Nmap Development mailing list archives
RE: Script for supported ciphers?
From: Matthew Boyle <matt_boyle32 () hotmail com>
Date: Thu, 5 Feb 2009 20:30:23 +0000
From: robert () everythingeverything co uk

>> Is there an nmap script to display what SSL ciphers / versions a server will accept? I could sure use one for my PCI compliance scanning...

> Agreed, I'd find it quite useful too. At the moment I use a script to run an external program every time Nmap identifies the use of SSL, being able to do it with Nmap would be a great time saver. It'd definitely be useful to identify support for SSLv2 for PCI scans (although the Assessor Update: November 2008 [1] states that "The merchant can enable SSL 2.0 or older for an initial handshake only to identify that the browser requires to be updated. The merchant can then notify their customers that a security update is required in those rare cases prior to making an online purchase using a credit or debit card."), but I'd also like to know about weak ciphers in general.
hey, i'm the original author of the SSLv2 script. i did briefly investigate adapting it to also identify weak/null SSLv3/TLS cyphers, but some of the characteristics of the protocol make it rather harder to get the complete list of the cyphers the server supports. SSLv2 leaves the cypher choice to the client, while in SSLv3/TLS that's done by the server, based on what the client offers.

of course, this is moot if all that's required is a safe/unsafe diagnosis, leaving further investigation to the interested party. that would probably just be a matter of sending CLIENT-HELLO requests containing only weak cyphers, and checking for an error message from the server.

if people are interested in such a thing i'd be glad to take another look.

cheers,
--matt
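The weak-cipher-only CLIENT-HELLO check described in the message above, as an added Python example that is not part of the original post or of any Nmap script. The function names, the selection of suites from RFC 2246 and the TLS 1.0 record version are assumptions of this example.

```python
import os
import socket
import struct

# Assumed sample of weak suites (NULL, export-grade, single DES) with their RFC 2246 ids.
WEAK_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
}

def build_client_hello(suites, version=0x0301):
    """Build a ClientHello record that offers only the given cipher suite ids."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + os.urandom(32)    # client_version, random
            + b"\x00"                                       # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def classify_response(data):
    """Return ('weak-accepted', suite_id), ('rejected', alert_code) or ('unknown', None)."""
    if len(data) < 7:
        return ("unknown", None)
    if data[0] == 0x15:                         # alert record: level, then description
        return ("rejected", data[6])            # 40 is handshake_failure
    if data[0] == 0x16 and data[5] == 0x02:     # handshake record carrying a ServerHello
        sid_len_at = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
        if len(data) < sid_len_at + 1:
            return ("unknown", None)
        suite_at = sid_len_at + 1 + data[sid_len_at]   # skip the variable-length session_id
        if len(data) < suite_at + 2:
            return ("unknown", None)
        return ("weak-accepted", struct.unpack("!H", data[suite_at:suite_at + 2])[0])
    return ("unknown", None)

def probe(host, port=443, timeout=5.0):
    """Send the weak-only hello to a server being audited and classify its first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(WEAK_SUITES)))
        return classify_response(sock.recv(4096))   # only the first chunk is inspected
```

Because the server picks the suite in SSLv3/TLS, a `weak-accepted` result names only the one suite it chose from the offer, which is the safe/unsafe diagnosis rather than a complete list.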
Current thread:
- Script for supported ciphers? Corey Chandler (Feb 04)
- Re: Script for supported ciphers? David Fifield (Feb 04)
- Re: Script for supported ciphers? Rob Nicholls (Feb 05)
- RE: Script for supported ciphers? Matthew Boyle (Feb 05)