Nmap Development mailing list archives

ssl-enum-ciphers not returning all ciphers


From: "Lemons, Terry" <Terry.Lemons () dell com>
Date: Tue, 25 Jun 2019 18:46:53 +0000

Hi

I'm using nmap 7.70 on a Linux system to probe a different Linux system that is using RabbitMQ/Erlang.

The cipher list, specified in the RabbitMQ-specific format, is:

ssl_options.ciphers.1 = AES128-GCM-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.ciphers.3 = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.4 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = DHE-RSA-AES256-SHA256
ssl_options.ciphers.6 = DHE-RSA-AES128-SHA256
ssl_options.ciphers.7 = DHE-RSA-AES256-SHA
ssl_options.ciphers.8 = DHE-RSA-AES128-SHA
ssl_options.ciphers.9 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.13 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.14 = ECDHE-RSA-AES128-SHA

When I run nmap (with -d option, below), it returns only the third and fourth cipher:

nmap -sV -p 5671 -d --script ssl-enum-ciphers 10.7.110.234
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-25 12:36 MDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
Initiating Ping Scan at 12:36
Scanning 10.7.110.234 [4 ports]
Packet capture filter (device eth0): dst host 10.7.93.141 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.7.110.234)))
We got a ping packet back from 10.7.110.234: id = 48554 seq = 0 checksum = 16981
Completed Ping Scan at 12:36, 0.00s elapsed (1 total hosts)
Overall sending rates: 1114.21 packets / s, 42339.83 bytes / s.
mass_rdns: Using DNS server 10.7.93.100
Initiating Parallel DNS resolution of 1 host. at 12:36
mass_rdns: 13.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 3]
Completed Parallel DNS resolution of 1 host. at 12:37, 13.00s elapsed
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 12:37
Scanning 10.7.110.234 [1 port]
Packet capture filter (device eth0): dst host 10.7.93.141 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.7.110.234)))
Discovered open port 5671/tcp on 10.7.110.234
Completed SYN Stealth Scan at 12:37, 0.00s elapsed (1 total ports)
Overall sending rates: 354.99 packets / s, 15619.45 bytes / s.
Initiating Service scan at 12:37
Scanning 1 service on 10.7.110.234
Got nsock CONNECT response with status ERROR - aborting this service
Completed Service scan at 12:37, 5.05s elapsed (1 service on 1 host)
NSE: Script scanning 10.7.110.234.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:37
NSE: Starting ssl-enum-ciphers against 10.7.110.234:5671.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.1.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol SSLv3.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.2.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.0.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] (TLSv1.2) Comparing TLS_RSA_WITH_AES_128_GCM_SHA256 to TLS_RSA_WITH_AES_256_GCM_SHA384
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
Completed NSE at 12:37, 0.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:37
NSE: Starting rpc-grind against 10.7.110.234:5671.
NSE: [rpc-grind 10.7.110.234:5671] isRPC didn't receive response.
NSE: [rpc-grind 10.7.110.234:5671] Target port 5671 is not a RPC port.
NSE: Finished rpc-grind against 10.7.110.234:5671.
Completed NSE at 12:37, 0.01s elapsed
Nmap scan report for 10.7.110.234
Host is up, received echo-reply ttl 62 (0.0013s latency).
Scanned at 2019-06-25 12:36:49 MDT for 18s

PORT     STATE SERVICE    REASON         VERSION
5671/tcp open  ssl/amqps? syn-ack ttl 62
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Final times for host: srtt: 1292 rttvar: 3833  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:37
Completed NSE at 12:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:37
Completed NSE at 12:37, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

Is this a known problem? Should I be running nmap with different options? I tried '-T1' but it didn't change the behavior.

Thanks!
tl


Terry Lemons

Data Protection Division

176 South Street, MS 2/B-34
Hopkinton MA 01748
terry.lemons () dell com<mailto:terry.lemons () dell com>

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
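One thing worth pinning down before chasing a scanner bug in a report like this is that the two sides use different naming schemes: RabbitMQ's ssl_options.ciphers take OpenSSL-style suite names, while ssl-enum-ciphers prints IANA names, so TLS_RSA_WITH_AES_128_GCM_SHA256 in the report is the same suite as AES128-GCM-SHA256 in the config. The Python below is an added example (not part of the post, of RabbitMQ, or of Nmap) that translates the posted config into IANA names, parses the posted ssl-enum-ciphers output, and lists which configured suites the scan confirmed, which it did not show, and which config entries are duplicates. The translator deliberately covers only the RSA-authenticated AES families present in this config (RSA, DHE-RSA and ECDHE-RSA key exchange with AES-128/256 in GCM or CBC mode) and raises on anything else rather than guessing. Both sample inputs are copied verbatim from the post above.

```python
import re
from collections import OrderedDict

# Sample inputs copied from the mailing-list post above.
RABBITMQ_CONF = """\
ssl_options.ciphers.1 = AES128-GCM-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.ciphers.3 = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.4 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = DHE-RSA-AES256-SHA256
ssl_options.ciphers.6 = DHE-RSA-AES128-SHA256
ssl_options.ciphers.7 = DHE-RSA-AES256-SHA
ssl_options.ciphers.8 = DHE-RSA-AES128-SHA
ssl_options.ciphers.9 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.13 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.14 = ECDHE-RSA-AES128-SHA
"""

NMAP_REPORT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
"""

CONF_LINE = re.compile(r"^ssl_options\.ciphers\.(\d+)\s*=\s*(\S+)$")
NMAP_PROTO = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
NMAP_CIPHER = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s")


def parse_rabbitmq_ciphers(text):
    """Return the configured OpenSSL-style suite names in ssl_options.ciphers.N order."""
    entries = []
    for line in text.splitlines():
        m = CONF_LINE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(entries)]


def openssl_to_iana(name):
    """Translate an OpenSSL suite name to its IANA name.

    Only the RSA-authenticated AES families used in the posted config are
    handled; any other name raises so a typo is never silently 'matched'.
    """
    parts = name.split("-")
    if len(parts) >= 3 and parts[0] in ("DHE", "ECDHE") and parts[1] == "RSA":
        kx, rest = parts[0] + "_RSA", parts[2:]
    else:
        kx, rest = "RSA", parts          # no prefix means plain RSA key exchange
    m = re.fullmatch(r"AES(128|256)", rest[0]) if rest else None
    if not m or len(rest) < 2:
        raise ValueError("unsupported cipher name: %s" % name)
    bits = m.group(1)
    if rest[1] == "GCM" and len(rest) == 3:
        mode, mac = "GCM", rest[2]       # AEAD suite: AES128-GCM-SHA256
    elif len(rest) == 2:
        mode, mac = "CBC", rest[1]       # CBC suite: OpenSSL omits 'CBC', IANA does not
    else:
        raise ValueError("unsupported cipher name: %s" % name)
    if mac not in ("SHA", "SHA256", "SHA384"):
        raise ValueError("unsupported MAC in cipher name: %s" % name)
    return "TLS_%s_WITH_AES_%s_%s_%s" % (kx, bits, mode, mac)


def parse_nmap_ciphers(text):
    """Return {protocol: [IANA suite names]} from ssl-enum-ciphers output."""
    result = OrderedDict()
    proto = None
    for line in text.splitlines():
        pm = NMAP_PROTO.match(line)
        if pm:
            proto = pm.group(1)
            result.setdefault(proto, [])
            continue
        cm = NMAP_CIPHER.match(line)
        if cm and proto is not None:
            result[proto].append(cm.group(1))
    return result


def compare(conf_text, nmap_text):
    """Diff the configured suite list against what the scan reported."""
    configured = parse_rabbitmq_ciphers(conf_text)
    expected = OrderedDict()             # IANA name -> OpenSSL name, config order kept
    duplicates = []
    for name in configured:
        iana = openssl_to_iana(name)
        if iana in expected:
            duplicates.append(name)      # same suite listed twice in the config
        else:
            expected[iana] = name
    offered = parse_nmap_ciphers(nmap_text)
    seen = {c for suites in offered.values() for c in suites}
    return {
        "configured": configured,
        "duplicates": duplicates,
        "offered": offered,
        "confirmed": [n for iana, n in expected.items() if iana in seen],
        "missing": [n for iana, n in expected.items() if iana not in seen],
        "unexpected": sorted(seen - set(expected)),
    }


if __name__ == "__main__":
    r = compare(RABBITMQ_CONF, NMAP_REPORT)
    for key in ("confirmed", "missing", "duplicates", "unexpected"):
        print("%-10s %s" % (key + ":", ", ".join(r[key]) or "(none)"))
```

Running it against the posted data shows the scan confirmed AES128-GCM-SHA256 and AES256-GCM-SHA384 (config entries 1 and 2), reported nothing outside the configured list, and left the other eleven distinct suites unconfirmed; it also flags that ECDHE-RSA-AES128-GCM-SHA256 appears twice in the config (entries 9 and 11). Feeding the "missing" list back into a manual check, for example one openssl s_client -cipher connection per suite, is the quickest way to separate a scanner-side gap from a server that really only negotiates two suites.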
