Nmap Development mailing list archives
[NSE] modified ssl-enum-ciphers to indicate policy compliance
From: "Lawrence, Gabe" <glawrenc () qualcomm com>
Date: Wed, 30 Mar 2011 21:56:02 +0000
Howdy folks,

I'm about to audit a bunch of SSL servers to make sure that they are only offering ciphers that we've decided are good. The easiest way for me to assess this was to modify the existing ssl-enum-ciphers script to read in a file containing ciphers and indicate if a server only offered ciphers in that list, as well as making a visual distinction for the ones that aren't. Attached is my attempt at this and I figured it was worth sharing with the community. I added myself to the author variable only so my first attempt at Lua wouldn't reflect negatively on Mak Kolybabi.

Original output from the script looked like this:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers2:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed

Specifying --script-args goodcipherlist=./test with test looking like this

cat test
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

Gives you this

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers2:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA*
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|       uncompressed
|_  Compliant = false

So the one marked with a * is the one that took this server out of compliance. And, no... my test cipher list isn't my dream list ;-)

I'm not on the list so if you wouldn't mind keeping me on the CC for any discussion.

Cheers,
gabe
Attachment:
ssl-enum-ciphers2.nse
Description: ssl-enum-ciphers2.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
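
The compliance check described in the message, as an added example: this is not the attached ssl-enum-ciphers2.nse (its source is not shown on this page) but a Python post-processor for saved output of the unmodified script. The function names, the inline sample data and the "unknown" verdict for a report with no parsed ciphers are assumptions of this example.

```python
import re

# Constructed samples: a report in the post's layout and the post's "test" allowlist.
SAMPLE_REPORT = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (4)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed
"""
SAMPLE_ALLOWLIST = """\
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
"""
SCRIPT_LINE = re.compile(r"^\|_?\s*(.*?)\s*$")

def load_allowlist(text):
    """Parse an allowlist: one cipher name per line, blank lines skipped."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def audit(report, allowed):
    """Return (lines, violations, compliant); compliant is None if no cipher was parsed."""
    out, violations, seen, protocol, in_ciphers = [], [], 0, None, False
    for raw in report.splitlines():
        m = SCRIPT_LINE.match(raw)
        body = m.group(1) if m else ""
        if body.startswith(("SSLv", "TLSv")):
            protocol, in_ciphers = body, False
        elif body.startswith("Ciphers ("):
            in_ciphers = True
        elif body.startswith("Compressors ("):
            in_ciphers = False
        elif in_ciphers and body:
            seen += 1
            if body not in allowed:
                violations.append((protocol, body))
                raw = raw.rstrip() + "*"  # same marker as in the post's output
        out.append("| " + raw[2:] if raw.startswith("|_") else raw)  # verdict is the new last line
    compliant = None if seen == 0 else not violations
    verdict = "unknown" if compliant is None else str(compliant).lower()
    return out + ["|_ Compliant = " + verdict], violations, compliant

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REPORT, load_allowlist(SAMPLE_ALLOWLIST))[0]))
```

Returning None rather than true when no cipher lines were parsed keeps a failed or empty scan from being counted as a compliant server.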