Monday, July 13, 2015

Checking Server Cipher Suites with Nmap

Ok, one more blog on cipher suites and then I'm finished (for a while!). Last night I was reading Testing for Weak SSL/TLS Ciphers on the OWASP site and found an nmap script, ssl-enum-ciphers, that gives you a quick and dirty way to check which protocol versions and cipher suites a server will negotiate. One advantage over cipherscan is that nmap runs on almost every OS.

I ran the script against the same servers as in the cipherscan blog, with ssl-cert alongside it so you also get the certificate subject, issuer, key size and validity dates. You don't get quite as much information as from cipherscan, but if you are updating your server's list of ciphers or inspecting a new version of IOS it is enough, and it's quick. Notice that you can test any port. In the OWASP example they were testing a mail server, so they included the smtps, imaps and pop3s ports (465, 993 and 995) alongside 443. One caveat: the strong/weak label printed by this version of the script only rates individual cipher suites, and it is lenient by 2015 standards. It still calls RC4 and 3DES "strong", and it says nothing about the fact that SSLv3 (POODLE) is enabled at all, so read the protocol list yourself rather than trusting "least strength: strong". Later nmap releases replaced the label with a letter grade.

Here is nmap running against my ISE server. The scan took 1.53 seconds:

1S1K-930:~ mhubbard$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 192.168.10.21

Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-13 18:48 PDT
Nmap scan report for 192.168.10.21
Host is up (0.00091s latency).
PORT    STATE    SERVICE
443/tcp open     https
| ssl-cert: Subject: commonName=RANISE01.pu.pri
| Issuer: commonName=ProgrammingUnlimited
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-07-12T02:38:27+00:00
| Not valid after:  2017-07-11T02:38:27+00:00
| MD5:   fab4 235e fa7d 9f4a d10a 6b24 9764 0cdd
|_SHA-1: 539e 2a03 14b3 c265 1e41 ebf9 c987 77e5 8d63 783c
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
465/tcp filtered smtps
993/tcp filtered imaps
995/tcp filtered pop3s


Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
*****************************************

Here is the HP OfficeJet Pro 8600. The scan took 0.75 seconds:

1S1K-930:~ mhubbard$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 192.168.10.239

Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-13 18:39 PDT
Nmap scan report for 192.168.10.239
Host is up (0.0015s latency).
PORT    STATE  SERVICE
443/tcp open   https
| ssl-cert: Subject: commonName=HP6544E8/organizationName=HP/stateOrProvinceName=Washington/countryName=US
| Issuer: commonName=HP6544E8/organizationName=HP/stateOrProvinceName=Washington/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-08-28T13:09:39+00:00
| Not valid after:  2034-08-23T13:09:39+00:00
| MD5:   ac97 99b1 8ed9 b0c5 8d38 fcb4 764e f4dd
|_SHA-1: 982e ea57 c19c 6cde 38bc f9eb 523f 274e f837 dc93
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak
465/tcp closed smtps
993/tcp closed imaps
995/tcp closed pop3s

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds
*****************************************
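Because the strong/weak label in this version of the script is so lenient (the OfficeJet scan above gets RC4 and 3DES marked "strong" and SSLv3 is not called out at all), it is worth applying your own policy to the output. What follows is an added example, not part of the original post and not code from Nmap: a small Python parser for the normal output of ssl-cert and ssl-enum-ciphers that flags SSLv3, single DES, RC4, 3DES, MD5 MACs, TLS compression, certificate keys shorter than 2048 bits and suites without forward secrecy. The embedded sample is a constructed, abridged copy of the OfficeJet scan above; the rule table and the severities are my own choices, not anything Nmap defines.

```python
# Added example (not from the original post or from Nmap): apply a stricter
# policy to the normal output of `nmap --script ssl-cert,ssl-enum-ciphers`.
import re
from collections import namedtuple

# Constructed sample: an abridged copy of the OfficeJet scan shown on this page.
SAMPLE_OUTPUT = """\
PORT    STATE  SERVICE
443/tcp open   https
| ssl-cert: Subject: commonName=HP6544E8/organizationName=HP
| Public Key bits: 1024
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|_  least strength: weak
465/tcp closed smtps
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+\S+\s+\S+")
PROTO_RE = re.compile(r"^\|\s+(SSLv2|SSLv3|TLSv1\.[0-3]):")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+\w+")
KEYBITS_RE = re.compile(r"^\|\s+Public Key bits:\s+(\d+)")

# My own rule table, not Nmap's: the first pattern matching a suite name wins.
CIPHER_RULES = [
    (r"_(NULL|EXPORT|anon)_", "high", "no encryption, export grade or anonymous key exchange"),
    (r"_DES_CBC_", "high", "single DES, 56-bit key"),
    (r"RC4", "high", "RC4, prohibited for TLS by RFC 7465"),
    (r"3DES", "medium", "3DES, 64-bit block size (SWEET32)"),
    (r"_MD5$", "medium", "MD5-based MAC"),
    (r"^TLS_RSA_WITH_", "info", "static RSA key exchange, no forward secrecy"),
]
SEVERITIES = ("high", "medium", "info")
Finding = namedtuple("Finding", "port proto item severity reason")


def parse_scan(text):
    """Parse Nmap normal output into {port: {"key_bits": int|None, "protos": {...}}}."""
    scan, port, proto, section = {}, None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        body = line.lstrip("|_ ")
        if m := PORT_RE.match(line):            # a new port line resets script state
            port = int(m.group(1))
            scan[port] = {"key_bits": None, "protos": {}}
            proto = section = None
        elif port is None or not line.startswith("|"):
            continue                            # banner, "Nmap done", blank lines
        elif m := KEYBITS_RE.match(line):
            scan[port]["key_bits"] = int(m.group(1))
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
            scan[port]["protos"][proto] = {"ciphers": [], "compressors": []}
            section = None
        elif body.startswith("least strength"):  # closes the ssl-enum-ciphers block
            proto = section = None
        elif proto is None:
            continue                            # other ssl-cert lines, other scripts
        elif body in ("ciphers:", "compressors:"):
            section = body[:-1]
        elif section == "ciphers" and (m := CIPHER_RE.match(line)):
            scan[port]["protos"][proto]["ciphers"].append(m.group(1))
        elif section == "compressors" and body:
            scan[port]["protos"][proto]["compressors"].append(body)
    return scan


def audit(scan):
    """Return a Finding for everything the policy objects to, worst first per port."""
    findings = []
    for port, info in scan.items():
        bits = info["key_bits"]
        if bits is not None and bits < 2048:
            findings.append(Finding(port, "-", f"RSA {bits}-bit", "high", "certificate key shorter than 2048 bits"))
        for proto, details in info["protos"].items():
            if proto in ("SSLv2", "SSLv3"):
                findings.append(Finding(port, proto, proto, "high", "legacy protocol enabled (SSLv3: POODLE)"))
            for suite in details["ciphers"]:
                for pattern, severity, reason in CIPHER_RULES:
                    if re.search(pattern, suite):
                        findings.append(Finding(port, proto, suite, severity, reason))
                        break
            for comp in details["compressors"]:
                if comp != "NULL":
                    findings.append(Finding(port, proto, comp, "medium", "TLS compression enabled (CRIME)"))
    return sorted(findings, key=lambda f: (f.port, SEVERITIES.index(f.severity), f.proto, f.item))


if __name__ == "__main__":
    for f in audit(parse_scan(SAMPLE_OUTPUT)):
        print(f"{f.port}/{f.proto:<8}{f.severity:<7}{f.item:<32}{f.reason}")
```

Run it as-is to see the sample graded, or save a real scan with nmap's -oN option and pass the file contents to parse_scan(). For anything scripted you would rather feed it nmap's XML output (-oX), which is a stable format, but the text parser is enough for a quick audit and shows how little the built-in label tells you: on the sample it reports five high findings where the script reported only one "weak" suite.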

And finally mail.google.com. Notice that smtps, imaps and pop3s show as filtered: Gmail serves those protocols from separate hostnames (imap.gmail.com, pop.gmail.com and smtp.gmail.com), and you also have to enable IMAP or POP in your Gmail account settings before you can use them. Note too that nmap resolved four addresses for mail.google.com but scanned only one of them, so this is the configuration of a single front end. This scan was much larger and took 85 seconds.


C:\Windows\system32>nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 mail.google.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-12 21:02 Pacific Daylight Time
Nmap scan report for mail.google.com (173.194.219.18)
Host is up (0.0090s latency).
Other addresses for mail.google.com (not scanned): 173.194.219.17 173.194.219.83 173.194.219.19
rDNS record for 173.194.219.18: ya-in-f18.1e100.net
PORT    STATE    SERVICE
443/tcp open     https
| ssl-cert: Subject: commonName=mail.google.com/organizationName=Google Inc/stateOrProvinceName=California/countryName=US
| Issuer: commonName=Google Internet Authority G2/organizationName=Google Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-07-01T19:53:43+00:00
| Not valid after:  2015-09-28T23:00:00+00:00
| MD5:   1b61 b9fb ee8c 6735 f5bf 414b 5b8a ce81
|_SHA-1: b434 c59a 0926 b380 d4d2 8002 0870 4ee5 87e1 1945
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
465/tcp filtered smtps
993/tcp filtered imaps
995/tcp filtered pop3s

Nmap done: 1 IP address (1 host up) scanned in 84.99 seconds

References

ssl-enum-ciphers man page
ssl-cert man page
NMAP Scripts page - There are 498 scripts on the nmap site!  If you need a script and can't find one on the nmap site you can google the protocol and nmap.

Recently I was investigating a Linksys router that a friend bought. I googled nmap and HNAP and found a script that locates routers running the Home Network Administration Protocol. Another example, HD Moore has an enhanced version of the nmap banner script called banner-plus on github.
More on HNAP - What is it, How to Use it, How to Find it
