Nmap Development mailing list archives
ssl-enum-ciphers.nse not showing TLS_ECDHE* ciphers
From: Guido van Rooij <guido () gvr org>
Date: Wed, 10 Mar 2021 12:15:15 +0100
With nmap 7.60, I scanned the host with IP address 3.132.36.206 with the below results:

nmap -sV --script ssl-enum-ciphers -p 443 3.132.36.206

Starting Nmap 7.60 ( https://nmap.org ) at 2021-03-10 11:06 UTC
Nmap scan report for ec2-3-132-36-206.us-east-2.compute.amazonaws.com (3.132.36.206)
Host is up (0.094s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.27 seconds

The same command with nmap 7.91 does not show the TLS_ECDHE* ciphers. Tested on both Ubuntu 18.04.5 and FreeBSD 12.1:

> nmap -sV --script ssl-enum-ciphers -p 443 3.132.36.206

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-10 12:08 CET
Nmap scan report for ec2-3-132-36-206.us-east-2.compute.amazonaws.com (3.132.36.206)
Host is up (0.096s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|_  least strength: C

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.60 seconds

Anyone know how to fix this?

Thanks,
Guido van Rooiji
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
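A way to catch this kind of discrepancy mechanically is to parse two ssl-enum-ciphers outputs and diff them per protocol. The following is an added example, not part of the original post or of Nmap; the function names are hypothetical and the two sample scans are constructed, abbreviated versions of the outputs above.

```python
import re

# Constructed, abbreviated samples in the ssl-enum-ciphers layout shown above.
OLD_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
"""
NEW_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       Forward Secrecy not supported by any cipher
"""

PROTO = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|[ _]+(TLS_[A-Z0-9_]+)(?: \(.*\))? - ([A-F])\s*$")
FS = re.compile(r"^TLS_(?:ECDHE|DHE)_")  # ephemeral key exchange suites

def parse(text):
    """Return {protocol: {cipher: grade}} from ssl-enum-ciphers output."""
    result, proto = {}, None
    for line in text.splitlines():
        if m := PROTO.match(line):
            proto = m.group(1)
            result[proto] = {}
        elif proto and (m := CIPHER.match(line)):
            result[proto][m.group(1)] = m.group(2)
    return result

def missing(old_text, new_text):
    """Per protocol, suites listed in old_text but absent from new_text."""
    old, new = parse(old_text), parse(new_text)
    diff = {p: sorted(set(s) - set(new.get(p, {}))) for p, s in old.items()}
    return {p: gone for p, gone in diff.items() if gone}

def lost_forward_secrecy(old_text, new_text):
    """Protocols that had an (EC)DHE suite in old_text and none in new_text."""
    old, new = parse(old_text), parse(new_text)
    return sorted(p for p, suites in old.items()
                  if any(FS.match(c) for c in suites)
                  and not any(FS.match(c) for c in new.get(p, {})))
```

A non-empty result from `lost_forward_secrecy` for the same host across scanner versions points at the scanner rather than the server, and is worth confirming with a second TLS client before reporting the host as lacking forward secrecy.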