Monday, July 13, 2015

Checking Server Cipher Suites with Nmap

Ok, one more blog on cipher suites and then I'm finished (for a while!). Last night I was reading  Testing for Weak SSL/TLS Ciphers on the OWASP site and found an nmap script that gives you a quick and dirty way to check ciphers. One advantage over cipherscan is that nmap runs on almost every OS.

I ran the script against the same servers as in the cipherscan blog. You can see that you don't get quite as much information but if you updating your server's list of ciphers or inspecting a new version of IOS you get enough and it's pretty quick. Notice that you can test any port. In the OWASP example they were testing a mail server so they included smtps, imaps and pop3s ports.

Here is nmap running against my ISE server. The scan took 1.53 seconds:

1S1K-930:~ mhubbard$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 192.168.10.21

Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-13 18:48 PDT
Nmap scan report for 192.168.10.21
Host is up (0.00091s latency).
PORT    STATE    SERVICE
443/tcp open     https
| ssl-cert: Subject: commonName=RANISE01.pu.pri
| Issuer: commonName=ProgrammingUnlimited
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-07-12T02:38:27+00:00
| Not valid after:  2017-07-11T02:38:27+00:00
| MD5:   fab4 235e fa7d 9f4a d10a 6b24 9764 0cdd
|_SHA-1: 539e 2a03 14b3 c265 1e41 ebf9 c987 77e5 8d63 783c
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
465/tcp filtered smtps
993/tcp filtered imaps
995/tcp filtered pop3s


Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
*****************************************

Here is the HP OfficeJet Pro 8600. The scan took .75 seconds.
1S1K-930:~ mhubbard$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 192.168.10.239

Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-13 18:39 PDT
Nmap scan report for 192.168.10.239
Host is up (0.0015s latency).
PORT    STATE  SERVICE
443/tcp open   https
| ssl-cert: Subject: commonName=HP6544E8/organizationName=HP/stateOrProvinceName=Washington/countryName=US
| Issuer: commonName=HP6544E8/organizationName=HP/stateOrProvinceName=Washington/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-08-28T13:09:39+00:00
| Not valid after:  2034-08-23T13:09:39+00:00
| MD5:   ac97 99b1 8ed9 b0c5 8d38 fcb4 764e f4dd
|_SHA-1: 982e ea57 c19c 6cde 38bc f9eb 523f 274e f837 dc93
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak
465/tcp closed smtps
993/tcp closed imaps

995/tcp closed pop3s

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds
*****************************************

And finally mail.google.com. Notice that the smtps, imaps and pop3s are filtered. You have to have a gmail account and set it specifically before you can use "The less secure Protocols" like imaps. This scan was much larger and took 85 seconds.


C:\Windows\system32>nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 mail.google.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-12 21:02 Pacific Daylight Time
Nmap scan report for mail.google.com (173.194.219.18)
Host is up (0.0090s latency).
Other addresses for mail.google.com (not scanned): 173.194.219.17 173.194.219.83 173.194.219.19
rDNS record for 173.194.219.18: ya-in-f18.1e100.net
PORT    STATE    SERVICE
443/tcp open     https
| ssl-cert: Subject: commonName=mail.google.com/organizationName=Google Inc/stateOrProvinceName=California/countryName=US
| Issuer: commonName=Google Internet Authority G2/organizationName=Google Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-07-01T19:53:43+00:00
| Not valid after:  2015-09-28T23:00:00+00:00
| MD5:   1b61 b9fb ee8c 6735 f5bf 414b 5b8a ce81
|_SHA-1: b434 c59a 0926 b380 d4d2 8002 0870 4ee5 87e1 1945
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
465/tcp filtered smtps
993/tcp filtered imaps
995/tcp filtered pop3s

Nmap done: 1 IP address (1 host up) scanned in 84.99 seconds

References

ssl-enum-ciphers man page
ssl-cert man page
NMAP Scripts page - There are 498 scripts on the nmap site!  If you need a script and can't find one on the nmap site you can google the protocol and nmap.

Recently I was investigating a Linksys router that a friend bought. I googled nmap and HNAP and found a script that locates routers running the Home Network Administration Protocol. Another example, HD Moore has an enhanced version of the nmap banner script called banner-plus on github.
More on HNAP - What is it, How to Use it, How to Find it

1 comment:

  1. Checking server cipher suites with Nmap is an essential step for ensuring secure connections. If you're also into gaming, using XIV Launcher can enhance your experience while securing your server setup. It’s a great tool for managing mods and optimizing your gaming environment!

    ReplyDelete