1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local sslcert = require "sslcert"
local tls = require "tls"
description = [[
Enumerates a TLS server's supported protocols by using the next protocol
negotiation extension.
This works by adding the next protocol negotiation extension in the client
hello packet and parsing the returned server hello's NPN extension data.
For more information, see:
* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-03
]]
---
-- @usage
-- nmap --script=tls-nextprotoneg <targets>
--
--@output
-- 443/tcp open https
-- | tls-nextprotoneg:
-- | spdy/3
-- | spdy/2
-- |_ http/1.1
--
-- @xmloutput
-- <elem>spdy/4a4</elem>
-- <elem>spdy/3.1</elem>
-- <elem>spdy/3</elem>
-- <elem>http/1.1</elem>
author = "Hani Benhabiles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe", "default"}
dependencies = {"https-redirect"}
portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
--- Function that sends a client hello packet with the TLS NPN extension to the
-- target host and returns the response
--@args host The target host table.
--@args port The target port table.
--@return status true if response, false else.
--@return response if status is true.
local client_hello = function(host, port)
local sock, status, response, err, cli_h
cli_h = tls.client_hello({
-- TLSv1.3 does not send this extension plaintext.
-- TODO: implement key exchange crypto to retrieve encrypted extensions
protocol = "TLSv1.2",
["extensions"] = {
["next_protocol_negotiation"] = "",
},
})
-- Connect to the target server
local status, err
local sock
local specialized = sslcert.getPrepareTLSWithoutReconnect(port)
if specialized then
status, sock = specialized(host, port)
if not status then
stdnse.debug1("Connection to server failed: %s", sock)
return false
end
else
sock = nmap.new_socket()
status, err = sock:connect(host, port)
if not status then
stdnse.debug1("Connection to server failed: %s", err)
return false
end
end
sock:set_timeout(5000)
-- Send Client Hello to the target server
status, err = sock:send(cli_h)
if not status then
stdnse.debug1("Couldn't send: %s", err)
sock:close()
return false
end
-- Read response
status, response, err = tls.record_buffer(sock)
if not status then
stdnse.debug1("Couldn't receive: %s", err)
sock:close()
return false
end
return true, response
end
--- Function that checks for the returned protocols to a npn extension request.
--@args response Response to parse.
--@return results List of found protocols.
local check_npn = function(response)
local i, record = tls.record_read(response, 1)
if record == nil then
stdnse.debug1("Unknown response from server")
return nil
end
if record.type == "handshake" and record.body[1].type == "server_hello" then
if record.body[1].extensions == nil then
stdnse.debug1("Server does not support TLS NPN extension.")
return nil
end
local results = {}
local npndata = record.body[1].extensions["next_protocol_negotiation"]
if npndata == nil then
stdnse.debug1("Server does not support TLS NPN extension.")
return nil
end
-- Parse data
i = 1
local protocol
while i <= #npndata do
protocol, i = string.unpack(">s1", npndata, i)
table.insert(results, protocol)
end
if next(results) then
return results
else
stdnse.debug1("Server supports TLS NPN extension, but no protocols were offered.")
return "<empty>"
end
else
stdnse.debug1("Server response was not server_hello")
return nil
end
end
action = function(host, port)
local status, response
-- Send crafted client hello
status, response = client_hello(host, port)
if status and response then
-- Analyze response
local results = check_npn(response)
return results
end
end
|
