I'm looking to find computers on the network that are using older versions of TLS/SSL.

So far I've been using nmap's ssl-enum-ciphers and ssl-poodle scripts, but the output isn't helpful as it shows every cipher available, e.g.:

Nmap scan report for x.x.x.x
Host is up (0.017s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

I have seen nmap has the greppable output option "-oG" but I'm not sure it works in conjunction with scripts, or I'm not using it correctly.

I've been using a variation of the below command

nmap -sV --script ssl-enum-ciphers -p 443 {ip address/netmask}

Ideally I'd like the output to look like

IP Address/Hostname SSLv3 TLS1.0 TLS1.2

But even getting it into .csv format would be helpful. Is there a better way to do this? Maybe I'm lacking some grep knowledge here.

Thanks!

rambetherleu
  • Is this just me, or does "nmap -sV --script ssl--enum-ciphers -p 443 {ip address/netmask}" result in "NSE: failed to initialize the script engine: /usr/bin/../share/nmap/nse_main.lua:823: 'ssl--enum-ciphers' did not match a category, filename, or directory" – Gerard H. Pille Jun 08 '20 at 10:51
  • Yep, my bad. Double dash between ssl and enum when it should only have been a single dash. Edited now. Thanks! – rambetherleu Jun 08 '20 at 10:56
  • LOL, thought I had to download it, did so, and ended up with a version incompatible with my nmap. Reinstalled nmap. – Gerard H. Pille Jun 08 '20 at 11:41
  • You can try to run all the ssl tests nmap has, `nmap --script ssl* -p 443`, and then you see which other scripts are valuable for you – Ace Oct 29 '22 at 05:46

1 Answer

If you don't mind awk, I've concocted a checkciphers.sh script, as follows:

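#! /usr/bin/ksh
# Usage: checkciphers.sh {ip address/netmask}
# Needs gawk 4.0 or later: arrays of arrays (ciph[H][C]) are a gawk extension.
nmap -sV --script ssl-enum-ciphers -p 443 "$@" | gawk '
  # New host: remember its name and address
  /^Nmap scan report for /{
    currhost = $5 " " $6
  }
  # Ignore hosts where port 443 is not open
  /^443\/tcp /{
    if ($2 != "open") {
      currhost = ""
    }
  }
  # Protocol header, e.g. "|   TLSv1.0:"
  /^\|   (TLS|SSL)/{
    currciph = $2
  }
  # Start of the cipher list for the current protocol
  /^\|     ciphers:/{
    count = 1
    next
  }
  # Any other key at this level (compressors, warnings, ...) ends the list
  /^\|     [^ ]/{
    count = 0
  }
  # One cipher line: count it for the current host and protocol
  /^\|       [^ ]/{
    if (currhost != "" && count > 0) {
      host[currhost] = 1
      ciph[currhost][currciph] += 1
    }
  }
  # One line per host: each protocol followed by its number of ciphers
  END {
    for (H in host) {
      CC=""
      for (C in ciph[H]) {
        CC=CC " " C ciph[H][C]
      }
      print H,CC
    }
  }
'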
Gerard H. Pille
  • This is great, thanks a lot! I'm not overly familiar with awk but I can definitely figure it out, cheers :) – rambetherleu Jun 08 '20 at 14:02
  • Hi, I'm seeing the following errors with this : ``` source checkciphers.sh awk: line 23: syntax error at or near [ awk: line 29: syntax error at or near [ awk: line 34: syntax error at or near } ``` I've added a test ip with a /32 netmask to test it. – rambetherleu Jun 12 '20 at 10:40
  • Can you show the output of "nmap -sV --script ssl-enum-ciphers -p 443" that causes this? And what do you mean by "I've added a test ip with a /32 netmask to test it"? – Gerard H. Pille Jun 12 '20 at 11:21
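
A variant that produces the one-row-per-host table the question asks for, as an added example that is not part of the original answer: it uses only POSIX awk features, so it also runs under mawk, which rejects the `ciph[H][C]` syntax. The names `tls_matrix` and `sample_scan` are hypothetical, the sample input is constructed with documentation addresses, and treating SSLv3, TLSv1.0 and TLSv1.1 as the "legacy" set is an assumption.

```shell
tls_matrix() {   # hypothetical helper: nmap normal output on stdin, CSV on stdout
  awk '
    function emit(   i, line, legacy) {
      if (host == "" || !isopen) return
      line = host; legacy = "no"
      for (i = 1; i <= n; i++) {
        line = line "," ((proto[i] in seen) ? "yes" : "no")
        # Assumption: the first three columns are the versions flagged as legacy
        if (i <= 3 && (proto[i] in seen)) legacy = "yes"
      }
      print line "," legacy
    }
    BEGIN { n = split("SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3", proto, " ")
            print "host,SSLv3,TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3,legacy" }
    { sub(/^\|_/, "| ") }   # the last line of script output starts with "|_"
    /^Nmap scan report for / {
      emit(); host = $5; if (NF > 5) host = host " " $6
      isopen = 0; cur = ""; inciph = 0; split("", seen); next
    }
    /^[0-9]+\/tcp / { isopen = ($2 == "open"); next }
    /^\|   (SSLv|TLSv)[0-9.]+:/ { cur = $2; sub(/:$/, "", cur); inciph = 0; next }
    /^\|     [^ ]/ { inciph = ($2 == "ciphers:"); next }
    /^\|       [^ ]/ { if (inciph && cur != "") seen[cur] = 1 }
    END { emit() }
  '
}

sample_scan() {   # constructed input, not a real scan
  cat <<'EOF'
Nmap scan report for 192.0.2.10
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0:
|     ciphers:
|_      TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
Nmap scan report for 192.0.2.20
443/tcp closed https
Nmap scan report for web.example.test (192.0.2.30)
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|_      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
EOF
}
```

Against a real scan, pipe nmap's normal output into it: `nmap --script ssl-enum-ciphers -p 443 {ip address/netmask} | tls_matrix`. Hosts whose port is not open are left out, and lines under `warnings:` are not counted as ciphers.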