Nmap Development mailing list archives
Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance
From: Martin Holst Swende <martin () swende se>
Date: Sun, 03 Apr 2011 22:25:05 +0200
On 04/03/2011 10:12 PM, Ron wrote:
Hey, I haven't taken a close look, but from a preliminary look I noticed two things that I suggest you change: 1. Can you use stdnse.get_script_args() to access the argument rather than doing it manually? 2. Can you add the script name before the argument (say, "goodciphers = stdnse.get_script_args('ssl-enum-ciphers.goodcipherlist'") or something similar Additionally, it'd be useful to have default built-in lists of ciphers that are considered weak, medium, and strong. Nessus, for example, considers every cipher <=56-bits to be weak, 64 - 124 bits to be medium, and 128-bits and higher to be strong. Or something, I didn't look up the actual numbers.
The tool SSLaudit by Michael Boman, which I use from time to time, is based on the SSL Rating guide. It contains this list with ratings of ciphers (graded from 0-100): http://code.google.com/p/sslaudit/source/browse/trunk/sslaudit.ini The version above is from jan 17 2010. Maybe useful ? /Martin Swende
Can you pre-populate a datafile in nselib/data with those values and have Nmap find that by default? Thanks! Ron On Wed, 30 Mar 2011 21:56:02 +0000 "Lawrence, Gabe" <glawrenc () qualcomm com> wrote:Howdy folks,I'm about to audit a bunch of SSL servers to make sure that they are only offering ciphers that we've decided are good. The easiest way for me to assess this was to modify the existing ssl-enum-ciphers script to read in a file containing ciphers and indicate if a server only offered ciphers in that list, as well as making a visual distinction for the ones that aren't. Attached is my attempt at this and I figured it was worth sharing with the community. I added myself to the author variable only so first attempt at Lua wouldn't reflect negatively on Mak Kolybabi.Original output from the script looked like this:PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers2: | TLSv1.0 | Ciphers (4) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | Compressors (1) |_ uncompressedSpecifying --script-args goodcipherlist=./test with test looking like thiscat test SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5Gives you thisPORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers2: | TLSv1.0 | Ciphers (4) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_DES_CBC_SHA* | TLS_RSA_WITH_RC4_128_MD5 | Compressors (1) | uncompressed |_ Compliant = falseSo the one marked with a * is the one that took this server out of compliance.And, no... my test cipher list isn't my dream list ;-)I'm not on the list so if you wouldn't mind keeping me on the CC for any discussion.Cheers, gabe
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/ _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance Ron (Apr 03)
- Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance Martin Holst Swende (Apr 03)
- <Possible follow-ups>
- Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance David Fifield (Apr 19)
- RE: [NSE] modified ssl-enum-ciphers to indicate policy compliance Gabriel Lawrence (May 11)
- Re: [NSE] modified ssl-enum-ciphers to indicate policy compliance Gabriel Lawrence (Jun 09)