mirror of
https://github.com/nmap/nmap.git
synced 2025-12-07 13:11:28 +00:00
3c89e089fc
socket:connect(host.ip, port.number) socket:connect(host.ip, port.number, port.protocol) to this: socket:connect(host, port) connect can take host and port tables now, and the default protocol is taken from the port table if possible.
249 lines
7.7 KiB
Lua
249 lines
7.7 KiB
Lua
description = [[
|
|
Retrieves a server's SSL certificate. The amount of information printed
|
|
about the certificate depends on the verbosity level. With no extra
|
|
verbosity, the script prints the validity period and the commonName,
|
|
organizationName, stateOrProvinceName, and countryName of the subject.
|
|
|
|
<code>
|
|
443/tcp open https
|
|
| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\
|
|
/stateOrProvinceName=California/countryName=US
|
|
| Not valid before: 2009-05-28 00:00:00
|
|
|_ Not valid after: 2010-05-01 23:59:59
|
|
</code>
|
|
|
|
With <code>-v</code> it adds the issuer name and fingerprints.
|
|
|
|
<code>
|
|
443/tcp open https
|
|
| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\
|
|
/stateOrProvinceName=California/countryName=US
|
|
| Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\
|
|
/organizationName=VeriSign, Inc./countryName=US
|
|
| Not valid before: 2009-05-28 00:00:00
|
|
| Not valid after: 2010-05-01 23:59:59
|
|
| MD5: c5b8 7ddd ccc7 537f 8861 b476 078d e8fd
|
|
|_ SHA-1: dc5a cb8b 9eb9 b5de 7117 c536 8c15 0e75 ba88 702e
|
|
</code>
|
|
|
|
With <code>-vv</code> it adds the PEM-encoded contents of the entire
|
|
certificate.
|
|
|
|
<code>
|
|
443/tcp open https
|
|
| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\
|
|
/stateOrProvinceName=California/countryName=US/serialNumber=3014267\
|
|
/1.3.6.1.4.1.311.60.2.1.3=US/streetAddress=2211 N 1st St\
|
|
/1.3.6.1.4.1.311.60.2.1.2=Delaware/postalCode=95131-2021\
|
|
/localityName=San Jose/organizationalUnitName=Information Systems\
|
|
/2.5.4.15=V1.0, Clause 5.(b)
|
|
| Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\
|
|
/organizationName=VeriSign, Inc./countryName=US\
|
|
/organizationalUnitName=Terms of use at https://www.verisign.com/rpa (c)06
|
|
| Not valid before: 2009-05-28 00:00:00
|
|
| Not valid after: 2010-05-01 23:59:59
|
|
| MD5: c5b8 7ddd ccc7 537f 8861 b476 078d e8fd
|
|
| SHA-1: dc5a cb8b 9eb9 b5de 7117 c536 8c15 0e75 ba88 702e
|
|
| -----BEGIN CERTIFICATE-----
|
|
| MIIFxzCCBK+gAwIBAgIQX02QuADDB7CVjZdooVge+zANBgkqhkiG9w0BAQUFADCB
|
|
...
|
|
</code>
|
|
]]
|
|
|
|
---
|
|
-- @output
|
|
-- 443/tcp open https
|
|
-- | ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\
|
|
-- /stateOrProvinceName=California/countryName=US
|
|
-- | Not valid before: 2009-05-28 00:00:00
|
|
-- |_ Not valid after: 2010-05-01 23:59:59
|
|
|
|
author = "David Fifield"
|
|
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
|
|
categories = { "safe", "discovery" }
|
|
|
|
require("nmap")
|
|
require("nsedebug")
|
|
require("stdnse")
|
|
|
|
local stringify_name
|
|
local date_to_string
|
|
local table_find
|
|
local s
|
|
|
|
local LIKELY_SSL_PORTS = { 443, 465, 989, 990, 992, 993, 994, 995, 587, 8443 }
|
|
local STARTTLS_PORTS = { 25, 587 }
|
|
|
|
portrule = function(host, port)
|
|
return port.version.service_tunnel == "ssl"
|
|
or table_find(LIKELY_SSL_PORTS, port.number) or table_find(STARTTLS_PORTS, port.number)
|
|
end
|
|
|
|
action = function(host, port)
|
|
s = nmap.new_socket()
|
|
|
|
if table_find(STARTTLS_PORTS, port.number) then
|
|
local status = starttls_negotiate(host,port)
|
|
|
|
if not status then
|
|
return nil
|
|
end
|
|
else
|
|
local status, error = s:connect(host, port, "ssl")
|
|
|
|
if not status then
|
|
if nmap.verbosity() > 0 then
|
|
return error
|
|
else
|
|
return nil
|
|
end
|
|
end
|
|
|
|
end
|
|
|
|
local cert = s:get_ssl_certificate()
|
|
s:close()
|
|
|
|
local lines = {}
|
|
lines[#lines + 1] = "Subject: " .. stringify_name(cert.subject)
|
|
|
|
if nmap.verbosity() > 0 then
|
|
lines[#lines + 1] = "Issuer: " .. stringify_name(cert.issuer)
|
|
end
|
|
|
|
lines[#lines + 1] = "Not valid before: " ..
|
|
date_to_string(cert.validity.notBefore)
|
|
lines[#lines + 1] = "Not valid after: " ..
|
|
date_to_string(cert.validity.notAfter)
|
|
|
|
if nmap.verbosity() > 0 then
|
|
lines[#lines + 1] = "MD5: " .. stdnse.tohex(cert:digest("md5"), { separator = " ", group = 4 })
|
|
lines[#lines + 1] = "SHA-1: " .. stdnse.tohex(cert:digest("sha1"), { separator = " ", group = 4 })
|
|
end
|
|
|
|
if nmap.verbosity() > 1 then
|
|
lines[#lines + 1] = cert.pem
|
|
end
|
|
|
|
return stdnse.strjoin("\n", lines)
|
|
end
|
|
|
|
-- Find the index of a value in an array.
|
|
function table_find(t, value)
|
|
local i, v
|
|
for i, v in ipairs(t) do
|
|
if v == value then
|
|
return i
|
|
end
|
|
end
|
|
return nil
|
|
end
|
|
|
|
-- These are the subject/issuer name fields that will be shown, in this order,
|
|
-- without a high verbosity.
|
|
local NON_VERBOSE_FIELDS = { "commonName", "organizationName",
|
|
"stateOrProvinceName", "countryName" }
|
|
|
|
function stringify_name(name)
|
|
local fields = {}
|
|
local _, k, v
|
|
if not name then
|
|
return nil
|
|
end
|
|
for _, k in ipairs(NON_VERBOSE_FIELDS) do
|
|
v = name[k]
|
|
if v then
|
|
fields[#fields + 1] = string.format("%s=%s", k, v)
|
|
end
|
|
end
|
|
if nmap.verbosity() > 1 then
|
|
for k, v in pairs(name) do
|
|
-- Don't include a field twice.
|
|
if not table_find(NON_VERBOSE_FIELDS, k) then
|
|
if type(k) == "table" then
|
|
k = stdnse.strjoin(".", k)
|
|
end
|
|
fields[#fields + 1] = string.format("%s=%s", k, v)
|
|
end
|
|
end
|
|
end
|
|
return stdnse.strjoin("/", fields)
|
|
end
|
|
|
|
function date_to_string(date)
|
|
if not date then
|
|
return "MISSING"
|
|
end
|
|
if type(date) == "string" then
|
|
return string.format("Can't parse; string is \"%s\"", date)
|
|
else
|
|
return os.date("%Y-%m-%d %H:%M:%S", os.time(date))
|
|
end
|
|
end
|
|
|
|
function starttls_negotiate(host, port)
|
|
-- Attempt to negotiate TLS over SMTP for services that support it
|
|
-- Works for SMTP (25) and SMTP Submission (587)
|
|
|
|
-- Open a standard TCP socket
|
|
local status, error = s:connect(host, port, "tcp")
|
|
|
|
if not status then
|
|
return nil
|
|
else
|
|
|
|
-- Loop until the service presents a banner to deal with server
|
|
-- load and timing issues. There may be a better way to handle this.
|
|
local i = 0
|
|
repeat
|
|
status, resultEHLO = s:receive_lines(1)
|
|
i = i + 1
|
|
until string.match(resultEHLO, "^220") or i == 5
|
|
|
|
-- Send EHLO because the the server expects it
|
|
-- We are not going to check for STARTTLS in the capabilities
|
|
-- list, sometimes it is not advertised.
|
|
local query = "EHLO example.org\r\n"
|
|
status = s:send(query)
|
|
status, resultEHLO = s:receive_lines(1)
|
|
|
|
if not (string.match(resultEHLO, "^250")) then
|
|
stdnse.print_debug("1","%s",resultEHLO)
|
|
stdnse.print_debug("1","EHLO with errors or timeout. Enable --script-trace to see what is happening.")
|
|
return nil
|
|
end
|
|
|
|
resultEHLO = ""
|
|
|
|
-- Send STARTTLS command ask the service to start encryption
|
|
local query = "STARTTLS\r\n"
|
|
status = s:send(query)
|
|
status, resultEHLO = s:receive_lines(1)
|
|
|
|
if not (string.match(resultEHLO, "^220")) then
|
|
stdnse.print_debug("1","%s",resultEHLO)
|
|
stdnse.print_debug("1","STARTTLS failed or unavailable. Enable --script-trace to see what is happening.")
|
|
|
|
-- Send QUIT to clean up server side connection
|
|
local query = "QUIT\r\n"
|
|
status = s:send(query)
|
|
resultEHLO = ""
|
|
|
|
return nil
|
|
end
|
|
|
|
-- Service supports STARTTLS, tell NSE start SSL negotiation
|
|
status, error = s:reconnect_ssl()
|
|
if not status then
|
|
stdnse.print_debug("1","Could not establish SSL session after STARTTLS command.")
|
|
s:close()
|
|
return nil
|
|
end
|
|
|
|
end
|
|
-- Should have a solid TLS over SMTP session now...
|
|
return "Connected"
|
|
end
|