Nmap Development mailing list archives
RE: ssl-enum-ciphers not returning all ciphers
From: "Lemons, Terry" <Terry.Lemons () dell com>
Date: Tue, 25 Jun 2019 19:27:43 +0000
Hi Matt

Thanks very much for the help! Thanks for pointing out that I was wrong in identifying the two ciphers shown in nmap; that makes the results make more sense.

I ran the openssl command you suggested; stripping out some of the possibly-sensitive information, here is the output:

lava93141:/tmp # openssl s_client -connect 10.7.110.234:5671 -cipher DHE-RSA-AES256-GCM-SHA384
CONNECTED(00000003)
. . .
verify error:num=19:self signed certificate in certificate chain
139674829317776:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
139674829317776:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
. . .
---
Server certificate
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
subject=...
issuer=...
---
Acceptable client certificate CA names
. . .
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3122 bytes and written 330 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: xxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxx
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1561490298
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
lava93141:/tmp #

Thoughts?
Thanks
tl

From: Matthew.Snyder () mt com <Matthew.Snyder () mt com>
Sent: Tuesday, June 25, 2019 3:14 PM
To: Lemons, Terry; dev () nmap org
Subject: RE: ssl-enum-ciphers not returning all ciphers

[EXTERNAL EMAIL]

I actually see this pushing only the first two (RSA-only, non-ephemeral, non-Diffie-Hellman ---- follow highlights). But that's not really the issue being questioned.

Can you confirm, is there a different result if you were to use "openssl s_client -connect 10.7.110.234:5671 -cipher DHE-RSA-AES256-GCM-SHA384"???

If by running an example that we are not seeing in NMAP, we get an incomplete handshake, it's likely that NMAP is accurate in its result.

Regards,
Matt

From: dev <dev-bounces () nmap org> On Behalf Of Lemons, Terry
Sent: Tuesday, June 25, 2019 2:47 PM
To: dev () nmap org
Subject: ssl-enum-ciphers not returning all ciphers

Hi

I'm using nmap 7.70 on a Linux system to probe a different Linux system that is using RabbitMQ/Erlang.

The cipher list, specified in the RabbitMQ-specific format, is:

ssl_options.ciphers.1 = AES128-GCM-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.ciphers.3 = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.4 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = DHE-RSA-AES256-SHA256
ssl_options.ciphers.6 = DHE-RSA-AES128-SHA256
ssl_options.ciphers.7 = DHE-RSA-AES256-SHA
ssl_options.ciphers.8 = DHE-RSA-AES128-SHA
ssl_options.ciphers.9 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.13 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.14 = ECDHE-RSA-AES128-SHA

When I run nmap (with -d option, below), it returns only the third and fourth cipher:

nmap -sV -p 5671 -d --script ssl-enum-ciphers 10.7.110.234

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-25 12:36 MDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
Initiating Ping Scan at 12:36
Scanning 10.7.110.234 [4 ports]
Packet capture filter (device eth0): dst host 10.7.93.141 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.7.110.234)))
We got a ping packet back from 10.7.110.234: id = 48554 seq = 0 checksum = 16981
Completed Ping Scan at 12:36, 0.00s elapsed (1 total hosts)
Overall sending rates: 1114.21 packets / s, 42339.83 bytes / s.
mass_rdns: Using DNS server 10.7.93.100
Initiating Parallel DNS resolution of 1 host. at 12:36
mass_rdns: 13.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 3]
Completed Parallel DNS resolution of 1 host. at 12:37, 13.00s elapsed
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 12:37
Scanning 10.7.110.234 [1 port]
Packet capture filter (device eth0): dst host 10.7.93.141 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.7.110.234)))
Discovered open port 5671/tcp on 10.7.110.234
Completed SYN Stealth Scan at 12:37, 0.00s elapsed (1 total ports)
Overall sending rates: 354.99 packets / s, 15619.45 bytes / s.
Initiating Service scan at 12:37
Scanning 1 service on 10.7.110.234
Got nsock CONNECT response with status ERROR - aborting this service
Completed Service scan at 12:37, 5.05s elapsed (1 service on 1 host)
NSE: Script scanning 10.7.110.234.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:37
NSE: Starting ssl-enum-ciphers against 10.7.110.234:5671.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.1.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol SSLv3.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.2.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.0.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] (TLSv1.2) Comparing TLS_RSA_WITH_AES_128_GCM_SHA256 to TLS_RSA_WITH_AES_256_GCM_SHA384
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
Completed NSE at 12:37, 0.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:37
NSE: Starting rpc-grind against 10.7.110.234:5671.
NSE: [rpc-grind 10.7.110.234:5671] isRPC didn't receive response.
NSE: [rpc-grind 10.7.110.234:5671] Target port 5671 is not a RPC port.
NSE: Finished rpc-grind against 10.7.110.234:5671.
Completed NSE at 12:37, 0.01s elapsed
Nmap scan report for 10.7.110.234
Host is up, received echo-reply ttl 62 (0.0013s latency).
Scanned at 2019-06-25 12:36:49 MDT for 18s

PORT     STATE SERVICE    REASON         VERSION
5671/tcp open  ssl/amqps? syn-ack ttl 62
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Final times for host: srtt: 1292 rttvar: 3833 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:37
Completed NSE at 12:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:37
Completed NSE at 12:37, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
#

Is this a known problem? Should I be running nmap with different options? I tried '-T1' but it didn't change the behavior.

Thanks!
tl

Terry Lemons
Data Protection Division
176 South Street, MS 2/B-34
Hopkinton MA 01748
terry.lemons () dell com
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
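The cross-check Matt suggests (offer the server a single suite with openssl s_client and see what comes back) is worth scripting across the whole rabbitmq.conf list, and it helps to translate the OpenSSL-style names in that list into the IANA TLS_* names that ssl-enum-ciphers prints: AES128-GCM-SHA256 and AES256-GCM-SHA384 are TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384, i.e. the first two entries, which is the point Terry acknowledges above. The script below is an added example for this thread, not code from nmap, RabbitMQ or either poster. One caveat it accounts for: a handshake_failure alert (alert 40) on its own does not prove the server refused the suite. In the s_client output above the alert arrives after the server has already sent a ServerKeyExchange ("Server Temp Key: DH, 2048 bits") and a CertificateRequest ("Acceptable client certificate CA names"), and OpenSSL still reports "Cipher is DHE-RSA-AES256-GCM-SHA384", so that suite was selected and the handshake failed afterwards (a server that requires a client certificate is one common cause). A server that really does not offer the suite answers with "Cipher is (NONE)" instead, and the classifier keeps the two outcomes apart. Assumptions: a POSIX sh, an OpenSSL client (1.0.2 or newer) on PATH, and a TLS 1.2 server, since -tls1_2 is passed so that a 1.1.1+ client cannot sidestep -cipher by negotiating TLS 1.3. The host, port and the embedded sample output are taken from this thread and trimmed.

```shell
#!/bin/sh
# Cross-check an ssl-enum-ciphers result against per-suite openssl s_client
# handshakes.  Added example for this thread; not code from nmap, RabbitMQ or
# the posters.  Assumes a POSIX sh and an OpenSSL client (1.0.2 or later) on
# PATH; -tls1_2 keeps a 1.1.1+ client from sidestepping -cipher via TLS 1.3.

# Pull the OpenSSL-style suite names out of a rabbitmq.conf
# (lines of the form "ssl_options.ciphers.N = NAME"), in configured order.
ciphers_from_conf() {  # file
    sed -n 's/^ssl_options\.ciphers\.[0-9][0-9]* *= *//p' "$1"
}

# Translate an OpenSSL name into the IANA TLS_*_WITH_* name that
# ssl-enum-ciphers prints.  Covers the RSA, DHE-RSA and ECDHE-RSA AES
# families in the thread's list; anything else is echoed back with status 1.
to_iana() {  # openssl-name
    case $1 in
        DHE-RSA-AES*)   kx=DHE_RSA;   rest=${1#DHE-RSA-} ;;
        ECDHE-RSA-AES*) kx=ECDHE_RSA; rest=${1#ECDHE-RSA-} ;;
        AES*)           kx=RSA;       rest=$1 ;;
        *) printf '%s\n' "$1"; return 1 ;;
    esac
    # AES128-GCM-SHA256 -> AES_128_GCM_SHA256 ; AES256-SHA -> AES_256_CBC_SHA
    enc=$(printf '%s' "$rest" | sed -e 's/^AES\([0-9]*\)-GCM-/AES_\1_GCM_/' \
                                     -e 's/^AES\([0-9]*\)-/AES_\1_CBC_/')
    printf 'TLS_%s_WITH_%s\n' "$kx" "$enc"
}

# Read openssl s_client output on stdin and print one of:
#   rejected                     no suite agreed ("Cipher is (NONE)")
#   negotiated-failed <suite>    server picked the suite, but the handshake
#                                still ended in alert 40 (e.g. client cert
#                                required, as the CertificateRequest in the
#                                thread's output suggests)
#   accepted <suite>             handshake completed
classify_handshake() {
    out=$(cat)
    suite=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case $out in
        *"alert handshake failure"*|*"SSL alert number 40"*) failed=1 ;;
        *) failed=0 ;;
    esac
    if [ -z "$suite" ] || [ "$suite" = "(NONE)" ]; then
        echo rejected
    elif [ "$failed" -eq 1 ]; then
        echo "negotiated-failed $suite"
    else
        echo "accepted $suite"
    fi
}

# Offer the server exactly one suite and classify the result.
probe_cipher() {  # host port openssl-name
    openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>&1 \
        | classify_handshake
}

# Walk a rabbitmq.conf list against a live server, printing both names and
# the verdict per suite.
# Usage: sh check-suites.sh rabbitmq.conf 10.7.110.234 5671
probe_conf() {  # conf host port
    ciphers_from_conf "$1" | while read -r name; do
        printf '%-28s %-40s %s\n' "$name" "$(to_iana "$name")" \
            "$(probe_cipher "$2" "$3" "$name")"
    done
}

# Trimmed copy of the s_client output posted in this thread, used as offline
# sample input when the script is run without arguments.
SAMPLE='CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
139674829317776:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
Acceptable client certificate CA names
Server Temp Key: DH, 2048 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

if [ $# -eq 3 ]; then
    probe_conf "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE" | classify_handshake
    # -> negotiated-failed DHE-RSA-AES256-GCM-SHA384
fi
```

Run with no arguments it classifies the thread's own output; with a conf file, host and port it probes every configured suite in turn. A suite that comes back "rejected" for every attempt is one the server really does not offer and ssl-enum-ciphers is right to omit; a "negotiated-failed" verdict means the server selected it in its ServerHello, and the reason for the later failure (client certificate, verification settings) needs to be looked at separately from the cipher question.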
Current thread:
- ssl-enum-ciphers not returning all ciphers Lemons, Terry (Jun 25)
- RE: ssl-enum-ciphers not returning all ciphers Matthew.Snyder (Jun 25)
- RE: ssl-enum-ciphers not returning all ciphers Lemons, Terry (Jun 25)
- RE: ssl-enum-ciphers not returning all ciphers Lemons, Terry (Jun 25)
- Re: ssl-enum-ciphers not returning all ciphers Daniel Miller (Jun 25)
- RE: ssl-enum-ciphers not returning all ciphers Lemons, Terry (Jun 26)
- RE: ssl-enum-ciphers not returning all ciphers Lemons, Terry (Jun 25)
- RE: ssl-enum-ciphers not returning all ciphers Matthew.Snyder (Jun 25)