Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance
From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Apr 2011 10:25:35 -0700

On Wed, Mar 30, 2011 at 09:56:02PM +0000, Lawrence, Gabe wrote:
Howdy folks,

I'm about to audit a bunch of SSL servers to make sure that they are
only offering ciphers that we've decided are good. The easiest way for
me to assess this was to modify the existing ssl-enum-ciphers script
to read in a file containing ciphers and indicate if a server only
offered ciphers in that list, as well as making a visual distinction
for the ones that aren't. Attached is my attempt at this and I figured
it was worth sharing with the community. I added myself to the author
variable only so first attempt at Lua wouldn't reflect negatively on
Mak Kolybabi.

Original output from the script looked like this:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers2:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed


Specifying --script-args goodcipherlist=./test  with test looking like this

cat test
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

Gives you this

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers2:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA*
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|       uncompressed
|_  Compliant = false

So the one marked with a * is the one that took this server out of compliance.

And, no... my test cipher list isn't my dream list ;-)

I'm not on the list so if you wouldn't mind keeping me on the CC for
any discussion.

Hi Gabe. Nice job on these modifications. You might not have been Cced
on a couple of replies:
        http://seclists.org/nmap-dev/2011/q2/46
        http://seclists.org/nmap-dev/2011/q2/49
I think I agree with Ron: It would be nice if an external data file
classified ciphers into "strong" and "weak". We could add such a file to
the distribution and make the script read it by default. Then for audits
like yours, someone could just modify the file to match their own cipher
requirements.

If you do this, please base your work on the latest version of the
script, which has some minor changes.
http://nmap.org/svn/scripts/ssl-enum-ciphers.nse

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]