summaryrefslogtreecommitdiffstats
path: root/scripts/ssl-enum-ciphers.nse
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--scripts/ssl-enum-ciphers.nse1141
1 files changed, 1141 insertions, 0 deletions
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
new file mode 100644
index 0000000..881b6bd
--- /dev/null
+++ b/scripts/ssl-enum-ciphers.nse
@@ -0,0 +1,1141 @@
+local coroutine = require "coroutine"
+local math = require "math"
+local nmap = require "nmap"
+local outlib = require "outlib"
+local shortport = require "shortport"
+local sslcert = require "sslcert"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+local tls = require "tls"
+
+description = [[
+This script repeatedly initiates SSLv3/TLS connections, each time trying a new
+cipher or compressor while recording whether a host accepts or rejects it. The
+end result is a list of all the ciphersuites and compressors that a server accepts.
+
+Each ciphersuite is shown with a letter grade (A through F) indicating the
+strength of the connection. The grade is based on the cryptographic strength of
+the key exchange and of the stream cipher. The message integrity (hash)
+algorithm choice is not a factor. The output line beginning with
+<code>Least strength</code> shows the strength of the weakest cipher offered.
+The scoring is based on the Qualys SSL Labs SSL Server Rating Guide, but does
+not take protocol support (TLS version) into account, which makes up 30% of the
+SSL Labs rating.
+
+SSLv3/TLSv1 requires more effort to determine which ciphers and compression
+methods a server supports than SSLv2. A client lists the ciphers and compressors
+that it is capable of supporting, and the server will respond with a single
+cipher and compressor chosen, or a rejection notice.
+
+Some servers use the client's ciphersuite ordering: they choose the first of
+the client's offered suites that they also support. Other servers prefer their
+own ordering: they choose their most preferred suite from among those the
+client offers. In the case of server ordering, the script makes extra probes to
+discover the server's sorted preference list. Otherwise, the list is sorted
+alphabetically.
+
+The script will warn about certain SSL misconfigurations such as MD5-signed
+certificates, low-quality ephemeral DH parameters, and the POODLE
+vulnerability.
+
+This script is intrusive since it must initiate many connections to a server,
+and therefore is quite noisy.
+
+It is recommended to use this script in conjunction with version detection
+(<code>-sV</code>) in order to discover SSL/TLS services running on unexpected
+ports. For the most common SSL ports like 443, 25 (with STARTTLS), 3389, etc.
+the script is smart enough to run on its own.
+
+References:
+* Qualys SSL Labs Rating Guide - https://www.ssllabs.com/projects/rating-guide/
+]]
+
+---
+-- @usage
+-- nmap -sV --script ssl-enum-ciphers -p 443 <host>
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 443/tcp open https syn-ack
+-- | ssl-enum-ciphers:
+-- | TLSv1.0:
+-- | ciphers:
+-- | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+-- | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+-- | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+-- | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+-- | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
+-- | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+-- | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
+-- | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
+-- | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
+-- | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
+-- | TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
+-- | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
+-- | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
+-- | compressors:
+-- | NULL
+-- | cipher preference: server
+-- | warnings:
+-- | 64-bit block cipher 3DES vulnerable to SWEET32 attack
+-- | Broken cipher RC4 is deprecated by RFC 7465
+-- | Ciphersuite uses MD5 for message integrity
+-- | Weak certificate signature: SHA1
+-- | TLSv1.2:
+-- | ciphers:
+-- | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
+-- | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
+-- | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+-- | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+-- | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
+-- | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
+-- | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+-- | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+-- | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
+-- | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
+-- | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
+-- | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+-- | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
+-- | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
+-- | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
+-- | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
+-- | TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
+-- | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
+-- | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
+-- | compressors:
+-- | NULL
+-- | cipher preference: server
+-- | warnings:
+-- | 64-bit block cipher 3DES vulnerable to SWEET32 attack
+-- | Broken cipher RC4 is deprecated by RFC 7465
+-- | Ciphersuite uses MD5 for message integrity
+-- |_ least strength: C
+--
+-- @xmloutput
+-- <table key="TLSv1.0">
+-- <table key="ciphers">
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_AES_256_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_RC4_128_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_RC4_128_MD5</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- </table>
+-- <table key="compressors">
+-- <elem>NULL</elem>
+-- </table>
+-- <elem key="cipher preference">server</elem>
+-- <table key="warnings">
+-- <elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem>
+-- <elem>Broken cipher RC4 is deprecated by RFC 7465</elem>
+-- <elem>Ciphersuite uses MD5 for message integrity</elem>
+-- <elem>Weak certificate signature: SHA1</elem>
+-- </table>
+-- </table>
+-- <table key="TLSv1.2">
+-- <table key="ciphers">
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">
+-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">
+-- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_AES_128_GCM_SHA256</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_AES_256_GCM_SHA384</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_AES_256_CBC_SHA</elem>
+-- <elem key="strength">A</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">secp256r1</elem>
+-- <elem key="name">TLS_ECDHE_RSA_WITH_RC4_128_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- <table>
+-- <elem key="kex_info">rsa 2048</elem>
+-- <elem key="name">TLS_RSA_WITH_RC4_128_MD5</elem>
+-- <elem key="strength">C</elem>
+-- </table>
+-- </table>
+-- <table key="compressors">
+-- <elem>NULL</elem>
+-- </table>
+-- <elem key="cipher preference">server</elem>
+-- <table key="warnings">
+-- <elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem>
+-- <elem>Broken cipher RC4 is deprecated by RFC 7465</elem>
+-- <elem>Ciphersuite uses MD5 for message integrity</elem>
+-- </table>
+-- </table>
+-- <elem key="least strength">C</elem>
+
+author = {"Mak Kolybabi <mak@kolybabi.com>", "Gabriel Lawrence"}
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"discovery", "intrusive"}
+dependencies = {"https-redirect"}
+
+-- Test at most this many ciphersuites at a time.
+-- http://seclists.org/nmap-dev/2012/q3/156
+-- http://seclists.org/nmap-dev/2010/q1/859
+local CHUNK_SIZE = 64
+local have_ssl, openssl = pcall(require,'openssl')
+
+-- Add additional context (protocol) to debug output
+local function ctx_log(level, protocol, fmt, ...)
+ return stdnse.debug(level, "(%s) " .. fmt, protocol, ...)
+end
+
+-- returns a function that yields a new tls record each time it is called
+local function get_record_iter(sock)
+ local buffer = ""
+ local i = 1
+ local fragment
+ return function ()
+ local record
+ i, record = tls.record_read(buffer, i, fragment)
+ if record == nil then
+ local status, err
+ status, buffer, err = tls.record_buffer(sock, buffer, i)
+ if not status then
+ return nil, err
+ end
+ i, record = tls.record_read(buffer, i, fragment)
+ if record == nil then
+ return nil, "done"
+ end
+ end
+ fragment = record.fragment
+ return record
+ end
+end
+
+local function try_params(host, port, t)
+
+ -- Use Nmap's own discovered timeout plus 5 seconds for host processing
+ -- Default to 10 seconds total.
+ local timeout = ((host.times and host.times.timeout) or 5) * 1000 + 5000
+
+ -- Create socket.
+ local status, sock, err
+ local specialized = sslcert.getPrepareTLSWithoutReconnect(port)
+ if specialized then
+ status, sock = specialized(host, port)
+ if not status then
+ ctx_log(1, t.protocol, "Can't connect: %s", sock)
+ return nil
+ end
+ else
+ sock = nmap.new_socket()
+ sock:set_timeout(timeout)
+ status, err = sock:connect(host, port)
+ if not status then
+ ctx_log(1, t.protocol, "Can't connect: %s", err)
+ sock:close()
+ return nil
+ end
+ end
+
+ sock:set_timeout(timeout)
+
+ -- Send request.
+ local req = tls.client_hello(t)
+ status, err = sock:send(req)
+ if not status then
+ ctx_log(1, t.protocol, "Can't send: %s", err)
+ sock:close()
+ return nil
+ end
+
+ -- Read response.
+ local get_next_record = get_record_iter(sock)
+ local records = {}
+ while true do
+ local record
+ record, err = get_next_record()
+ if not record then
+ ctx_log(1, t.protocol, "Couldn't read a TLS record: %s", err)
+ sock:close()
+ return records
+ end
+ -- Collect message bodies into one record per type
+ records[record.type] = records[record.type] or record
+ local done = false
+ for j = 1, #record.body do -- no ipairs because we append below
+ local b = record.body[j]
+ done = ((record.type == "alert" and b.level == "fatal") or
+ (record.type == "handshake" and (b.type == "server_hello_done" or
+ -- TLSv1.3 does not have server_hello_done
+ (t.protocol == "TLSv1.3" and b.type == "server_hello")))
+ )
+ table.insert(records[record.type].body, b)
+ end
+ if done then
+ sock:close()
+ return records
+ end
+ end
+end
+
+local function sorted_keys(t)
+ local ret = {}
+ for k, _ in pairs(t) do
+ ret[#ret+1] = k
+ end
+ table.sort(ret)
+ return ret
+end
+
+local function in_chunks(t, size)
+ size = math.floor(size)
+ if size < 1 then size = 1 end
+ local ret = {}
+ for i = 1, #t, size do
+ local chunk = {}
+ for j = i, i + size - 1 do
+ chunk[#chunk+1] = t[j]
+ end
+ ret[#ret+1] = chunk
+ end
+ return ret
+end
+
+local function remove(t, e)
+ for i, v in ipairs(t) do
+ if v == e then
+ table.remove(t, i)
+ return i
+ end
+ end
+ return nil
+end
+
+local function slice(t, i, j)
+ local output = {}
+ while i <= j do
+ output[#output+1] = t[i]
+ i = i + 1
+ end
+ return output
+end
+
+local function merge(a, b, cmp)
+ local output = {}
+ local i = 1
+ local j = 1
+ while i <= #a and j <= #b do
+ local winner, err = cmp(a[i], b[j])
+ if not winner then
+ return nil, err
+ end
+ if winner == a[i] then
+ output[#output+1] = a[i]
+ i = i + 1
+ else
+ output[#output+1] = b[j]
+ j = j + 1
+ end
+ end
+ while i <= #a do
+ output[#output+1] = a[i]
+ i = i + 1
+ end
+ while j <= #b do
+ output[#output+1] = b[j]
+ j = j + 1
+ end
+ return output
+end
+
+local function merge_recursive(chunks, cmp)
+ if #chunks == 0 then
+ return {}
+ elseif #chunks == 1 then
+ return chunks[1]
+ else
+ local m = math.floor(#chunks / 2)
+ local a, b = slice(chunks, 1, m), slice(chunks, m+1, #chunks)
+ local am, err = merge_recursive(a, cmp)
+ if not am then
+ return nil, err
+ end
+ local bm, err = merge_recursive(b, cmp)
+ if not bm then
+ return nil, err
+ end
+ return merge(am, bm, cmp)
+ end
+end
+
+-- https://bugzilla.mozilla.org/show_bug.cgi?id=946147
+local function remove_high_byte_ciphers(t)
+ local output = {}
+ for i, v in ipairs(t) do
+ if tls.CIPHERS[v] <= 255 then
+ output[#output+1] = v
+ end
+ end
+ return output
+end
+
+-- Get TLS extensions
+local function base_extensions(host)
+ local tlsname = tls.servername(host)
+ return {
+ -- Claim to support common elliptic curves
+ -- TODO: Determine desire to comply with RFC 4492, section 4:
+ -- "The client MUST NOT include these extensions in the ClientHello
+ -- message if it does not propose any ECC cipher suites."
+ -- OTOH, OpenSSL 1.1.1 sends them always so it is probably safe.
+ ["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](tls.DEFAULT_ELLIPTIC_CURVES),
+ -- Some servers require Supported Point Formats Extension
+ ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
+ -- Enable SNI if a server name is available
+ ["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
+ }
+end
+
+-- Get a message body from a record which has the specified property set to value
+local function get_body(record, property, value)
+ for i, b in ipairs(record.body) do
+ if b[property] == value then
+ return b
+ end
+ end
+ return nil
+end
+
+-- Score a ciphersuite implementation (including key exchange info)
+local function score_cipher (kex_strength, cipher_info)
+ local kex_score, cipher_score
+ if not kex_strength or not cipher_info.size then
+ return "unknown"
+ end
+ if kex_strength <= 0 then
+ return 0
+ elseif kex_strength < 512 then
+ kex_score = 0.2
+ elseif kex_strength < 1024 then
+ kex_score = 0.4
+ elseif kex_strength < 2048 then
+ kex_score = 0.8
+ elseif kex_strength < 4096 then
+ kex_score = 0.9
+ else
+ kex_score = 1.0
+ end
+
+ if cipher_info.size <= 0 then
+ return 0
+ elseif cipher_info.size < 128 then
+ cipher_score = 0.2
+ elseif cipher_info.size < 256 then
+ cipher_score = 0.8
+ else
+ cipher_score = 1.0
+ end
+
+ -- Based on SSL Labs' 30-30-40 rating without the first 30% (protocol support)
+ return 0.43 * kex_score + 0.57 * cipher_score
+end
+
+local function letter_grade (score)
+ if not tonumber(score) then return "unknown" end
+ if score >= 0.80 then
+ return "A"
+ elseif score >= 0.65 then
+ return "B"
+ elseif score >= 0.50 then
+ return "C"
+ elseif score >= 0.35 then
+ return "D"
+ elseif score >= 0.20 then
+ return "E"
+ else
+ return "F"
+ end
+end
+
+local tls13proto = tls.PROTOCOLS["TLSv1.3"]
+local tls13supported = tls.EXTENSION_HELPERS.supported_versions({"TLSv1.3"})
+local function get_hello_table(host, protocol)
+ local t = {
+ protocol = protocol,
+ record_protocol = protocol, -- improve chances of immediate rejection
+ extensions = base_extensions(host),
+ }
+
+ -- supported_versions extension required for TLSv1.3
+ if (tls.PROTOCOLS[protocol] >= tls13proto) then
+ t.extensions.supported_versions = tls13supported
+ end
+
+ return t
+end
+
+-- Find which ciphers out of group are supported by the server.
+local function find_ciphers_group(host, port, protocol, group, scores)
+ local results = {}
+ local t = get_hello_table(host, protocol)
+
+ -- This is a hacky sort of tristate variable. There are three conditions:
+ -- 1. false = either ciphers or protocol is bad. Keep trying with new ciphers
+ -- 2. nil = The protocol is bad. Abandon thread.
+ -- 3. true = Protocol works, at least some cipher must be supported.
+ local protocol_worked = false
+ while (next(group)) do
+ t["ciphers"] = group
+
+ local records = try_params(host, port, t)
+ if not records then
+ return nil
+ end
+ local handshake = records.handshake
+
+ if handshake == nil then
+ local alert = records.alert
+ if alert then
+ ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
+ if not tls.record_version_ok(alert["protocol"], protocol) then
+ ctx_log(1, protocol, "Protocol mismatch (received %s)", alert.protocol)
+ -- Sometimes this is not an actual rejection of the protocol. Check specifically:
+ if get_body(alert, "description", "protocol_version") then
+ protocol_worked = nil
+ end
+ break
+ elseif get_body(alert, "description", "handshake_failure")
+ or get_body(alert, "description", "insufficient_security") then
+ protocol_worked = true
+ ctx_log(2, protocol, "%d ciphers rejected.", #group)
+ break
+ end
+ elseif protocol_worked then
+ ctx_log(2, protocol, "%d ciphers rejected. (No handshake)", #group)
+ else
+ ctx_log(1, protocol, "%d ciphers and/or protocol rejected. (No handshake)", #group)
+ end
+ break
+ else
+ local server_hello = get_body(handshake, "type", "server_hello")
+ if not server_hello then
+ ctx_log(2, protocol, "Unexpected record received.")
+ break
+ end
+ if server_hello.protocol ~= protocol then
+ ctx_log(1, protocol, "Protocol rejected. cipher: %s", server_hello.cipher)
+ -- Some implementations will do this if a cipher is supported in some
+ -- other protocol version but not this one. Gotta keep trying.
+ if not remove(group, server_hello.cipher) then
+ -- But if we didn't even offer this cipher, then give up. Crazy!
+ protocol_worked = protocol_worked or nil
+ end
+ break
+ else
+ protocol_worked = true
+ local name = server_hello.cipher
+ ctx_log(2, protocol, "Cipher %s chosen.", name)
+ if not remove(group, name) then
+ ctx_log(1, protocol, "chose cipher %s that was not offered.", name)
+ ctx_log(1, protocol, "removing high-byte ciphers and trying again.")
+ local size_before = #group
+ group = remove_high_byte_ciphers(group)
+ ctx_log(1, protocol, "removed %d high-byte ciphers.", size_before - #group)
+ if #group == size_before then
+ -- No changes... Server just doesn't like our offered ciphers.
+ break
+ end
+ else
+ -- Add cipher to the list of accepted ciphers.
+ table.insert(results, name)
+ if scores then
+ local info = tls.cipher_info(name)
+ -- Some warnings:
+ if info.hash and info.hash == "MD5" then
+ scores.warnings["Ciphersuite uses MD5 for message integrity"] = true
+ end
+ if info.mode and info.mode == "CBC" and info.block_size <= 64 then
+ scores.warnings[("64-bit block cipher %s vulnerable to SWEET32 attack"):format(info.cipher)] = true
+ end
+ if protocol == "SSLv3" and info.mode and info.mode == "CBC" then
+ scores.warnings["CBC-mode cipher in SSLv3 (CVE-2014-3566)"] = true
+ elseif info.cipher == "RC4" then
+ scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true
+ end
+ if protocol == "TLSv1.3" and not info.tls13ok then
+ scores.warnings["Non-TLSv1.3 ciphersuite chosen for TLSv1.3"] = true
+ end
+ local kex = tls.KEX_ALGORITHMS[info.kex]
+ scores.any_pfs_ciphers = kex.pfs or scores.any_pfs_ciphers
+ local extra, kex_strength
+ if kex.export then
+ scores.warnings["Export key exchange"] = true
+ if info.kex:find("1024$") then
+ kex_strength = 1024
+ else
+ kex_strength = 512
+ end
+ end
+ if kex.anon then
+ scores.warnings["Anonymous key exchange, score capped at F"] = true
+ kex_strength = 0
+ elseif have_ssl and kex.pubkey then
+ local certs = get_body(handshake, "type", "certificate")
+ -- Assume RFC compliance:
+ -- "The sender's certificate MUST come first in the list."
+ -- This may not always be the case, so
+ -- TODO: reorder certificates and validate entire chain
+ -- TODO: certificate validation (date, self-signed, etc)
+ local c, err
+ if certs == nil then
+ err = "no certificate message"
+ else
+ c, err = sslcert.parse_ssl_certificate(certs.certificates[1])
+ end
+ if not c then
+ ctx_log(1, protocol, "Failed to parse certificate: %s", err)
+ elseif c.pubkey.type == kex.pubkey then
+ local sigalg = c.sig_algorithm:match("([mM][dD][245])") or c.sig_algorithm:match("([sS][hH][aA]1)")
+ if sigalg then
+ kex_strength = 0
+ scores.warnings[("Insecure certificate signature (%s), score capped at F"):format(string.upper(sigalg))] = true
+ end
+ local rsa_bits = tls.rsa_equiv(kex.pubkey, c.pubkey.bits)
+ kex_strength = math.min(kex_strength or rsa_bits, rsa_bits)
+ if c.pubkey.exponent then
+ if openssl.bignum_bn2dec(c.pubkey.exponent) == "1" then
+ kex_strength = 0
+ scores.warnings["Certificate RSA exponent is 1, score capped at F"] = true
+ end
+ end
+ if c.pubkey.ecdhparams then
+ if c.pubkey.ecdhparams.curve_params.ec_curve_type == "namedcurve" then
+ extra = c.pubkey.ecdhparams.curve_params.curve
+ else
+ extra = string.format("%s %d", c.pubkey.ecdhparams.curve_params.ec_curve_type, c.pubkey.bits)
+ end
+ else
+ extra = string.format("%s %d", kex.pubkey, c.pubkey.bits)
+ end
+ end
+ end
+ local ske
+ if protocol == "TLSv1.3" then
+ ske = server_hello.extensions.key_share
+ elseif kex.server_key_exchange then
+ ske = get_body(handshake, "type", "server_key_exchange")
+ if ske then
+ ske = ske.data
+ end
+ end
+ if ske then
+ local kex_info = kex.server_key_exchange(ske, protocol)
+ if kex_info.strength then
+ local kex_type = kex_info.type or kex.type
+ if kex_info.ecdhparams then
+ if kex_info.ecdhparams.curve_params.ec_curve_type == "namedcurve" then
+ extra = kex_info.ecdhparams.curve_params.curve
+ else
+ extra = string.format("%s %d", kex_info.ecdhparams.curve_params.ec_curve_type, kex_info.strength)
+ end
+ else
+ extra = string.format("%s %d", kex_type, kex_info.strength)
+ end
+ local rsa_bits = tls.rsa_equiv(kex_type, kex_info.strength)
+ if kex_strength and kex_strength > rsa_bits then
+ kex_strength = rsa_bits
+ scores.warnings[(
+ "Key exchange (%s) of lower strength than certificate key"
+ ):format(extra)] = true
+ end
+ kex_strength = math.min(kex_strength or rsa_bits, rsa_bits)
+ end
+ if kex_info.rsa and kex_info.rsa.exponent == 1 then
+ kex_strength = 0
+ scores.warnings["Certificate RSA exponent is 1, score capped at F"] = true
+ end
+ end
+ scores[name] = {
+ cipher_strength=info.size,
+ kex_strength = kex_strength,
+ extra = extra,
+ letter_grade = letter_grade(score_cipher(kex_strength, info))
+ }
+ end
+ end
+ end
+ end
+ end
+ return results, protocol_worked
+end
+
+local function get_chunk_size(host, protocol)
+ -- Try to make sure we don't send too big of a handshake
+ -- https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
+ local len_t = get_hello_table(host, protocol)
+ len_t.ciphers = {}
+ local cipher_len_remaining = 255 - #tls.client_hello(len_t)
+ -- if we're over 255 anyway, just go for it.
+ -- Each cipher adds 2 bytes
+ local max_chunks = cipher_len_remaining > 1 and cipher_len_remaining // 2 or CHUNK_SIZE
+ -- otherwise, use the min
+ return max_chunks < CHUNK_SIZE and max_chunks or CHUNK_SIZE
+end
+
+-- Break the cipher list into chunks of CHUNK_SIZE (for servers that can't
+-- handle many client ciphers at once), and then call find_ciphers_group on
+-- each chunk.
+local function find_ciphers(host, port, protocol)
+
+ local candidates = {}
+ -- TLSv1.3 ciphers are different, though some are shared (ECCPWD)
+ local tls13 = protocol == "TLSv1.3"
+ for _, c in ipairs(sorted_keys(tls.CIPHERS)) do
+ local info = tls.cipher_info(c)
+ if (not tls13 and not info.tls13only)
+ or (tls13 and info.tls13ok) then
+ candidates[#candidates+1] = c
+ end
+ end
+ local ciphers = in_chunks(candidates, get_chunk_size(host, protocol))
+
+ local results = {}
+ local scores = {warnings={}}
+ -- Try every cipher.
+ for _, group in ipairs(ciphers) do
+ local chunk, protocol_worked = find_ciphers_group(host, port, protocol, group, scores)
+ if protocol_worked == nil then return nil end
+ for _, name in ipairs(chunk) do
+ table.insert(results, name)
+ end
+ end
+ if not next(results) then return nil end
+ scores.warnings["Forward Secrecy not supported by any cipher"] = (not scores.any_pfs_ciphers) or nil
+ scores.any_pfs_ciphers = nil
+
+ return results, scores
+end
+
+local function find_compressors(host, port, protocol, good_ciphers)
+ local compressors = sorted_keys(tls.COMPRESSORS)
+ local t = get_hello_table(host, protocol)
+ t.ciphers = good_ciphers
+
+ local results = {}
+
+ -- Try every compressor.
+ local protocol_worked = false
+ while (next(compressors)) do
+ -- Create structure.
+ t["compressors"] = compressors
+
+ -- Try connecting with compressor.
+ local records = try_params(host, port, t)
+ local handshake = records.handshake
+
+ if handshake == nil then
+ local alert = records.alert
+ if alert then
+ ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
+ if not tls.record_version_ok(alert["protocol"], protocol) then
+ ctx_log(1, protocol, "Protocol rejected.")
+ protocol_worked = nil
+ break
+ elseif get_body(alert, "description", "handshake_failure") then
+ protocol_worked = true
+ ctx_log(2, protocol, "%d compressors rejected.", #compressors)
+ -- Should never get here, because NULL should be good enough.
+ -- The server may just not be able to handle multiple compressors.
+ if #compressors > 1 then -- Make extra-sure it's not crazily rejecting the NULL compressor
+ compressors[1] = "NULL"
+ for i = 2, #compressors, 1 do
+ compressors[i] = nil
+ end
+ -- try again.
+ else
+ break
+ end
+ end
+ elseif protocol_worked then
+ ctx_log(2, protocol, "%d compressors rejected. (No handshake)", #compressors)
+ else
+ ctx_log(1, protocol, "%d compressors and/or protocol rejected. (No handshake)", #compressors)
+ end
+ break
+ else
+ local server_hello = get_body(handshake, "type", "server_hello")
+ if not server_hello then
+ ctx_log(2, protocol, "Unexpected record received.")
+ break
+ end
+ if server_hello.protocol ~= protocol then
+ ctx_log(1, protocol, "Protocol rejected.")
+ protocol_worked = (protocol_worked == nil) and nil or false
+ break
+ else
+ protocol_worked = true
+ local name = server_hello.compressor
+ ctx_log(2, protocol, "Compressor %s chosen.", name)
+ remove(compressors, name)
+
+ -- Add compressor to the list of accepted compressors.
+ table.insert(results, name)
+ if name == "NULL" then
+ break -- NULL is always last choice, and must be included
+ end
+ end
+ end
+ end
+
+ return results
+end
+
+-- Offer two ciphers and return the one chosen by the server. Returns nil and
+-- an error message in case of a server error.
+local function compare_ciphers(host, port, protocol, cipher_a, cipher_b)
+ local t = get_hello_table(host, protocol)
+ t.ciphers = {cipher_a, cipher_b}
+ local records = try_params(host, port, t)
+ local server_hello = records.handshake and get_body(records.handshake, "type", "server_hello")
+ if server_hello then
+ ctx_log(2, protocol, "compare %s %s -> %s", cipher_a, cipher_b, server_hello.cipher)
+ return server_hello.cipher
+ else
+ ctx_log(2, protocol, "compare %s %s -> error", cipher_a, cipher_b)
+ return nil, string.format("Error when comparing %s and %s", cipher_a, cipher_b)
+ end
+end
+
+-- Try to find whether the server prefers its own ciphersuite order or that of
+-- the client.
+--
+-- The return value is (preference, err). preference is a string:
+-- "server": the server prefers its own order. In this case ciphers is non-nil.
+-- "client": the server follows the client preference. ciphers is nil.
+-- "indeterminate": returned when there are only 0 or 1 ciphers. ciphers is nil.
+-- nil: an error occurred during the test. err is non-nil.
+-- err is an error message string that is non-nil when preference is nil or
+-- indeterminate.
+--
+-- The algorithm tries offering two ciphersuites in two different orders. If
+-- the server makes a different choice each time, "client" preference is
+-- assumed. Otherwise, "server" preference is assumed.
+local function find_cipher_preference(host, port, protocol, ciphers)
+ -- Too few ciphers to make a decision?
+ if #ciphers < 2 then
+ return "indeterminate", "Too few ciphers supported"
+ end
+
+ -- Do a comparison in both directions to see if server ordering is consistent.
+ local cipher_a, cipher_b = ciphers[1], ciphers[2]
+ ctx_log(1, protocol, "Comparing %s to %s", cipher_a, cipher_b)
+ local winner_forwards, err = compare_ciphers(host, port, protocol, cipher_a, cipher_b)
+ if not winner_forwards then
+ return nil, err
+ end
+ local winner_backward, err = compare_ciphers(host, port, protocol, cipher_b, cipher_a)
+ if not winner_backward then
+ return nil, err
+ end
+ if winner_forwards ~= winner_backward then
+ return "client", nil
+ end
+ return "server", nil
+end
+
+-- Sort ciphers according to server preference with a modified merge sort
+local function sort_ciphers(host, port, protocol, ciphers)
+ local chunks = {}
+ for _, group in ipairs(in_chunks(ciphers, get_chunk_size(host, protocol))) do
+ local size = #group
+ local chunk = find_ciphers_group(host, port, protocol, group)
+ if not chunk then
+ return nil, "Network error"
+ end
+ if #chunk ~= size then
+ ctx_log(1, protocol, "warning: %d ciphers offered but only %d accepted", size, #chunk)
+ end
+ table.insert(chunks, chunk)
+ end
+
+ -- The comparison operator for the merge is a 2-cipher ClientHello.
+ local function cmp(cipher_a, cipher_b)
+ return compare_ciphers(host, port, protocol, cipher_a, cipher_b)
+ end
+ local sorted, err = merge_recursive(chunks, cmp)
+ if not sorted then
+ return nil, err
+ end
+ return sorted
+end
+
+local function try_protocol(host, port, protocol, upresults)
+ local condvar = nmap.condvar(upresults)
+
+ local results = stdnse.output_table()
+
+ -- Find all valid ciphers.
+ local ciphers, scores = find_ciphers(host, port, protocol)
+ if ciphers == nil then
+ condvar "signal"
+ return nil
+ end
+
+ if #ciphers == 0 then
+ results = {ciphers={},compressors={}}
+ setmetatable(results,{
+ __tostring=function(t) return "No supported ciphers found" end
+ })
+ upresults[protocol] = results
+ condvar "signal"
+ return nil
+ end
+ -- Find all valid compression methods.
+ local compressors
+ -- RFC 8446: "For every TLS 1.3 ClientHello, this vector MUST contain exactly
+ -- one byte, set to zero"
+ if (tls.PROTOCOLS[protocol] < tls13proto) then
+ -- Reduce chunk size by 1 to allow extra room for the extra compressors (2 bytes)
+ for _, c in ipairs(in_chunks(ciphers, get_chunk_size(host, protocol) - 1)) do
+ compressors = find_compressors(host, port, protocol, c)
+ -- I observed a weird interaction between ECDSA ciphers and DEFLATE compression.
+ -- Some servers would reject the handshake if no non-ECDSA ciphers were available.
+ -- Sending 64 ciphers at a time should be sufficient, but we'll try them all if necessary.
+ if compressors and #compressors ~= 0 then
+ break
+ end
+ end
+ end
+
+ -- Note the server's cipher preference algorithm.
+ local cipher_pref, cipher_pref_err = find_cipher_preference(host, port, protocol, ciphers)
+
+ -- Order ciphers according to server preference, if possible
+ if cipher_pref == "server" then
+ local sorted, err = sort_ciphers(host, port, protocol, ciphers)
+ if sorted then
+ ciphers = sorted
+ else
+ -- Can't sort, fall back to alphabetical order
+ table.sort(ciphers)
+ cipher_pref_err = err
+ end
+ else
+ -- fall back to alphabetical order
+ table.sort(ciphers)
+ end
+
+ -- Add rankings to ciphers
+ for i, name in ipairs(ciphers) do
+ local outcipher = {name=name, kex_info=scores[name].extra, strength=scores[name].letter_grade}
+ setmetatable(outcipher,{
+ __tostring=function(t)
+ if t.kex_info then
+ return string.format("%s (%s) - %s", t.name, t.kex_info, t.strength)
+ else
+ return string.format("%s - %s", t.name, t.strength)
+ end
+ end
+ })
+ ciphers[i]=outcipher
+ end
+
+ results["ciphers"] = ciphers
+
+ -- Format the compressor table.
+ if compressors then
+ table.sort(compressors)
+ end
+ results["compressors"] = compressors
+
+ results["cipher preference"] = cipher_pref
+ results["cipher preference error"] = cipher_pref_err
+ if next(scores.warnings) then
+ results["warnings"] = sorted_keys(scores.warnings)
+ end
+
+ upresults[protocol] = results
+ condvar "signal"
+ return nil
+end
+
+portrule = function (host, port)
+ return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
+end
+
+action = function(host, port)
+
+ if not have_ssl then
+ stdnse.verbose("OpenSSL not available; some cipher scores will be marked as unknown.")
+ end
+
+ local results = {}
+
+ local condvar = nmap.condvar(results)
+ local threads = {}
+
+ for name, _ in pairs(tls.PROTOCOLS) do
+ stdnse.debug1("Trying protocol %s.", name)
+ local co = stdnse.new_thread(try_protocol, host, port, name, results)
+ threads[co] = true
+ end
+
+ repeat
+ for thread in pairs(threads) do
+ if coroutine.status(thread) == "dead" then threads[thread] = nil end
+ end
+ if ( next(threads) ) then
+ condvar "wait"
+ end
+ until next(threads) == nil
+
+ if not next(results) then
+ return nil
+ end
+
+ local least = "A"
+ for p, r in pairs(results) do
+ for i, c in ipairs(r.ciphers) do
+ -- counter-intuitive: "A" < "B", so really looking for max
+ least = least < c.strength and c.strength or least
+ end
+ end
+ results["least strength"] = least
+
+ return outlib.sorted_by_key(results)
+end