Vulners
Lucene search
ssl-date NSE Script
| Reporter | Title | Published | Views | Family All 998 |
|---|---|---|---|---|
 | Exploit for Code Injection in Samba | 2 Dec 202509:55 | – | githubexploit |
| Exploit for Code Injection in Samba | 25 May 201713:20 | – | githubexploit |
| Exploit for Code Injection in Samba | 15 May 202106:52 | – | githubexploit |
| Exploit for Code Injection in Samba | 30 May 201715:08 | – | githubexploit |
| Exploit for Code Injection in Samba | 25 May 201713:20 | – | githubexploit |
| Exploit for CVE-2017-0143 | 16 May 201719:34 | – | githubexploit |
| Exploit for Code Injection in Samba | 9 May 202102:32 | – | githubexploit |
| Exploit for Code Injection in Samba | 5 Jun 201716:25 | – | githubexploit |
| Exploit for Code Injection in Samba | 26 May 201700:58 | – | githubexploit |
| Exploit for Code Injection in Samba | 1 Nov 202223:17 | – | githubexploit |
10
local shortport = require "shortport"
local stdnse = require "stdnse"
local math = require "math"
local nmap = require "nmap"
local os = require "os"
local string = require "string"
local sslcert = require "sslcert"
local tls = require "tls"
local datetime = require "datetime"
description = [[
Retrieves a target host's time and date from its TLS ServerHello response.
In many TLS implementations, the first four bytes of server randomness
are a Unix timestamp. The script will test whether this is indeed true
and report the time only if it passes this test.
Original idea by Jacob Appelbaum and his TeaTime and tlsdate tools:
* https://github.com/ioerror/TeaTime
* https://github.com/ioerror/tlsdate
]]
---
-- @usage
-- nmap <target> --script=ssl-date
--
-- @output
-- PORT STATE SERVICE REASON
-- 5222/tcp open xmpp-client syn-ack
-- |_ssl-date: 2012-08-02T18:29:31Z; +4s from local time.
--
-- @xmloutput
-- <elem key="date">2012-08-02T18:29:31+00:00</elem>
-- <elem key="delta">4</elem>
author = {"Aleksandar Nikolic", "nnposter"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe", "default"}
dependencies = {"https-redirect"}
portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
-- Miscellaneous script-wide constants
local conn_timeout = 5 -- connection timeout (seconds)
local max_clock_skew = 90*60 -- maximum acceptable difference between target
-- and scanner clocks to avoid additional
-- testing (seconds)
local max_clock_jitter = 5 -- maximum acceptable target clock jitter
-- Logically should be 50-100% of conn_timeout
-- (seconds)
local detail_debug = 2 -- debug level for printing detailed steps
--- Function that sends a client hello packet
-- target host and returns the response
--@args host The target host table.
--@args port The target port table.
--@return status true if response, false else.
--@return response if status is true.
local client_hello = function(host, port)
local sock, status, response, err, cli_h
-- Craft Client Hello
cli_h = tls.client_hello()
-- Connect to the target server
local specialized_function = sslcert.getPrepareTLSWithoutReconnect(port)
if not specialized_function then
sock = nmap.new_socket()
sock:set_timeout(1000 * conn_timeout)
status, err = sock:connect(host, port)
if not status then
sock:close()
stdnse.debug("Can't connect: %s", err)
return false
end
else
status,sock = specialized_function(host,port)
if not status then
return false
end
end
repeat -- only once
-- Send Client Hello to the target server
status, err = sock:send(cli_h)
if not status then
stdnse.debug("Couldn't send: %s", err)
break
end
-- Read response
status, response, err = tls.record_buffer(sock)
if not status then
stdnse.debug("Couldn't receive: %s", err)
break
end
until true
sock:close()
return status, response
end
-- extract time from ServerHello response
local extract_time = function(response)
local i, record = tls.record_read(response, 1)
if record == nil then
stdnse.debug("Unknown response from server")
return nil
end
if record.type == "handshake" then
for _, body in ipairs(record.body) do
if body.type == "server_hello" then
return true, body.time
end
end
end
stdnse.debug("Server response was not server_hello")
return nil
end
---
-- Retrieve a timestamp from a TLS port and compare it to the scanner clock
--
-- @param host TLS host
-- @param port TLS port
-- @return Timestamp sample object or nil (if the operation failed)
local get_time_sample = function (host, port)
-- Send crafted client hello
local rstatus, response = client_hello(host, port)
local stm = os.time()
if not (rstatus and response) then return nil end
-- extract time from response
local tstatus, ttm = extract_time(response)
if not tstatus then return nil end
stdnse.debug(detail_debug, "TLS sample: %s", datetime.format_timestamp(ttm, 0))
return {target=ttm, scanner=stm, delta=os.difftime(ttm, stm)}
end
local result = { STAGNANT = "stagnant",
ACCEPTED = "accepted",
REJECTED = "rejected" }
---
-- Obtain a new timestamp sample and validate it against a reference sample
--
-- @param host TLS host
-- @param port TLS port
-- @param reftm Reference timestamp sample
-- @return Result code
-- @return New timestamp sample object or nil (if the operation failed)
local test_time_sample = function (host, port, reftm)
local tm = get_time_sample(host, port)
if not tm then return nil end
local tchange = os.difftime(tm.target, reftm.target)
local schange = os.difftime(tm.scanner, reftm.scanner)
local status =
-- clock cannot run backwards or drift rapidly
(tchange < 0 or math.abs(tchange - schange) > max_clock_jitter)
and result.REJECTED
-- the clock did not advance
or tchange == 0
and result.STAGNANT
-- plausible enough
or result.ACCEPTED
stdnse.debug(detail_debug, "TLS sample verdict: %s", status)
return status, tm
end
action = function(host, port)
local tm = get_time_sample(host, port)
if not tm then
return stdnse.format_output(false, "Unable to obtain data from the target")
end
if math.abs(tm.delta) > max_clock_skew then
-- The target clock differs substantially from the scanner
-- Let's take another sample to eliminate cases where the TLS field
-- contains either random or fixed data instead of the timestamp
local reftm = tm
local status
status, tm = test_time_sample(host, port, reftm)
if status and status == result.STAGNANT then
-- The target clock did not advance between the two samples (reftm, tm)
-- Let's wait long enough for the target clock to advance
-- and then re-take the second sample
stdnse.sleep(1.1)
status, tm = test_time_sample(host, port, reftm)
end
if not status then
return nil
end
if status ~= result.ACCEPTED then
return {}, "TLS randomness does not represent time"
end
end
datetime.record_skew(host, tm.target, tm.scanner)
local output = {
date = datetime.format_timestamp(tm.target, 0),
delta = tm.delta,
}
return output,
string.format("%s; %s from scanner time.", output.date,
datetime.format_difftime(os.date("!*t", tm.target),
os.date("!*t", tm.scanner)))
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jul 2021 20:01Current
0.2Low risk
Vulners AI Score0.2
EPSS0.94176