Nmap Development mailing list archives
RE: ssl-enum-ciphers not returning all ciphers
From: "Lemons, Terry" <Terry.Lemons () dell com>
Date: Tue, 25 Jun 2019 19:27:43 +0000
Hi Matt
Thanks very much for the help!
Thanks for pointing out that I was wrong in identifying the two ciphers shown in nmap; that makes the results make more sense.
I ran the openssl command you suggested; stripping out some of the possibly-sensitive information, here is the output:
lava93141:/tmp # openssl s_client -connect 10.7.110.234:5671 -cipher DHE-RSA-AES256-GCM-SHA384
CONNECTED(00000003)
.
.
.
verify error:num=19:self signed certificate in certificate chain
139674829317776:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
139674829317776:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
.
.
.
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
subject=...
issuer=...
---
Acceptable client certificate CA names
.
.
.
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms:
ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms:
ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3122 bytes and written 330 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: xxxxxx
Session-ID-ctx:
Master-Key: xxxxxxx
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1561490298
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
#
Thoughts?
Thanks
tl
From: Matthew.Snyder () mt com <Matthew.Snyder () mt com>
Sent: Tuesday, June 25, 2019 3:14 PM
To: Lemons, Terry; dev () nmap org
Subject: RE: ssl-enum-ciphers not returning all ciphers
I actually see this pushing only the first two (RSA-only, non-ephemeral, non-Diffie-Hellman ---- follow highlights).
But that's not really the issue being questioned.
Can you confirm, is there a different result if you were to use "openssl s_client -connect 10.7.110.234:5671 -cipher DHE-RSA-AES256-GCM-SHA384"???
If by running an example that we are not seeing in NMAP, we get an incomplete handshake, it's likely that NMAP is accurate in its result.
Regards,
Matt
From: dev <dev-bounces () nmap org<mailto:dev-bounces () nmap org>> On Behalf Of Lemons, Terry
Sent: Tuesday, June 25, 2019 2:47 PM
To: dev () nmap org<mailto:dev () nmap org>
Subject: ssl-enum-ciphers not returning all ciphers
Hi
I'm using nmap 7.70 on a Linux system to probe a different Linux system that is using RabbitMQ/Erlang.
The cipher list, specified in the RabbitMQ-specific format, is:
ssl_options.ciphers.1 = AES128-GCM-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.ciphers.3 = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.4 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = DHE-RSA-AES256-SHA256
ssl_options.ciphers.6 = DHE-RSA-AES128-SHA256
ssl_options.ciphers.7 = DHE-RSA-AES256-SHA
ssl_options.ciphers.8 = DHE-RSA-AES128-SHA
ssl_options.ciphers.9 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.13 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.14 = ECDHE-RSA-AES128-SHA
When I run nmap (with -d option, below), it returns only the third and fourth cipher:
nmap -sV -p 5671 -d --script ssl-enum-ciphers 10.7.110.234
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-25 12:36 MDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
Initiating Ping Scan at 12:36
Scanning 10.7.110.234 [4 ports]
Packet capture filter (device eth0): dst host 10.7.93.141 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.7.110.234)))
We got a ping packet back from 10.7.110.234: id = 48554 seq = 0 checksum = 16981
Completed Ping Scan at 12:36, 0.00s elapsed (1 total hosts)
Overall sending rates: 1114.21 packets / s, 42339.83 bytes / s.
mass_rdns: Using DNS server 10.7.93.100
Initiating Parallel DNS resolution of 1 host. at 12:36
mass_rdns: 13.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 3]
Completed Parallel DNS resolution of 1 host. at 12:37, 13.00s elapsed
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 12:37
Scanning 10.7.110.234 [1 port]
Packet capture filter (device eth0): dst host 10.7.93.141 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.7.110.234)))
Discovered open port 5671/tcp on 10.7.110.234
Completed SYN Stealth Scan at 12:37, 0.00s elapsed (1 total ports)
Overall sending rates: 354.99 packets / s, 15619.45 bytes / s.
Initiating Service scan at 12:37
Scanning 1 service on 10.7.110.234
Got nsock CONNECT response with status ERROR - aborting this service
Completed Service scan at 12:37, 5.05s elapsed (1 service on 1 host)
NSE: Script scanning 10.7.110.234.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:37
NSE: Starting ssl-enum-ciphers against 10.7.110.234:5671.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.1.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol SSLv3.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.2.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] Trying protocol TLSv1.0.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: [ssl-enum-ciphers 10.7.110.234:5671] (TLSv1.2) Comparing TLS_RSA_WITH_AES_128_GCM_SHA256 to TLS_RSA_WITH_AES_256_GCM_SHA384
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
NSE: Finished ssl-enum-ciphers against 10.7.110.234:5671.
Completed NSE at 12:37, 0.07s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:37
NSE: Starting rpc-grind against 10.7.110.234:5671.
NSE: [rpc-grind 10.7.110.234:5671] isRPC didn't receive response.
NSE: [rpc-grind 10.7.110.234:5671] Target port 5671 is not a RPC port.
NSE: Finished rpc-grind against 10.7.110.234:5671.
Completed NSE at 12:37, 0.01s elapsed
Nmap scan report for 10.7.110.234
Host is up, received echo-reply ttl 62 (0.0013s latency).
Scanned at 2019-06-25 12:36:49 MDT for 18s
PORT     STATE SERVICE    REASON         VERSION
5671/tcp open  ssl/amqps? syn-ack ttl 62
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Final times for host: srtt: 1292 rttvar: 3833 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:37
Completed NSE at 12:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:37
Completed NSE at 12:37, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
#
Is this a known problem? Should I be running nmap with different options? I tried '-T1' but it didn't change the behavior.
Thanks!
tl
Terry Lemons
Data Protection Division
176 South Street, MS 2/B-34
Hopkinton MA 01748
terry.lemons () dell com<mailto:terry.lemons () dell com>
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
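To make the comparison Matt describes systematic, here is an added helper written for this thread (not nmap's or RabbitMQ's own code): it translates the OpenSSL-style names RabbitMQ accepts into the IANA TLS_* names that ssl-enum-ciphers prints, then lists the configured suites nmap did not report, which are exactly the ones worth re-testing with openssl s_client -cipher. The name mapping covers only the RSA, DHE-RSA and ECDHE-RSA AES suites that appear in the thread; the sample inputs are constructed from the config and nmap output quoted above.

```python
import re

# Constructed sample input: the rabbitmq.conf cipher list and the nmap output quoted in the thread.
RABBITMQ_CONF = """\
ssl_options.ciphers.1 = AES128-GCM-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.ciphers.3 = DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.4 = DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = DHE-RSA-AES256-SHA256
ssl_options.ciphers.6 = DHE-RSA-AES128-SHA256
ssl_options.ciphers.7 = DHE-RSA-AES256-SHA
ssl_options.ciphers.8 = DHE-RSA-AES128-SHA
ssl_options.ciphers.9 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.10 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.13 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.14 = ECDHE-RSA-AES128-SHA
"""
NMAP_OUTPUT = """\
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
"""

# OpenSSL names for these AES suites look like [DHE|ECDHE-RSA-]AES{bits}[-GCM]-{SHA|SHA256|SHA384};
# a name with no key-exchange prefix is a static-RSA suite, which IANA spells TLS_RSA_WITH_...
_OSSL = re.compile(r"^(?:(DHE|ECDHE)-RSA-)?AES(128|256)(-GCM)?-(SHA\d*)$")

def openssl_to_iana(name):
    """Translate one OpenSSL cipher name to the IANA TLS_* name nmap prints."""
    m = _OSSL.match(name)
    if not m:
        raise ValueError("unsupported cipher name: " + name)
    kx, bits, gcm, mac = m.groups()
    return "TLS_%s_WITH_AES_%s_%s_%s" % (kx + "_RSA" if kx else "RSA", bits, "GCM" if gcm else "CBC", mac)

def configured_ciphers(conf):
    """IANA names of the ssl_options.ciphers.N entries, duplicates dropped, config order kept."""
    names = re.findall(r"^ssl_options\.ciphers\.\d+\s*=\s*(\S+)", conf, re.M)
    return list(dict.fromkeys(openssl_to_iana(n) for n in names))

def observed_ciphers(nmap_out):
    """TLS_* names that ssl-enum-ciphers actually reported."""
    return set(re.findall(r"(TLS_[A-Z0-9_]+) \(", nmap_out))

def unverified(conf, nmap_out):
    """Configured suites nmap did not report; each is a candidate for an openssl s_client -cipher check."""
    seen = observed_ciphers(nmap_out)
    return [c for c in configured_ciphers(conf) if c not in seen]
```

Note that entry 11 in the config repeats entry 9, so the 14 configured lines are 13 distinct suites, and with nmap's two reported suites removed 11 remain to be checked by hand.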