Nmap Development mailing list archives

Re: nmap does not list ciphers consistently


From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 20 Jan 2018 14:12:26 -0600

Anil,

Thanks for reporting this. The most useful output would be if you ran the
script with -d to enable debug output. Since we are not interested in the
output of the other scripts, and the "+" means that the script will run
regardless of detected service, do not use the -sV option when collecting
the debug output.

Example: nmap --script +ssl-enum-ciphers -p443 x.x.x.x

Dan

On Wed, Jan 17, 2018 at 4:07 AM, NAYAK, ANIL KUMAR <nayakani () gmail com>
wrote:

Dear Team,

1. nmap output does not list ciphers available in ALL expected ports
(not consistent)
2. nmap output does not list ciphers against a specific port consistently

Here the appliance/program runs on Linux 3.10.0-327 (RHEL 7.2).

I need help to explain why this is happening; my own script (openssl
s_client) confirms that TLS v1.2-exclusive ciphers are available at ports
443, 8443 (tomcat) and 5989 (cimom), but nmap fails to list them consistently.

Could this happen because nmap does not like a certain response from the
target, or is it possible that the target did not provide the list on a
few attempts (due to a firewall etc.)? How do I troubleshoot this?
Please see the test results below.

Many thanks for any help you may have to offer. My objective is to
show, in a consistent manner, the ciphers available at port 443.

Kind regards,
Anil.

Outputs: (replaced IP with x.x.x.x)
-----------

1.

a. Unsuccessful: (does not list ciphers for ANY port; subsequently we could
see the same command was successful on all expected ports)

ANILs-MacBook-Pro:.ssh anil$ nmap  -sV --script +ssl-enum-ciphers x.x.x.x

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-17 14:39 IST
Nmap scan report for x.x.x.x
Host is up (0.0037s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.6.1 (protocol 2.0)
443/tcp  open  ssl/http   Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
3260/tcp open  tcpwrapped
8080/tcp open  http       Apache Tomcat/Coyote JSP engine 1.1
8443/tcp open  ssl/http   Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.95 seconds

b. Successful: (but this result varies; ciphers get listed under
ports 443, 8443, 5989, but it varies too often)

ANILs-MacBook-Pro:.ssh anil$ nmap  -sV --script +ssl-enum-ciphers x.x.x.x

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-17 15:21 IST
Nmap scan report for x.x.x.x
Host is up (0.0025s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 6.6.1 (protocol 2.0)
443/tcp  open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp160k1) of lower strength than certificate key
|_  least strength: A
3260/tcp open  iscsi?
8443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp160k1) of lower strength than certificate key
|_  least strength: A

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 271.48 seconds

2.

a. Unsuccessful: It should ideally list the ciphers it could
find subsequently (in section b).

ANILs-MacBook-Pro:.ssh anil$ nmap  -sV --script +ssl-enum-ciphers x.x.x.x
-p 443

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-17 14:23 IST
Nmap scan report for x.x.x.x.x
Host is up (0.0024s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.03 seconds

b. Successful:

ANILs-MacBook-Pro:.ssh anil$ nmap  -sV --script +ssl-enum-ciphers
x.x.x.x. -p 443

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-17 14:26 IST
Nmap scan report for x.x.x.x
Host is up (0.0020s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp160k1) of lower strength than certificate key
|_  least strength: A

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.75 seconds
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

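A small helper, added here and not part of the thread, that parses the ssl-enum-ciphers section of nmap's normal output and compares repeated runs, so the intermittent drop-out Anil describes can be pinned to specific runs and ports before digging through the -d debug log. The two sample outputs are constructed; the scan() wrapper assumes nmap is on PATH and runs the exact command Dan suggests.

```python
"""Compare ssl-enum-ciphers results across repeated nmap runs of the same target."""
import re
import subprocess

# "443/tcp open  ssl/http ..." -> port number; script lines look like "|       TLS_..."
PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")


def parse_ciphers(nmap_output):
    """Map each open port to the set of cipher names ssl-enum-ciphers printed for it.
    A port with no script output maps to an empty set, which is the failure case here."""
    ciphers = {}
    port = None
    for line in nmap_output.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            ciphers[port] = set()
            continue
        m = CIPHER_RE.match(line)
        if m and port is not None:
            ciphers[port].add(m.group(1))
    return ciphers


def inconsistent_ports(runs):
    """Ports whose cipher set is not identical in every run (listed once, empty another time)."""
    parsed = [parse_ciphers(r) for r in runs]
    ports = set().union(*parsed)
    return sorted(p for p in ports
                  if len({frozenset(r.get(p, set())) for r in parsed}) > 1)


def scan(target, port, runs=3):
    """Run Dan's command (no -sV, '+' forces the script, -d for debug) several times."""
    cmd = ["nmap", "-d", "--script", "+ssl-enum-ciphers", "-p", str(port), target]
    return [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(runs)]


# Constructed samples modelled on the outputs in the thread: one run with ciphers, one without.
RUN_OK = """PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - A
|_  least strength: A
"""
RUN_EMPTY = """PORT    STATE SERVICE
443/tcp open  https
"""
```

Running `inconsistent_ports(scan("x.x.x.x", 443))` against a real target returns `[443]` when at least one run came back without a cipher list, which is the run whose debug output is worth sending to the list.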