Nmap Development mailing list archives
Re: sweet32 and ssl-enum-ciphers question
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 31 Jan 2017 08:51:53 -0600
Todd,

The "+" forces the script to run on every discovered open port regardless of whether it is a "likely SSL" port or not. The default behavior is to only run on known SSL or STARTTLS ports (3389 is included in this list). The generally-accepted way to run the script against discovered services on unusual ports is to add -sV to perform service and application version detection. This way, the script can match not only on the port number but also on the service name or the detected ssl tunnel. Using "+" is slightly faster in the single-port known-service case, but can produce a lot of useless traffic if you are scanning many ports, since most of them will not be SSL.

Dan

On Tue, Jan 31, 2017 at 12:29 AM, ToddAndMargo <ToddAndMargo () zoho com> wrote:
On 01/30/2017 10:09 PM, ToddAndMargo wrote:
On 01/30/2017 11:12 AM, ToddAndMargo wrote:
Hi All,

I have a customer that got tagged with sweet32 on his PCI (credit card security) external scan. He is using RDP on a couple of his workstations so he can log in from home and I do believe the issue is that he hasn't done his Windows 7 updates in about two years. I will fix.

Anyway, I am on nmap 7.40. Reading over at: https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

It shows a bunch of this stuff:

Example Usage
  nmap --script ssl-enum-ciphers -p 443 <host>

Script Output
  PORT    STATE SERVICE REASON
  443/tcp open  https   syn-ack
  | ssl-enum-ciphers:
  |   TLSv1.0:
  |     ciphers:
  |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
  |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
  and on and so forth

My intention is to use NMap to identify the sweet32 vulnerability and to then use NMap again to verify I have solved the issue. I am specifically looking for the "3DES" entry associated with sweet32.

When I run this probe, I do not get any of this stuff. I do get stuff back, but not the list with all the ciphers.

This is what I ran:
  nmap -p xxxx,yyyy -v --script ssl-enum-ciphers www.xxx.yyy.zzz

Am I missing something here?

Many thanks,
-T

By chance, if the port(s) are closed properly, would I not see the "ssl-enum-ciphers" report that shows on https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html as the script could find anything?

This script "--script +ssl-enum-ciphers" found
  64-bit block cipher 3DES vulnerable to SWEET32 attack

So now I can reproduce. What did the "+" sign do to make the difference?

Many thanks,
-T

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Serious error. All shortcuts have disappeared.
Screen. Mind. Both are blank.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
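Since the goal in this thread is to spot the 3DES suite (and the script's SWEET32 warning) in ssl-enum-ciphers output before and after the fix, here is an added Python helper, example code that is not part of the thread or of Nmap, which parses the script's normal-format output and reports every 64-bit block cipher suite per port; the sample scan output is constructed, and the SMALL_BLOCK name fragments are this example's assumption about Nmap's suite naming.

```python
import re
from typing import Dict, List, Tuple

# Suite-name fragments denoting a 64-bit block cipher (the class SWEET32 targets).
# Assumption of this example, based on the usual TLS_*_WITH_<cipher>_* naming.
SMALL_BLOCK = ("3DES", "DES_CBC", "IDEA", "RC2")

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")          # "3389/tcp open ..."
PROTO_RE = re.compile(r"^\|[ _]\s+(SSLv\d|TLSv\d\.\d):")      # "|   TLSv1.0:"
CIPHER_RE = re.compile(r"^\|[ _]\s+(TLS_[A-Z0-9_]+)")         # "|       TLS_RSA_..."


def find_sweet32(nmap_output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {port: [(protocol, suite), ...]} for each small-block suite offered,
    plus ("warning", text) entries for the script's own SWEET32 warning lines."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    port, proto = None, None
    for line in nmap_output.splitlines():
        m = PORT_RE.match(line)
        if m:                          # new port section; reset protocol context
            port, proto = f"{m.group(1)}/{m.group(2)}", None
            continue
        if port is None or not line.startswith("|"):
            continue                   # not inside a script-output block
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and any(frag in m.group(1) for frag in SMALL_BLOCK):
            findings.setdefault(port, []).append((proto or "?", m.group(1)))
        elif "SWEET32" in line:
            findings.setdefault(port, []).append(("warning", line.lstrip("|_ ")))
    return findings


# Constructed sample of ssl-enum-ciphers normal output for an RDP port (not a real scan).
SAMPLE = """\
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_  least strength: C
"""

if __name__ == "__main__":
    for p, items in find_sweet32(SAMPLE).items():
        for proto, what in items:
            print(f"{p}: {proto}: {what}")
```

Feed it `nmap -oN` output from the -sV run Dan describes; an empty result after the fix means no small-block suite is offered and the warning line is gone.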
Current thread:
- sweet32 and ssl-enum-ciphers question ToddAndMargo (Jan 30)
- Re: sweet32 and ssl-enum-ciphers question Daniel Calvo Castro (Jan 30)
- Re: sweet32 and ssl-enum-ciphers question ToddAndMargo (Jan 30)
- Re: sweet32 and ssl-enum-ciphers question ToddAndMargo (Jan 30)
- Re: sweet32 and ssl-enum-ciphers question ToddAndMargo (Jan 30)
- Re: sweet32 and ssl-enum-ciphers question Daniel Miller (Jan 31)
- Re: sweet32 and ssl-enum-ciphers question ToddAndMargo (Jan 31)
- Re: sweet32 and ssl-enum-ciphers question ToddAndMargo (Jan 30)
- Re: sweet32 and ssl-enum-ciphers question Daniel Calvo Castro (Jan 30)