Nmap Development mailing list archives

Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script

From: David Fifield <david () bamsoftware com>
Date: Tue, 23 Feb 2010 18:39:20 -0700

On Mon, Feb 22, 2010 at 10:00:14PM -0600, Mak Kolybabi wrote:

On 2010-02-19 13:58, David Fifield wrote:

I agree that the name should be changed. Maybe ssl-enum-ciphers.


I dislike that name on the basis that it also enumerates compression
algorithms. Perhaps ssl-enum-algorithms?


I like this script a lot. I committed it in r16847.

I understand your objection about the name of the script. I can't think
of a name that's wholly satisfactory to me. I committed it with the name
ssl-enum-ciphers, even though the script does more than that. Your
original name was sslv3-enum. Now that I'm thinking about it, maybe
ssl-enum is better. People understand "SSL" to encompass both SSL and
TLS. The only problem is that the script doesn't work with SSLv2 or
earlier, but we have sslv2.nse for that.

I like the new default behavior of printing results in the order they
are accepted by the remote server. I changed the name of the "sort"
script argument to "ssl-enum-ciphers.sort".

The new changes look great. I'm getting different results than before
against Ncat, though:

| ssl-enum-algorithms:
|   SSLv3
|     Ciphers (5)
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (5)
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_IDEA_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Before, it was giving me results from TLSv1.1 and TLSv1.2 also. Do you
have an idea what might have caused the change, and which results are
correct? The previous results are at
http://seclists.org/nmap-dev/2010/q1/601.

You should switch the order of the first two paragraphs in the
description. The first paragraph is shown as the summary in NSEDoc, and
what you have now as the second paragraph is more descriptive of what
the script does.


I've rewritten the description to reflect that I now use a better
algorithm that was suggested to me, which is *way* faster.


The new algorithm is a great idea! For everyone else, the way it worked
at first was that the script would initiate a connection using each one
of its known ciphers individually, and keep track of which ones worked
and which didn't. Now, it starts by offering all ciphers at once, and
removes them one at a time as the server accepts them (one per
connection) until the server rejects them all.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script Mak Kolybabi (Feb 16)
- Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script Rob Nicholls (Feb 17)
- Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script David Fifield (Feb 19)
  - Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script Rob Nicholls (Feb 20)
  - Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script Mak Kolybabi (Feb 22)
    - Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script Fyodor (Feb 22)
    - Ncat segfault with -l --ssl < /dev/zero David Fifield (Feb 23)
    - Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script David Fifield (Feb 23)
    - Re: [NSE] SSLv3/TLSv1 cipher and compression algorithm enumeration script Fyodor (Feb 24)