 22, + 2222, + 55554, + --666, -- 86% SSH, but we'd like to be more certain. + 22222, + 2382, + -- And others reported by users + 830, -- netconf-ssh +} + +-- This part isn't really necessary, since -sV will reliably detect SSH +local LIKELY_SSH_SERVICES = { + 'ssh', 'netconf-ssh' +} + +-- A portrule that matches likely SSH services. +-- +-- @name ssh +-- @class function +-- @param host The host table to match against. +-- @param port The port table to match against. +-- @return true if the port is likely to be SSH, +-- false otherwise. +-- @usage +-- portrule = shortport.ssh + +ssh = port_or_service(LIKELY_SSH_PORTS, LIKELY_SSH_SERVICES) --- Return a portrule that returns true when given an open port matching a port range -- diff --git a/scripts/ssh-auth-methods.nse b/scripts/ssh-auth-methods.nse index 61249eb93..dd6621334 100644 --- a/scripts/ssh-auth-methods.nse +++ b/scripts/ssh-auth-methods.nse @@ -26,7 +26,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"auth", "intrusive"} local username = stdnse.get_script_args("ssh.user") or rand.random_alpha(5) -portrule = shortport.port_or_service(22, 'ssh') +portrule = shortport.ssh function action (host, port) local result = stdnse.output_table() diff --git a/scripts/ssh-brute.nse b/scripts/ssh-brute.nse index f71b09f62..d5f26a0a0 100644 --- a/scripts/ssh-brute.nse +++ b/scripts/ssh-brute.nse @@ -31,7 +31,7 @@ categories = { 'intrusive', } -portrule = shortport.port_or_service(22, 'ssh') +portrule = shortport.ssh local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or "5s" diff --git a/scripts/ssh-hostkey.nse b/scripts/ssh-hostkey.nse index 042d96691..5b5069777 100644 --- a/scripts/ssh-hostkey.nse +++ b/scripts/ssh-hostkey.nse 
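Review bot: The comment above `LIKELY_SSH_SERVICES`, `-- This part isn't really necessary, since -sV will reliably detect SSH`, explains the wrong list: under `-sV` the service names are exactly what lets the rule match SSH on an unlisted port, whereas the numeric list is what fires when no version scan was run, and then the match is by port number alone, so some non-SSH listeners on 2382, 55554 or 22222 (none of which is registered to SSH as far as I know) will be matched. I would move that reasoning onto the port list: `-- Only decisive when the port's service is unknown (no -sV): matches by number alone,` / `-- so expect some non-SSH hits on these ports. With -sV the service names below match.` Two smaller points I cannot settle from the hunk: the new doc block opens with `-- A portrule` (two dashes) while the neighbouring `--- Return a portrule` block uses the NSEdoc triple dash, so check it is actually picked up by the doc generator; and `port_or_service` is called without protocol or state arguments, so whether the numeric list is limited to open TCP ports depends on that function's defaults, which are outside this hunk.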
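Review bot: `portrule = shortport.ssh` makes this intrusive script fire on 2222, 55554, 22222, 2382 and 830 by port number whenever the scan ran without `-sV`, and nothing in the hunk shows the action confirming an SSH identification string before it starts guessing; the rest of ssh-brute is outside the hunk, so whether the driver fails fast on a non-SSH listener or keeps retrying until `ssh-brute.timeout` I cannot tell from here. The script description should state that without `-sV` the match is by port number only, and the action could guard cheaply by checking the service name recorded on the port table or the server's version banner before entering the brute loop, if the driver does not already do so. Of the listed ports, 2382 in particular is registered to a non-SSH service in the port lists I know, so that guard is not academic.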
@@ -139,7 +139,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"safe","default","discovery"} -portrule = shortport.port_or_service(22, "ssh") +portrule = shortport.ssh postrule = function() return (nmap.registry.sshhostkey ~= nil) end diff --git a/scripts/ssh-publickey-acceptance.nse b/scripts/ssh-publickey-acceptance.nse index db903223b..a006325ed 100644 --- a/scripts/ssh-publickey-acceptance.nse +++ b/scripts/ssh-publickey-acceptance.nse @@ -46,7 +46,7 @@ local usernames = stdnse.get_script_args "ssh.usernames" local knownbad = stdnse.get_script_args "knownbad" local publickeys = stdnse.get_script_args "ssh.publickeys" local publickeydb = stdnse.get_script_args "publickeydb" or nmap.fetchfile("nselib/data/publickeydb") -portrule = shortport.port_or_service(22, 'ssh') +portrule = shortport.ssh function action (host, port) local result = stdnse.output_table() diff --git a/scripts/ssh-run.nse b/scripts/ssh-run.nse index 16522fc32..e91fdbefe 100644 --- a/scripts/ssh-run.nse +++ b/scripts/ssh-run.nse @@ -43,7 +43,7 @@ categories = { 'intrusive', } -portrule = shortport.port_or_service(22, 'ssh') +portrule = shortport.ssh local username = stdnse.get_script_args 'ssh-run.username' local cmd = stdnse.get_script_args 'ssh-run.cmd' diff --git a/scripts/ssh2-enum-algos.nse b/scripts/ssh2-enum-algos.nse index 1830c0b44..e634f62ee 100644 --- a/scripts/ssh2-enum-algos.nse +++ b/scripts/ssh2-enum-algos.nse @@ -103,7 +103,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"safe", "discovery"} -portrule = shortport.port_or_service(22, "ssh") +portrule = shortport.ssh -- Build onto lists{} and possibly modify parsed{} based on whether the -- algorithm name-lists are identical between the server-to-client and diff --git a/scripts/sshv1.nse b/scripts/sshv1.nse index b285cb698..260b2c7cd 100644 --- a/scripts/sshv1.nse +++ b/scripts/sshv1.nse 
@@ -19,7 +19,7 @@ categories = {"default", "safe"} -- true -portrule = shortport.port_or_service(22, "ssh") +portrule = shortport.ssh action = function(host, port) local socket = nmap.new_socket()
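Review bot: sshv1 is in the `default` category, so after this change a plain `-sC` scan with no `-sV` opens its socket (the `nmap.new_socket()` right after the portrule) against anything listening on 2222, 55554, 22222, 2382 or 830, not only on 22 as before; `action` continues outside the hunk, so I cannot see how it copes with a listener that never sends an SSH identification string. Worth a sentence in the script description: `-- Without -sV the port rule matches by port number alone (see shortport.ssh), so the probe may also reach non-SSH services on those ports.` If the read path has no timeout of its own, that is the other place to look.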