tls-extended-random.nse

## tls-extended-random.nse
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local bin = require "bin"
local tls = require "tls"

description = [[
Checks for server support of the Extended Random TLS extension, which was
allegedly created to make exploitation of the Dual EC DRBG weakness easier. The
extension was never widely adopted, and IANA did not assign an ExtensionType
number, but the RSA BSAFE library uses 0x0028 for this purpose. Note that if
this extension number is used for some other purpose, it is possible that this
script will return a false-positive.

References:
* http://tools.ietf.org/html/draft-rescorla-tls-extended-random-02
* https://developer-content.emc.com/docs/rsashare/share_for_c/1.1/api_guide/group___t_l_s___e_x_t___t_y_p_e.html
* https://projectbullrun.org/dual-ec/ext-rand.html
]]

---
-- @usage
-- nmap --script=tls-extended-random <targets>
--
--@output
-- 443/tcp open  https
-- |_tls-extended-random: Supported.
--
-- @xmloutput
-- <elem>true</elem>


author = "Daniel Miller"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"discovery", "safe"}

portrule = shortport.ssl

local RANDDATA = "DUAL_EC DRBG YO!"
--- Function that sends a client hello packet with the TLS Extended Random extension to the
-- target host and returns the response
--@args host The target host table.
--@args port The target port table.
--@return status true if response, false else.
--@return response if status is true.
local client_hello = function(host, port)
  local sock, status, response, err, cli_h

  cli_h = tls.client_hello({
    ["protocol"] = "TLSv1.0",
    ["ciphers"] = {
      "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_RSA_WITH_RC4_128_MD5",
    },
    ["compressors"] = {"NULL"},
    ["extensions"] = {
      [0x0028] = bin.pack(">P", RANDDATA)
    },
  })

  -- Connect to the target server
  sock = nmap.new_socket()
  sock:set_timeout(5000)
  status, err = sock:connect(host, port)
  if not status then
    sock:close()
    stdnse.print_debug("Can't send: %s", err)
    return false
  end

  -- Send Client Hello to the target server
  status, err = sock:send(cli_h)
  if not status then
    stdnse.print_debug("Couldn't send: %s", err)
    sock:close()
    return false
  end

  -- Read response
  status, response, err = tls.record_buffer(sock)
  if not status then
    stdnse.print_debug("Couldn't receive: %s", err)
    sock:close()
    return false
  end

  return true, response
end

--- Function that checks for the response to a Extended Random extension request.
--@args response Response to parse.
--@return results The random data generated by the server, or nil if the extension is not supported
  local check_rand = function(response)
  local i, record = tls.record_read(response, 0)
  if record == nil then
    stdnse.print_debug("%s: Unknown response from server", SCRIPT_NAME)
    return nil
  end

  if record.type == "handshake" and record.body[1].type == "server_hello" then
    if record.body[1].extensions == nil then
      stdnse.print_debug("%s: Server does not support TLS Extended Random extension.", SCRIPT_NAME)
      return nil
    end
    local randdata = record.body[1].extensions[0x0028]
    if randdata == nil then
      stdnse.print_debug("%s: Server does not support TLS Extended Random extension.", SCRIPT_NAME)
      return nil
    end
    -- Parse data
    local _, results = bin.unpack(">P", randdata, 0)

    return results
  else
    stdnse.print_debug("%s: Server response was not server_hello", SCRIPT_NAME)
    return nil
  end
end

action = function(host, port)
  local status, response

  -- Send crafted client hello
  status, response = client_hello(host, port)
  if status and response then
    -- Analyze response
    local results = check_rand(response)
    if results then --#results == #RANDDATA then
      return true, "Supported."
    end
  end
  return nil
end