New, broader portrule for SSH scripts. Closes #1825

CHANGELOG

@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on
+  empirical data from Shodan.io, as well as the netconf-ssh service.
+  [Lim Shi Min Jonathan, Daniel Miller]
+
 o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
   desktop in macOS. [Roland Linder]
 

nselib/shortport.lua

@@ -292,6 +292,35 @@ function ssl(host, port)
   return false
 end
 
+local LIKELY_SSH_PORTS = {
+  -- Top ssh ports on shodanhq.com
+  22,
+  2222,
+  55554,
+  --666, -- 86% SSH, but we'd like to be more certain.
+  22222,
+  2382,
+  -- And others reported by users
+  830, -- netconf-ssh
+}
+
+-- This part isn't really necessary, since -sV will reliably detect SSH
+local LIKELY_SSH_SERVICES = {
+  'ssh', 'netconf-ssh'
+}
+
+-- A portrule that matches likely SSH services.
+--
+-- @name ssh
+-- @class function
+-- @param host The host table to match against.
+-- @param port The port table to match against.
+-- @return <code>true</code> if the port is likely to be SSH,
+-- <code>false</code> otherwise.
+-- @usage
+-- portrule = shortport.ssh
+
+ssh = port_or_service(LIKELY_SSH_PORTS, LIKELY_SSH_SERVICES)
 
 --- Return a portrule that returns true when given an open port matching a port range
 --

scripts/ssh-auth-methods.nse

@@ -26,7 +26,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"auth", "intrusive"}
 
 local username = stdnse.get_script_args("ssh.user") or rand.random_alpha(5)
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
 
 function action (host, port)
   local result = stdnse.output_table()

scripts/ssh-brute.nse

@@ -31,7 +31,7 @@ categories = {
   'intrusive',
 }
 
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
 
 local arg_timeout = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or "5s"
 

scripts/ssh-hostkey.nse

@@ -139,7 +139,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"safe","default","discovery"}
 
 
-portrule = shortport.port_or_service(22, "ssh")
+portrule = shortport.ssh
 
 postrule = function() return (nmap.registry.sshhostkey ~= nil) end
 

scripts/ssh-publickey-acceptance.nse

@@ -46,7 +46,7 @@ local usernames = stdnse.get_script_args "ssh.usernames"
 local knownbad = stdnse.get_script_args "knownbad"
 local publickeys = stdnse.get_script_args "ssh.publickeys"
 local publickeydb = stdnse.get_script_args "publickeydb" or nmap.fetchfile("nselib/data/publickeydb")
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
 
 function action (host, port)
   local result = stdnse.output_table()

scripts/ssh-run.nse

@@ -43,7 +43,7 @@ categories = {
   'intrusive',
 }
 
-portrule = shortport.port_or_service(22, 'ssh')
+portrule = shortport.ssh
 
 local username = stdnse.get_script_args 'ssh-run.username'
 local cmd = stdnse.get_script_args 'ssh-run.cmd'

scripts/ssh2-enum-algos.nse

@@ -103,7 +103,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"safe", "discovery"}
 
 
-portrule = shortport.port_or_service(22, "ssh")
+portrule = shortport.ssh
 
 -- Build onto lists{} and possibly modify parsed{} based on whether the
 -- algorithm name-lists are identical between the server-to-client and

scripts/sshv1.nse

@@ -19,7 +19,7 @@ categories = {"default", "safe"}
 -- true
 
 
-portrule = shortport.port_or_service(22, "ssh")
+portrule = shortport.ssh
 
 action = function(host, port)
   local socket = nmap.new_socket()