Showing posts with label calomel. Show all posts

Sunday, July 12, 2015

Checking Browser Cipher Suites

My previous blog post showed you an easy way to check the cipher suites offered by a server. Now I will show you an easy way to check your browser's cipher suites.

The team at the "Distributed Computing & Security (DCSec) Research Group" of the Leibniz Universität Hannover has created a web page that pulls all of the cipher suites out of your browser: Cipher Suites Supported by Your Browser (ordered by preference). A big thank you to the team that created this site!

NOTE: the German site is no longer up. Please use Qualys.com instead:

Qualys Client Test


I wanted to see how bad IE6 on Windows XP really was, so I fired up my XP SP3 virtual machine and went to the site. Yikes, it's bad! My favorite cipher in the list is RC2 with a 40 bit key size!

I highlighted the connection that my browser made in red: SSL 3.0 with RC4 and SHA1. Well, at least it isn't vulnerable to BEAST!

For all of the corporate IT folks that have to run IE6 because of legacy applications, here are the results:

Spec      | Cipher Suite Name           | Key Size | Description
(00,04)   | RSA-RC4128-MD5              | 128 Bit  | Key exchange: RSA, encryption: RC4, MAC: MD5.
(00,05)   | RSA-RC4128-SHA              | 128 Bit  | Key exchange: RSA, encryption: RC4, MAC: SHA1.
(00,0a)   | RSA-3DES-EDE-SHA            | 168 Bit  | Key exchange: RSA, encryption: 3DES, MAC: SHA1.
(01,0080) | RC4128-MD5                  | 128 Bit  | Key exchange: RC4, encryption algorithm is unknown, MAC: MD5.
(07,00c0) | DES192-EDE3-MD5             | 168 Bit  | Key exchange: Data Encryption Standard (DES), encryption algorithm is unknown, MAC: MD5.
(03,0080) | RC2128-MD5                  | 128 Bit  | Key exchange: RC2, encryption algorithm is unknown, MAC: MD5.
(00,09)   | RSA-DES-SHA                 | 56 Bit   | Key exchange: RSA, encryption: DES, MAC: SHA1.
(06,0040) | DES64-MD5                   | 56 Bit   | Key exchange: Data Encryption Standard (DES), encryption algorithm is unknown, MAC: MD5.
(00,64)   | RSA-EXPORT1024-RC456-SHA    | 56 Bit   | Key exchange: RSA, encryption: RC4, MAC: SHA1.
(00,62)   | RSA-EXPORT1024-DES-SHA      | 56 Bit   | Key exchange: RSA, encryption: DES, MAC: SHA1.
(00,03)   | RSA-EXPORT-RC440-MD5        | 40 Bit   | Key exchange: RSA, encryption: RC4, MAC: MD5.
(00,06)   | RSA-EXPORT-RC2-CBC40-MD5    | 40 Bit   | Key exchange: RSA, encryption: RC2, MAC: MD5.
(02,0080) | RC4128-EXPORT40-MD5         | 40 Bit   | Key exchange: RC4, encryption algorithm is unknown, MAC: MD5.
(04,0080) | RC2128-EXPORT40-MD5         | 40 Bit   | Key exchange: RC2, encryption algorithm is unknown, MAC: MD5.
(00,13)   | DHE-DSS-3DES-EDE-SHA        | 168 Bit  | Key exchange: DH, encryption: 3DES, MAC: SHA1.
(00,12)   | DHE-DSS-DES-SHA             | 56 Bit   | Key exchange: DH, encryption: DES, MAC: SHA1.
(00,63)   | DHE-DSS-EXPORT1024-DES-SHA  | 56 Bit   | Key exchange: DH, encryption: DES, MAC: SHA1.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)
Preferred SSL/TLS version: SSLv3
SNI information: Your browser did not send SNI information.
SSL stack current time: The TLS stack of your browser did not send a time value.

This connection uses SSLv3 with RC4-SHA and a 128 Bit key for encryption.

Raw:
Version: 3.0
Ciphers: 04,05,0a,010080,0700c0,030080,09,060040,64,62,03,06,020080,040080,13,12,63
Extensions: The TLS stack of your browser did not send extensions.
Remote Time: The TLS stack of your browser did not send a time value.

This service is provided by the DCSEC research group at Leibniz University Hannover. Imprint
If you have any comments or questions please contact Sascha Fahl
***************************************

Next I went to the site with Firefox 39 on XP SP3 and the results were much different! Even running on XP SP3, Firefox offered modern cipher suites and none of the "Export Grade" suites that the Logjam attack exploits.

The connection negotiated was the latest TLSv1.2 with Elliptic Curve Diffie-Hellman Ephemeral key exchange, which gives Perfect Forward Secrecy, and SHA-256 for the MAC! Again, I highlighted the connection in red.
***************************************
Spec    | Cipher Suite Name              | Key Size | Description
(c0,2b) | ECDHE-ECDSA-AES128-GCM-SHA256  | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,2f) | ECDHE-RSA-AES128-GCM-SHA256    | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,0a) | ECDHE-ECDSA-AES256-SHA         | 256 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,09) | ECDHE-ECDSA-AES128-SHA         | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,13) | ECDHE-RSA-AES128-SHA           | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,14) | ECDHE-RSA-AES256-SHA           | 256 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(00,33) | DHE-RSA-AES128-SHA             | 128 Bit  | Key exchange: DH, encryption: AES, MAC: SHA1.
(00,39) | DHE-RSA-AES256-SHA             | 256 Bit  | Key exchange: DH, encryption: AES, MAC: SHA1.
(00,2f) | RSA-AES128-SHA                 | 128 Bit  | Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,35) | RSA-AES256-SHA                 | 256 Bit  | Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,0a) | RSA-3DES-EDE-SHA               | 168 Bit  | Key exchange: RSA, encryption: 3DES, MAC: SHA1.
Further information:
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101 Firefox/39.0
Preferred SSL/TLS version: TLSv1
SNI information: cc.dcsec.uni-hannover.de
SSL stack current time: The TLS stack of your browser did not send a time value.

This connection uses TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256 and a 128 Bit key for encryption.

Raw:
Version: 3.1
Ciphers: c02b,c02f,c00a,c009,c013,c014,33,39,2f,35,0a
Extensions: 0000,ff01,000a,000b,0023,3374,0010,0005,000d
Remote Time: The TLS stack of your browser did not send a time value.

***************************************

Next I tried my Samsung S5 running Google Chrome. To my surprise, it supported the latest cipher suites and offered no "Export Grade" ciphers.

***************************************
Spec    | Cipher Suite Name                     | Key Size | Description
(cc,14) | ECDHE-ECDSA-CHACHA20-POLY1305-SHA256  | 128 Bit  | Key exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256.
(cc,13) | ECDHE-RSA-CHACHA20-POLY1305-SHA256    | 128 Bit  | Key exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256.
(cc,15) | DHE-RSA-CHACHA20-POLY1305-SHA256      | 128 Bit  | Key exchange: DH, encryption: ChaCha20 Poly1305, MAC: SHA256.
(c0,2b) | ECDHE-ECDSA-AES128-GCM-SHA256         | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,2f) | ECDHE-RSA-AES128-GCM-SHA256           | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA256.
(00,9e) | DHE-RSA-AES128-GCM-SHA256             | 128 Bit  | Key exchange: DH, encryption: AES, MAC: SHA256.
(c0,0a) | ECDHE-ECDSA-AES256-SHA                | 256 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,14) | ECDHE-RSA-AES256-SHA                  | 256 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(00,39) | DHE-RSA-AES256-SHA                    | 256 Bit  | Key exchange: DH, encryption: AES, MAC: SHA1.
(c0,09) | ECDHE-ECDSA-AES128-SHA                | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,13) | ECDHE-RSA-AES128-SHA                  | 128 Bit  | Key exchange: ECDH, encryption: AES, MAC: SHA1.
(00,33) | DHE-RSA-AES128-SHA                    | 128 Bit  | Key exchange: DH, encryption: AES, MAC: SHA1.
(00,9c) | RSA-AES128-GCM-SHA256                 | 128 Bit  | Key exchange: RSA, encryption: AES, MAC: SHA256.
(00,35) | RSA-AES256-SHA                        | 256 Bit  | Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,2f) | RSA-AES128-SHA                        | 128 Bit  | Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,0a) | RSA-3DES-EDE-SHA                      | 168 Bit  | Key exchange: RSA, encryption: 3DES, MAC: SHA1.
(00,ff) | EMPTY-RENEGOTIATION-INFO-SCSV         | 0 Bit    | Used for secure renegotiation.
Further information:
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900V Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Preferred SSL/TLS version: TLSv1
SNI information: cc.dcsec.uni-hannover.de
SSL stack current time: The TLS stack of your browser did not send a time value.

This connection uses TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256 and a 128 Bit key for encryption.

***************************************
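What the Hannover page (and the Qualys client test) does on the server side is read the ClientHello your browser sends; the "Raw" sections above are that record's contents. Here is an added example, not code from that site, that parses a TLS ClientHello record into the same pieces (client version, suite ids in the browser's preference order, SNI) and builds a constructed sample hello so the parser can be run offline. It covers the TLS record format Firefox and Chrome sent; the IE6 report's 3-byte ids (010080, 0700c0) come from an SSLv2-compatible hello, which this parser does not handle.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Return client version, cipher suite ids (in the browser's order) and SNI from one ClientHello record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip client_version and the 32-byte random
    pos += 1 + body[pos]                          # session_id (length-prefixed)
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                          # compression_methods
    sni = None
    if pos < len(body):                           # extensions are optional; IE6 sent none
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                        # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": f"{client_ver >> 8}.{client_ver & 0xff}", "suites": suites, "sni": sni}

def build_client_hello(version: int, suites: list, sni: str = None) -> bytes:
    """Constructed sample ClientHello (all-zero random, no session) so the parser runs offline."""
    ext = b""
    if sni:
        name = sni.encode("ascii")
        entry = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(entry)) + entry
        ext = struct.pack("!H", len(ext)) + ext
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + ext                     # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

def raw_ids(suites: list) -> str:
    """Format suite ids the way the report's 'Raw: Ciphers:' line does (leading 00 dropped)."""
    return ",".join(h[2:] if h.startswith("00") else h for h in (f"{s:04x}" for s in suites))
```

`parse_client_hello(build_client_hello(0x0303, [0xc02b, 0xc02f, 0x000a], "cc.dcsec.uni-hannover.de"))` returns version 3.3, the three ids in that order and the SNI name, and `raw_ids` renders them as c02b,c02f,0a like the report does.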

Conclusions

  • Don't use IE6 for anything you don't have to!
  • Keep your browser updated. Firefox and Chrome especially are rapidly upgrading their cipher suites.
  • If you use Firefox, install the Calomel addon to quickly see what ciphers a connection is using.
  • If you are responsible for maintaining a web server, read the Mozilla Wiki on Server Side TLS and make sure you have the best cipher suites that your clients can use.
  • If you are responsible for a Windows IIS web server, use Steve Gibson's Ordered and Curated cipher suite list.
  • Read the Ars Technica article "Massive leak reveals Hacking Team's most private moments in messy detail" to see how dangerous the Internet really is.



Saturday, July 11, 2015

Checking Server Cipher Suites with Cipherscan

Unless you have been living under a rock for the last year, you have heard about the many flaws found in SSL: Heartbleed, Logjam, POODLE, etc.

And then there is the Ars Technica article on the breach at the infamous organization "The Hacking Team". Here is a disturbing paragraph from the article:

******************************************
Still another document boasts of Hacking Team's ability to bypass certificate pinning and the HTTP strict transport security mechanisms that are designed to make HTTPS website encryption more reliable and secure. "Our solution is the only way to intercept TOR traffic at the moment," the undated PowerPoint presentation went on to say.
******************************************

For a network engineer there is also the problem that Firefox and Chrome are going to stop letting you connect to servers with weak security. Here is a screenshot of the message I received in Firefox 39 this morning when I tried to log into my Cisco ISE server:

Firefox 39 connecting to Cisco ISE 1.2

I put the message into Google and found this on the Firefox support site:



It makes you wish you had an easy way to know what cipher suites a server can provide! Well, lucky for us, there is a project on GitHub called Cipherscan that does just that. It consists of a customized build of OpenSSL and a script for Linux: you download the custom OpenSSL package, install it in a private directory, save the script to the apps directory and execute the script. It's that easy, and in my opinion it is a great tool to have in your toolbox. A big thank you to the developers!

*********************************************
From the cipherscan readme file:
Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL
and TLS. It also extracts some certificate information, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the openssl s_client command line.

Cipherscan is meant to run on all flavors of unix. It ships with its own build of OpenSSL for
Linux/64 and Darwin/64. On other platforms, it will use the openssl version provided by the operating
system (which may have limited cipher support), or your own version provided in the -o command line flag.

*********************************************

Script Output

I have been running the script against a lot of different servers and the results are interesting.

For example, here is the output from my ISE server:
root@kali:~/Desktop/openssl/apps# ./cipherscan 192.168.10.21
......
Target: 192.168.10.21:443

prio  ciphersuite         protocols    pfs         curves
1     DHE-RSA-AES256-SHA  SSLv3,TLSv1  DH,768bits  None
2     AES256-SHA          SSLv3,TLSv1  None        None
3     DHE-RSA-AES128-SHA  SSLv3,TLSv1  DH,768bits  None
4     AES128-SHA          SSLv3,TLSv1  None        None
5     DES-CBC3-SHA        SSLv3,TLSv1  None        None
Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client

You can see that the Diffie-Hellman Ephemeral key is only 768 bits.

Then I ran it on an HP OfficeJet Pro 8600. Firefox 39 will open this page because the printer doesn't offer a weak Diffie-Hellman Ephemeral key, but the Calomel SSL extension turns red.

If you aren't running the Calomel extension for Firefox, I highly recommend it. Calomel checks the certificate on every site and gives you a red, yellow or green shield depending on the strength of the certificate. See the "References" section below for their site; they have a lot of good information about SSL there.

root@kali:~/Desktop/openssl/apps# ./cipherscan 192.168.10.239
.......
Target: 192.168.10.239:443

prio  ciphersuite   protocols    pfs   curves
1     AES256-SHA    SSLv3,TLSv1  None  None
2     AES128-SHA    SSLv3,TLSv1  None  None
3     RC4-SHA       SSLv3,TLSv1  None  None
4     RC4-MD5       SSLv3,TLSv1  None  None
5     DES-CBC3-SHA  SSLv3,TLSv1  None  None
6     DES-CBC-SHA   SSLv3,TLSv1  None  None
Certificate: UNTRUSTED, 1024 bit, md5WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
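Reading cipherscan's table by eye works for one server, but when you run it against a lot of them a small checker helps. The following is an added example, not part of cipherscan, that parses the prio/ciphersuite/protocols/pfs/curves rows plus the Certificate and Cipher ordering lines and flags what Firefox 39 and Calomel object to above: DHE keys under 1024 bits, RC4, single DES and export suites, SSLv3, MD5 or SHA1 certificate signatures, small certificate keys, client-side cipher ordering and a missing forward-secret suite. The embedded sample is the printer report above, re-typed into cipherscan's column layout; the thresholds are my own choices.

```python
import re

# Sample input: the cipherscan report for the HP printer above, re-typed into
# cipherscan's column layout so the checker runs offline.
PRINTER_SCAN = """\
prio  ciphersuite   protocols    pfs   curves
1     AES256-SHA    SSLv3,TLSv1  None  None
2     AES128-SHA    SSLv3,TLSv1  None  None
3     RC4-SHA       SSLv3,TLSv1  None  None
4     RC4-MD5       SSLv3,TLSv1  None  None
5     DES-CBC3-SHA  SSLv3,TLSv1  None  None
6     DES-CBC-SHA   SSLv3,TLSv1  None  None
Certificate: UNTRUSTED, 1024 bit, md5WithRSAEncryption signature
Cipher ordering: client
"""

# One table row: prio, ciphersuite, protocols, pfs, curves
ROW = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def analyze(scan: str) -> list:
    """Return a list of findings for one cipherscan report."""
    findings, seen_row, has_pfs, sslv3 = [], False, False, False
    for line in scan.splitlines():
        m = ROW.match(line)
        if m:
            suite, protos, pfs, _curves = m.groups()
            seen_row = True
            sslv3 |= "SSLv3" in protos.split(",")
            has_pfs |= pfs != "None"
            if re.search(r"RC4|^DES-CBC-|EXP", suite):   # RC4, single DES, export grade
                findings.append(f"{suite}: weak cipher")
            dh = re.match(r"DH,(\d+)bits", pfs)          # ephemeral DH group size
            if dh and int(dh.group(1)) < 1024:
                findings.append(f"{suite}: DHE key only {dh.group(1)} bits (Logjam; Firefox 39 refuses it)")
        elif line.startswith("Certificate:"):
            bits = int(re.search(r"(\d+) bit", line).group(1))
            sig = re.search(r"(\w+) signature", line).group(1)
            if bits < 2048:
                findings.append(f"certificate key only {bits} bits")
            if sig.startswith(("md5", "sha1")):
                findings.append(f"certificate signed with {sig}")
        elif line.startswith("Cipher ordering:") and line.endswith("client"):
            findings.append("client chooses the cipher (server enforces no ordering)")
    if sslv3:
        findings.append("SSLv3 still enabled (POODLE)")
    if seen_row and not has_pfs:
        findings.append("no forward-secret (DHE/ECDHE) suite offered")
    return findings
```

Run `analyze(PRINTER_SCAN)` for the printer, or paste another cipherscan report into the string; the ISE report above trips the 768-bit DHE check.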

Here is the output from https://mail.google.com.

root@kali:~/Desktop/openssl/apps# ./cipherscan mail.google.com
...................
Target: mail.google.com:443

prio  ciphersuite                  protocols                    pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
5     AES128-GCM-SHA256            TLSv1.2                      None                None
6     AES128-SHA256                TLSv1.2                      None                None
7     AES128-SHA                   TLSv1.1,TLSv1.2              None                None
8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits  prime256v1
11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits  prime256v1
12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
13    AES256-GCM-SHA384            TLSv1.2                      None                None
14    AES256-SHA256                TLSv1.2                      None                None
15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
16    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits  prime256v1
17    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
18    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Cipher ordering: server

Here is Calomel's view of the certificate:

Installing Cipherscan

Open a terminal on Kali or your favorite Linux distro.
Switch to the directory you want to install Cipherscan into.

  • run git clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha
  • cd openssl
  • ./Configure zlib no-shared experimental-jpake enable-md2 enable-rc5 enable-rfc3779 enable-gost enable-static-engine linux-x86_64
  • make depend
  • make
  • make report

Get the script from https://github.com/jvehent/cipherscan.

To copy the script, click in the page and press Ctrl+A on Linux/Windows or Command+A on Mac OS X. Paste the script into your editor of choice, verify that you copied it correctly, then save it to the apps folder.

The Mozilla Wiki article on Server Side TLS

The Mozilla Wiki has a great article on TLS. It explains Forward Secrecy, Diffie-Hellman Ephemeral key exchange, OCSP Stapling and much more for just about every browser and OS. It is also where I found Cipherscan!

If you are responsible for an Apache, HAProxy or Nginx server, the Mozilla wiki article is a must read. It even has a configuration generator for these servers that will create a configuration based on which generations of browsers you must support.

References:

Mozilla Wiki - Security/Server Side TLS
Calomel Firefox Addon
Ars Technica - Massive leak reveals Hacking Team's most private moments in messy detail
Defensive Security Episode 122 - Discussion on the breach at The Hacking Team
OWASP - Testing for Weak SSL/TLS Ciphers
SSL Cipher Suites Supported By Your Browser
Microsoft - How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll