Nmap Development mailing list archives
Re: cipher support
From: Robin Wood <robin@digi.ninja>
Date: Tue, 13 Oct 2015 05:39:14 +0100
On 13 Oct 2015 02:48, "Daniel Miller" <bonsaiviking () gmail com> wrote:

> Robin,
>
> It's true: the ssl-enum-ciphers script does not detect SSLv2. This is
> because we have a dedicated script for that protocol: sslv2.nse. I just
> engaged with Robert Graham (masscan) and John Matherly (Shodan) on Twitter
> and they had interesting things to say: Rob will be scanning the Internet
> for SSLv2 tonight looking for what ciphers are offered [1], and Shodan
> already lets you search for SSLv2, but does not list ciphers [2].

Based on the name I think ssl-enum-ciphers should check for SSLv2. From a
semantic point of view I can understand why, if SSLv2 is listed and not
enumerated, but having a single script that returns everything would be
easier to work with.

Robin

> I did look into it further, and it appears that the client must send a
> list of ciphers to the SSLv2 server, and the server will send back *any* of
> the ciphers it supports. This is still more info than SSLv3 and newer
> gives, since in those cases only 1 cipher is returned. But sslv2.nse sends
> all 8 cipher suites described in any documentation I can find anywhere. We
> would gladly send more if any were identified; the "address space" is 3
> bytes, so there is lots of room for potentially-implemented ciphers we are
> not trying.
>
> Dan
>
> [1] https://twitter.com/ErrataRob/status/653671404194410497
> [2] https://twitter.com/achillean/status/653671202389536768
>
> On Mon, Oct 12, 2015 at 5:29 PM, Robin Wood <robin@digi.ninja> wrote:
>
>> On 12 Oct 2015 19:34, "Daniel Miller" <bonsaiviking () gmail com> wrote:
>>
>>> Robin,
>>>
>>> Nmap relies on the sslv2 NSE script [1] for SSLv2 detection and cipher
>>> enumeration. It does not require OpenSSL for any of these functions. The
>>> script will show the ciphers that the server provides; SSLv2 is different
>>> than SSLv3 and TLS in this regard, since the server sends a list of
>>> supported ciphers. The list of names that we can translate is admittedly
>>> sparse: only 8 ciphers listed. But any unsupported ones will be reported
>>> by number, so no real information is lost.
>>>
>>> Related, the ssl-enum-ciphers script also does not use OpenSSL to
>>> determine the list of supported ciphers. OpenSSL is used to parse the
>>> server certificate to extract necessary key strength information for
>>> determining the "score" of the handshake, but this is secondary to the
>>> cipher enumeration part of the script.
>>
>> I'll check again, but I'm sure in a test earlier I got the ssllabs site
>> and sslscan finding SSLv2 but not the ssl-enum-ciphers script.
>>
>> I'll run it all in the morning and post back results.
>>
>> Robin
>>
>>> Dan
>>>
>>> [1] https://nmap.org/nsedoc/scripts/sslv2.html
>>>
>>> On Mon, Oct 12, 2015 at 9:00 AM, Robin Wood <robin@digi.ninja> wrote:
>>>
>>>> I've been looking at SSL and found that both sslscan and nmap are
>>>> missing SSLv2 ciphers. From looking at sslscan, it needs to be built
>>>> against a static version of openssl which is built to support SSLv2, and
>>>> from a tweet by Dan Miller I assume nmap is the same. What is the best
>>>> way to do this?
>>>>
>>>> Luckily I don't think I've missed anything, as Nessus has been catching
>>>> all the SSLv2 that I've come across, but I was wondering if it is worth
>>>> adding something to the scripts that test for ciphers so they can warn
>>>> the user if they are likely to miss ciphers due to the version of
>>>> openssl in use?
>>>>
>>>> Robin
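The SSLv2 exchange Dan describes above (the client offers a list of 3-byte cipher kinds in CLIENT-HELLO and the server answers with whichever of them it supports in SERVER-HELLO), as an added Python example that is not part of this thread or of Nmap's sslv2.nse: it builds a CLIENT-HELLO offering the eight kinds named in the thread and parses a SERVER-HELLO, naming known kinds and reporting any other one by number, as the script does. The cipher table follows the SSLv2 draft spec plus OpenSSL's name for kind 08 00 80; the SERVER-HELLO bytes are constructed here, not captured from a real server.

```python
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSLv2 draft spec; the last
# one (08 00 80) is OpenSSL's RC4-64-MD5. Anything else is reported as hex.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    b"\x08\x00\x80": "SSL2_RC4_64_WITH_MD5",
}

def build_client_hello(cipher_specs, challenge=b"\x00" * 16):
    """CLIENT-HELLO offering every kind in cipher_specs, with a 2-byte record header."""
    specs = b"".join(cipher_specs)
    # MSG-CLIENT-HELLO, version 0.2, cipher-specs len, session-id len, challenge len
    body = struct.pack("!BHHHH", 0x01, 0x0002, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body   # high bit set: no padding byte

def parse_server_hello(record):
    """Return the cipher names a SERVER-HELLO offers, unknown kinds as 'unknown-0x......'.
    Returns None for anything that is not a well-formed SERVER-HELLO (an SSLv2 ERROR
    record, a TLS alert, or a truncated record), i.e. no SSLv2 cipher list was offered."""
    if len(record) < 2:
        return None
    if record[0] & 0x80:                                   # 2-byte header, 15-bit length
        length, body = ((record[0] & 0x7f) << 8) | record[1], record[2:]
    else:                                                  # 3-byte header, 14-bit length + padding
        length, body = ((record[0] & 0x3f) << 8) | record[1], record[3:]
    body = body[:length]
    if len(body) < 11 or body[0] != 0x04:                  # 0x04 = MSG-SERVER-HELLO
        return None
    # fixed part: type, session-id-hit, cert-type, version(2), cert len, specs len, conn-id len
    cert_len, spec_len, conn_len = struct.unpack("!HHH", body[5:11])
    specs = body[11 + cert_len : 11 + cert_len + spec_len]
    if len(specs) != spec_len or spec_len % 3:
        return None                                        # truncated or malformed cipher list
    return [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown-0x" + specs[i:i + 3].hex())
            for i in range(0, spec_len, 3)]

# Constructed sample SERVER-HELLO: placeholder 4-byte "certificate", two documented
# kinds and one kind outside the documented list, 16-byte connection id.
SAMPLE_CERT = b"\x30\x82\x00\x00"
SAMPLE_SPECS = b"\x01\x00\x80" + b"\x07\x00\xc0" + b"\x09\x00\x80"
_body = struct.pack("!BBBHHHH", 0x04, 0x00, 0x01, 0x0002,
                    len(SAMPLE_CERT), len(SAMPLE_SPECS), 16) + SAMPLE_CERT + SAMPLE_SPECS + b"\x11" * 16
SAMPLE_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_body)) + _body
```

A server that only speaks SSLv3/TLS answers the CLIENT-HELLO with an alert or closes the connection, which the parser reports as None rather than as an empty cipher list.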
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/