Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance
From: Ron <ron () skullsecurity net>
Date: Sun, 3 Apr 2011 15:12:03 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey,

I haven't taken a close look, but from a preliminary look I noticed two things that I suggest you change:
1. Can you use stdnse.get_script_args() to access the argument rather than doing it manually?
2. Can you add the script name before the argument (say, "goodciphers = 
stdnse.get_script_args('ssl-enum-ciphers.goodcipherlist'") or something similar

Additionally, it'd be useful to have default built-in lists of ciphers that are considered weak, medium, and strong. 
Nessus, for example, considers every cipher <=56-bits to be weak, 64 - 124 bits to be medium, and 128-bits and higher 
to be strong. Or something, I didn't look up the actual numbers. 

Can you pre-populate a datafile in nselib/data with those values and have Nmap find that by default?

Thanks! 

Ron

On Wed, 30 Mar 2011 21:56:02 +0000 "Lawrence, Gabe" <glawrenc () qualcomm com> wrote:
Howdy folks,

I'm about to audit a bunch of SSL servers to make sure that they are
only offering ciphers that we've decided are good. The easiest way
for me to assess this was to modify the existing ssl-enum-ciphers
script to read in a file containing ciphers and indicate if a server
only offered ciphers in that list, as well as making a visual
distinction for the ones that aren't. Attached is my attempt at this
and I figured it was worth sharing with the community. I added myself
to the author variable only so first attempt at Lua wouldn't reflect
negatively on Mak Kolybabi.

Original output from the script looked like this:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers2:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed


Specifying --script-args goodcipherlist=./test  with test looking
like this

cat test
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

Gives you this

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers2:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA*
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|       uncompressed
|_  Compliant = false

So the one marked with a * is the one that took this server out of
compliance.

And, no... my test cipher list isn't my dream list ;-)

I'm not on the list so if you wouldn't mind keeping me on the CC for
any discussion.

Cheers,
gabe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAk2Y1JMACgkQ2t2zxlt4g/TAPwCdFH1HrN1yx54IdrplQ5ZXM0QN
1BgAn0UEAfeNAf7QwDTrqKD1m1ej7ewt
=KUkL
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]