diff options
Diffstat (limited to 'scripts/ssl-enum-ciphers.nse')
-rw-r--r-- | scripts/ssl-enum-ciphers.nse | 1141 |
1 files changed, 1141 insertions, 0 deletions
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse new file mode 100644 index 0000000..881b6bd --- /dev/null +++ b/scripts/ssl-enum-ciphers.nse @@ -0,0 +1,1141 @@ +local coroutine = require "coroutine" +local math = require "math" +local nmap = require "nmap" +local outlib = require "outlib" +local shortport = require "shortport" +local sslcert = require "sslcert" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" +local tls = require "tls" + +description = [[ +This script repeatedly initiates SSLv3/TLS connections, each time trying a new +cipher or compressor while recording whether a host accepts or rejects it. The +end result is a list of all the ciphersuites and compressors that a server accepts. + +Each ciphersuite is shown with a letter grade (A through F) indicating the +strength of the connection. The grade is based on the cryptographic strength of +the key exchange and of the stream cipher. The message integrity (hash) +algorithm choice is not a factor. The output line beginning with +<code>Least strength</code> shows the strength of the weakest cipher offered. +The scoring is based on the Qualys SSL Labs SSL Server Rating Guide, but does +not take protocol support (TLS version) into account, which makes up 30% of the +SSL Labs rating. + +SSLv3/TLSv1 requires more effort to determine which ciphers and compression +methods a server supports than SSLv2. A client lists the ciphers and compressors +that it is capable of supporting, and the server will respond with a single +cipher and compressor chosen, or a rejection notice. + +Some servers use the client's ciphersuite ordering: they choose the first of +the client's offered suites that they also support. Other servers prefer their +own ordering: they choose their most preferred suite from among those the +client offers. In the case of server ordering, the script makes extra probes to +discover the server's sorted preference list. Otherwise, the list is sorted +alphabetically. + +The script will warn about certain SSL misconfigurations such as MD5-signed +certificates, low-quality ephemeral DH parameters, and the POODLE +vulnerability. + +This script is intrusive since it must initiate many connections to a server, +and therefore is quite noisy. + +It is recommended to use this script in conjunction with version detection +(<code>-sV</code>) in order to discover SSL/TLS services running on unexpected +ports. For the most common SSL ports like 443, 25 (with STARTTLS), 3389, etc. +the script is smart enough to run on its own. + +References: +* Qualys SSL Labs Rating Guide - https://www.ssllabs.com/projects/rating-guide/ +]] + +--- +-- @usage +-- nmap -sV --script ssl-enum-ciphers -p 443 <host> +-- +-- @output +-- PORT STATE SERVICE REASON +-- 443/tcp open https syn-ack +-- | ssl-enum-ciphers: +-- | TLSv1.0: +-- | ciphers: +-- | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A +-- | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A +-- | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A +-- | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A +-- | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A +-- | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A +-- | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C +-- | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C +-- | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C +-- | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C +-- | TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C +-- | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C +-- | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C +-- | compressors: +-- | NULL +-- | cipher preference: server +-- | warnings: +-- | 64-bit block cipher 3DES vulnerable to SWEET32 attack +-- | Broken cipher RC4 is deprecated by RFC 7465 +-- | Ciphersuite uses MD5 for message integrity +-- | Weak certificate signature: SHA1 +-- | TLSv1.2: +-- | ciphers: +-- | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A +-- | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A +-- | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A +-- | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A +-- | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A +-- | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A +-- | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A +-- | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A +-- | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A +-- | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A +-- | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A +-- | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A +-- | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C +-- | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C +-- | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C +-- | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C +-- | TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C +-- | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C +-- | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C +-- | compressors: +-- | NULL +-- | cipher preference: server +-- | warnings: +-- | 64-bit block cipher 3DES vulnerable to SWEET32 attack +-- | Broken cipher RC4 is deprecated by RFC 7465 +-- | Ciphersuite uses MD5 for message integrity +-- |_ least strength: C +-- +-- @xmloutput +-- <table key="TLSv1.0"> +-- <table key="ciphers"> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_AES_256_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_RC4_128_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_RC4_128_MD5</elem> +-- <elem key="strength">C</elem> +-- </table> +-- </table> +-- <table key="compressors"> +-- <elem>NULL</elem> +-- </table> +-- <elem key="cipher preference">server</elem> +-- <table key="warnings"> +-- <elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem> +-- <elem>Broken cipher RC4 is deprecated by RFC 7465</elem> +-- <elem>Ciphersuite uses MD5 for message integrity</elem> +-- <elem>Weak certificate signature: SHA1</elem> +-- </table> +-- </table> +-- <table key="TLSv1.2"> +-- <table key="ciphers"> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name"> +-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name"> +-- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_AES_128_GCM_SHA256</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_AES_256_GCM_SHA384</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_AES_256_CBC_SHA</elem> +-- <elem key="strength">A</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">secp256r1</elem> +-- <elem key="name">TLS_ECDHE_RSA_WITH_RC4_128_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem> +-- <elem key="strength">C</elem> +-- </table> +-- <table> +-- <elem key="kex_info">rsa 2048</elem> +-- <elem key="name">TLS_RSA_WITH_RC4_128_MD5</elem> +-- <elem key="strength">C</elem> +-- </table> +-- </table> +-- <table key="compressors"> +-- <elem>NULL</elem> +-- </table> +-- <elem key="cipher preference">server</elem> +-- <table key="warnings"> +-- <elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem> +-- <elem>Broken cipher RC4 is deprecated by RFC 7465</elem> +-- <elem>Ciphersuite uses MD5 for message integrity</elem> +-- </table> +-- </table> +-- <elem key="least strength">C</elem> + +author = {"Mak Kolybabi <mak@kolybabi.com>", "Gabriel Lawrence"} + +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" + +categories = {"discovery", "intrusive"} +dependencies = {"https-redirect"} + +-- Test at most this many ciphersuites at a time. +-- http://seclists.org/nmap-dev/2012/q3/156 +-- http://seclists.org/nmap-dev/2010/q1/859 +local CHUNK_SIZE = 64 +local have_ssl, openssl = pcall(require,'openssl') + +-- Add additional context (protocol) to debug output +local function ctx_log(level, protocol, fmt, ...) + return stdnse.debug(level, "(%s) " .. fmt, protocol, ...) +end + +-- returns a function that yields a new tls record each time it is called +local function get_record_iter(sock) + local buffer = "" + local i = 1 + local fragment + return function () + local record + i, record = tls.record_read(buffer, i, fragment) + if record == nil then + local status, err + status, buffer, err = tls.record_buffer(sock, buffer, i) + if not status then + return nil, err + end + i, record = tls.record_read(buffer, i, fragment) + if record == nil then + return nil, "done" + end + end + fragment = record.fragment + return record + end +end + +local function try_params(host, port, t) + + -- Use Nmap's own discovered timeout plus 5 seconds for host processing + -- Default to 10 seconds total. + local timeout = ((host.times and host.times.timeout) or 5) * 1000 + 5000 + + -- Create socket. + local status, sock, err + local specialized = sslcert.getPrepareTLSWithoutReconnect(port) + if specialized then + status, sock = specialized(host, port) + if not status then + ctx_log(1, t.protocol, "Can't connect: %s", sock) + return nil + end + else + sock = nmap.new_socket() + sock:set_timeout(timeout) + status, err = sock:connect(host, port) + if not status then + ctx_log(1, t.protocol, "Can't connect: %s", err) + sock:close() + return nil + end + end + + sock:set_timeout(timeout) + + -- Send request. + local req = tls.client_hello(t) + status, err = sock:send(req) + if not status then + ctx_log(1, t.protocol, "Can't send: %s", err) + sock:close() + return nil + end + + -- Read response. + local get_next_record = get_record_iter(sock) + local records = {} + while true do + local record + record, err = get_next_record() + if not record then + ctx_log(1, t.protocol, "Couldn't read a TLS record: %s", err) + sock:close() + return records + end + -- Collect message bodies into one record per type + records[record.type] = records[record.type] or record + local done = false + for j = 1, #record.body do -- no ipairs because we append below + local b = record.body[j] + done = ((record.type == "alert" and b.level == "fatal") or + (record.type == "handshake" and (b.type == "server_hello_done" or + -- TLSv1.3 does not have server_hello_done + (t.protocol == "TLSv1.3" and b.type == "server_hello"))) + ) + table.insert(records[record.type].body, b) + end + if done then + sock:close() + return records + end + end +end + +local function sorted_keys(t) + local ret = {} + for k, _ in pairs(t) do + ret[#ret+1] = k + end + table.sort(ret) + return ret +end + +local function in_chunks(t, size) + size = math.floor(size) + if size < 1 then size = 1 end + local ret = {} + for i = 1, #t, size do + local chunk = {} + for j = i, i + size - 1 do + chunk[#chunk+1] = t[j] + end + ret[#ret+1] = chunk + end + return ret +end + +local function remove(t, e) + for i, v in ipairs(t) do + if v == e then + table.remove(t, i) + return i + end + end + return nil +end + +local function slice(t, i, j) + local output = {} + while i <= j do + output[#output+1] = t[i] + i = i + 1 + end + return output +end + +local function merge(a, b, cmp) + local output = {} + local i = 1 + local j = 1 + while i <= #a and j <= #b do + local winner, err = cmp(a[i], b[j]) + if not winner then + return nil, err + end + if winner == a[i] then + output[#output+1] = a[i] + i = i + 1 + else + output[#output+1] = b[j] + j = j + 1 + end + end + while i <= #a do + output[#output+1] = a[i] + i = i + 1 + end + while j <= #b do + output[#output+1] = b[j] + j = j + 1 + end + return output +end + +local function merge_recursive(chunks, cmp) + if #chunks == 0 then + return {} + elseif #chunks == 1 then + return chunks[1] + else + local m = math.floor(#chunks / 2) + local a, b = slice(chunks, 1, m), slice(chunks, m+1, #chunks) + local am, err = merge_recursive(a, cmp) + if not am then + return nil, err + end + local bm, err = merge_recursive(b, cmp) + if not bm then + return nil, err + end + return merge(am, bm, cmp) + end +end + +-- https://bugzilla.mozilla.org/show_bug.cgi?id=946147 +local function remove_high_byte_ciphers(t) + local output = {} + for i, v in ipairs(t) do + if tls.CIPHERS[v] <= 255 then + output[#output+1] = v + end + end + return output +end + +-- Get TLS extensions +local function base_extensions(host) + local tlsname = tls.servername(host) + return { + -- Claim to support common elliptic curves + -- TODO: Determine desire to comply with RFC 4492, section 4: + -- "The client MUST NOT include these extensions in the ClientHello + -- message if it does not propose any ECC cipher suites." + -- OTOH, OpenSSL 1.1.1 sends them always so it is probably safe. + ["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](tls.DEFAULT_ELLIPTIC_CURVES), + -- Some servers require Supported Point Formats Extension + ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}), + -- Enable SNI if a server name is available + ["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname), + } +end + +-- Get a message body from a record which has the specified property set to value +local function get_body(record, property, value) + for i, b in ipairs(record.body) do + if b[property] == value then + return b + end + end + return nil +end + +-- Score a ciphersuite implementation (including key exchange info) +local function score_cipher (kex_strength, cipher_info) + local kex_score, cipher_score + if not kex_strength or not cipher_info.size then + return "unknown" + end + if kex_strength <= 0 then + return 0 + elseif kex_strength < 512 then + kex_score = 0.2 + elseif kex_strength < 1024 then + kex_score = 0.4 + elseif kex_strength < 2048 then + kex_score = 0.8 + elseif kex_strength < 4096 then + kex_score = 0.9 + else + kex_score = 1.0 + end + + if cipher_info.size <= 0 then + return 0 + elseif cipher_info.size < 128 then + cipher_score = 0.2 + elseif cipher_info.size < 256 then + cipher_score = 0.8 + else + cipher_score = 1.0 + end + + -- Based on SSL Labs' 30-30-40 rating without the first 30% (protocol support) + return 0.43 * kex_score + 0.57 * cipher_score +end + +local function letter_grade (score) + if not tonumber(score) then return "unknown" end + if score >= 0.80 then + return "A" + elseif score >= 0.65 then + return "B" + elseif score >= 0.50 then + return "C" + elseif score >= 0.35 then + return "D" + elseif score >= 0.20 then + return "E" + else + return "F" + end +end + +local tls13proto = tls.PROTOCOLS["TLSv1.3"] +local tls13supported = tls.EXTENSION_HELPERS.supported_versions({"TLSv1.3"}) +local function get_hello_table(host, protocol) + local t = { + protocol = protocol, + record_protocol = protocol, -- improve chances of immediate rejection + extensions = base_extensions(host), + } + + -- supported_versions extension required for TLSv1.3 + if (tls.PROTOCOLS[protocol] >= tls13proto) then + t.extensions.supported_versions = tls13supported + end + + return t +end + +-- Find which ciphers out of group are supported by the server. +local function find_ciphers_group(host, port, protocol, group, scores) + local results = {} + local t = get_hello_table(host, protocol) + + -- This is a hacky sort of tristate variable. There are three conditions: + -- 1. false = either ciphers or protocol is bad. Keep trying with new ciphers + -- 2. nil = The protocol is bad. Abandon thread. + -- 3. true = Protocol works, at least some cipher must be supported. + local protocol_worked = false + while (next(group)) do + t["ciphers"] = group + + local records = try_params(host, port, t) + if not records then + return nil + end + local handshake = records.handshake + + if handshake == nil then + local alert = records.alert + if alert then + ctx_log(2, protocol, "Got alert: %s", alert.body[1].description) + if not tls.record_version_ok(alert["protocol"], protocol) then + ctx_log(1, protocol, "Protocol mismatch (received %s)", alert.protocol) + -- Sometimes this is not an actual rejection of the protocol. Check specifically: + if get_body(alert, "description", "protocol_version") then + protocol_worked = nil + end + break + elseif get_body(alert, "description", "handshake_failure") + or get_body(alert, "description", "insufficient_security") then + protocol_worked = true + ctx_log(2, protocol, "%d ciphers rejected.", #group) + break + end + elseif protocol_worked then + ctx_log(2, protocol, "%d ciphers rejected. (No handshake)", #group) + else + ctx_log(1, protocol, "%d ciphers and/or protocol rejected. (No handshake)", #group) + end + break + else + local server_hello = get_body(handshake, "type", "server_hello") + if not server_hello then + ctx_log(2, protocol, "Unexpected record received.") + break + end + if server_hello.protocol ~= protocol then + ctx_log(1, protocol, "Protocol rejected. cipher: %s", server_hello.cipher) + -- Some implementations will do this if a cipher is supported in some + -- other protocol version but not this one. Gotta keep trying. + if not remove(group, server_hello.cipher) then + -- But if we didn't even offer this cipher, then give up. Crazy! + protocol_worked = protocol_worked or nil + end + break + else + protocol_worked = true + local name = server_hello.cipher + ctx_log(2, protocol, "Cipher %s chosen.", name) + if not remove(group, name) then + ctx_log(1, protocol, "chose cipher %s that was not offered.", name) + ctx_log(1, protocol, "removing high-byte ciphers and trying again.") + local size_before = #group + group = remove_high_byte_ciphers(group) + ctx_log(1, protocol, "removed %d high-byte ciphers.", size_before - #group) + if #group == size_before then + -- No changes... Server just doesn't like our offered ciphers. + break + end + else + -- Add cipher to the list of accepted ciphers. + table.insert(results, name) + if scores then + local info = tls.cipher_info(name) + -- Some warnings: + if info.hash and info.hash == "MD5" then + scores.warnings["Ciphersuite uses MD5 for message integrity"] = true + end + if info.mode and info.mode == "CBC" and info.block_size <= 64 then + scores.warnings[("64-bit block cipher %s vulnerable to SWEET32 attack"):format(info.cipher)] = true + end + if protocol == "SSLv3" and info.mode and info.mode == "CBC" then + scores.warnings["CBC-mode cipher in SSLv3 (CVE-2014-3566)"] = true + elseif info.cipher == "RC4" then + scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true + end + if protocol == "TLSv1.3" and not info.tls13ok then + scores.warnings["Non-TLSv1.3 ciphersuite chosen for TLSv1.3"] = true + end + local kex = tls.KEX_ALGORITHMS[info.kex] + scores.any_pfs_ciphers = kex.pfs or scores.any_pfs_ciphers + local extra, kex_strength + if kex.export then + scores.warnings["Export key exchange"] = true + if info.kex:find("1024$") then + kex_strength = 1024 + else + kex_strength = 512 + end + end + if kex.anon then + scores.warnings["Anonymous key exchange, score capped at F"] = true + kex_strength = 0 + elseif have_ssl and kex.pubkey then + local certs = get_body(handshake, "type", "certificate") + -- Assume RFC compliance: + -- "The sender's certificate MUST come first in the list." + -- This may not always be the case, so + -- TODO: reorder certificates and validate entire chain + -- TODO: certificate validation (date, self-signed, etc) + local c, err + if certs == nil then + err = "no certificate message" + else + c, err = sslcert.parse_ssl_certificate(certs.certificates[1]) + end + if not c then + ctx_log(1, protocol, "Failed to parse certificate: %s", err) + elseif c.pubkey.type == kex.pubkey then + local sigalg = c.sig_algorithm:match("([mM][dD][245])") or c.sig_algorithm:match("([sS][hH][aA]1)") + if sigalg then + kex_strength = 0 + scores.warnings[("Insecure certificate signature (%s), score capped at F"):format(string.upper(sigalg))] = true + end + local rsa_bits = tls.rsa_equiv(kex.pubkey, c.pubkey.bits) + kex_strength = math.min(kex_strength or rsa_bits, rsa_bits) + if c.pubkey.exponent then + if openssl.bignum_bn2dec(c.pubkey.exponent) == "1" then + kex_strength = 0 + scores.warnings["Certificate RSA exponent is 1, score capped at F"] = true + end + end + if c.pubkey.ecdhparams then + if c.pubkey.ecdhparams.curve_params.ec_curve_type == "namedcurve" then + extra = c.pubkey.ecdhparams.curve_params.curve + else + extra = string.format("%s %d", c.pubkey.ecdhparams.curve_params.ec_curve_type, c.pubkey.bits) + end + else + extra = string.format("%s %d", kex.pubkey, c.pubkey.bits) + end + end + end + local ske + if protocol == "TLSv1.3" then + ske = server_hello.extensions.key_share + elseif kex.server_key_exchange then + ske = get_body(handshake, "type", "server_key_exchange") + if ske then + ske = ske.data + end + end + if ske then + local kex_info = kex.server_key_exchange(ske, protocol) + if kex_info.strength then + local kex_type = kex_info.type or kex.type + if kex_info.ecdhparams then + if kex_info.ecdhparams.curve_params.ec_curve_type == "namedcurve" then + extra = kex_info.ecdhparams.curve_params.curve + else + extra = string.format("%s %d", kex_info.ecdhparams.curve_params.ec_curve_type, kex_info.strength) + end + else + extra = string.format("%s %d", kex_type, kex_info.strength) + end + local rsa_bits = tls.rsa_equiv(kex_type, kex_info.strength) + if kex_strength and kex_strength > rsa_bits then + kex_strength = rsa_bits + scores.warnings[( + "Key exchange (%s) of lower strength than certificate key" + ):format(extra)] = true + end + kex_strength = math.min(kex_strength or rsa_bits, rsa_bits) + end + if kex_info.rsa and kex_info.rsa.exponent == 1 then + kex_strength = 0 + scores.warnings["Certificate RSA exponent is 1, score capped at F"] = true + end + end + scores[name] = { + cipher_strength=info.size, + kex_strength = kex_strength, + extra = extra, + letter_grade = letter_grade(score_cipher(kex_strength, info)) + } + end + end + end + end + end + return results, protocol_worked +end + +local function get_chunk_size(host, protocol) + -- Try to make sure we don't send too big of a handshake + -- https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance + local len_t = get_hello_table(host, protocol) + len_t.ciphers = {} + local cipher_len_remaining = 255 - #tls.client_hello(len_t) + -- if we're over 255 anyway, just go for it. + -- Each cipher adds 2 bytes + local max_chunks = cipher_len_remaining > 1 and cipher_len_remaining // 2 or CHUNK_SIZE + -- otherwise, use the min + return max_chunks < CHUNK_SIZE and max_chunks or CHUNK_SIZE +end + +-- Break the cipher list into chunks of CHUNK_SIZE (for servers that can't +-- handle many client ciphers at once), and then call find_ciphers_group on +-- each chunk. +local function find_ciphers(host, port, protocol) + + local candidates = {} + -- TLSv1.3 ciphers are different, though some are shared (ECCPWD) + local tls13 = protocol == "TLSv1.3" + for _, c in ipairs(sorted_keys(tls.CIPHERS)) do + local info = tls.cipher_info(c) + if (not tls13 and not info.tls13only) + or (tls13 and info.tls13ok) then + candidates[#candidates+1] = c + end + end + local ciphers = in_chunks(candidates, get_chunk_size(host, protocol)) + + local results = {} + local scores = {warnings={}} + -- Try every cipher. + for _, group in ipairs(ciphers) do + local chunk, protocol_worked = find_ciphers_group(host, port, protocol, group, scores) + if protocol_worked == nil then return nil end + for _, name in ipairs(chunk) do + table.insert(results, name) + end + end + if not next(results) then return nil end + scores.warnings["Forward Secrecy not supported by any cipher"] = (not scores.any_pfs_ciphers) or nil + scores.any_pfs_ciphers = nil + + return results, scores +end + +local function find_compressors(host, port, protocol, good_ciphers) + local compressors = sorted_keys(tls.COMPRESSORS) + local t = get_hello_table(host, protocol) + t.ciphers = good_ciphers + + local results = {} + + -- Try every compressor. + local protocol_worked = false + while (next(compressors)) do + -- Create structure. + t["compressors"] = compressors + + -- Try connecting with compressor. + local records = try_params(host, port, t) + local handshake = records.handshake + + if handshake == nil then + local alert = records.alert + if alert then + ctx_log(2, protocol, "Got alert: %s", alert.body[1].description) + if not tls.record_version_ok(alert["protocol"], protocol) then + ctx_log(1, protocol, "Protocol rejected.") + protocol_worked = nil + break + elseif get_body(alert, "description", "handshake_failure") then + protocol_worked = true + ctx_log(2, protocol, "%d compressors rejected.", #compressors) + -- Should never get here, because NULL should be good enough. + -- The server may just not be able to handle multiple compressors. + if #compressors > 1 then -- Make extra-sure it's not crazily rejecting the NULL compressor + compressors[1] = "NULL" + for i = 2, #compressors, 1 do + compressors[i] = nil + end + -- try again. + else + break + end + end + elseif protocol_worked then + ctx_log(2, protocol, "%d compressors rejected. (No handshake)", #compressors) + else + ctx_log(1, protocol, "%d compressors and/or protocol rejected. (No handshake)", #compressors) + end + break + else + local server_hello = get_body(handshake, "type", "server_hello") + if not server_hello then + ctx_log(2, protocol, "Unexpected record received.") + break + end + if server_hello.protocol ~= protocol then + ctx_log(1, protocol, "Protocol rejected.") + protocol_worked = (protocol_worked == nil) and nil or false + break + else + protocol_worked = true + local name = server_hello.compressor + ctx_log(2, protocol, "Compressor %s chosen.", name) + remove(compressors, name) + + -- Add compressor to the list of accepted compressors. + table.insert(results, name) + if name == "NULL" then + break -- NULL is always last choice, and must be included + end + end + end + end + + return results +end + +-- Offer two ciphers and return the one chosen by the server. Returns nil and +-- an error message in case of a server error. +local function compare_ciphers(host, port, protocol, cipher_a, cipher_b) + local t = get_hello_table(host, protocol) + t.ciphers = {cipher_a, cipher_b} + local records = try_params(host, port, t) + local server_hello = records.handshake and get_body(records.handshake, "type", "server_hello") + if server_hello then + ctx_log(2, protocol, "compare %s %s -> %s", cipher_a, cipher_b, server_hello.cipher) + return server_hello.cipher + else + ctx_log(2, protocol, "compare %s %s -> error", cipher_a, cipher_b) + return nil, string.format("Error when comparing %s and %s", cipher_a, cipher_b) + end +end + +-- Try to find whether the server prefers its own ciphersuite order or that of +-- the client. +-- +-- The return value is (preference, err). preference is a string: +-- "server": the server prefers its own order. In this case ciphers is non-nil. +-- "client": the server follows the client preference. ciphers is nil. +-- "indeterminate": returned when there are only 0 or 1 ciphers. ciphers is nil. +-- nil: an error occurred during the test. err is non-nil. +-- err is an error message string that is non-nil when preference is nil or +-- indeterminate. +-- +-- The algorithm tries offering two ciphersuites in two different orders. If +-- the server makes a different choice each time, "client" preference is +-- assumed. Otherwise, "server" preference is assumed. +local function find_cipher_preference(host, port, protocol, ciphers) + -- Too few ciphers to make a decision? + if #ciphers < 2 then + return "indeterminate", "Too few ciphers supported" + end + + -- Do a comparison in both directions to see if server ordering is consistent. + local cipher_a, cipher_b = ciphers[1], ciphers[2] + ctx_log(1, protocol, "Comparing %s to %s", cipher_a, cipher_b) + local winner_forwards, err = compare_ciphers(host, port, protocol, cipher_a, cipher_b) + if not winner_forwards then + return nil, err + end + local winner_backward, err = compare_ciphers(host, port, protocol, cipher_b, cipher_a) + if not winner_backward then + return nil, err + end + if winner_forwards ~= winner_backward then + return "client", nil + end + return "server", nil +end + +-- Sort ciphers according to server preference with a modified merge sort +local function sort_ciphers(host, port, protocol, ciphers) + local chunks = {} + for _, group in ipairs(in_chunks(ciphers, get_chunk_size(host, protocol))) do + local size = #group + local chunk = find_ciphers_group(host, port, protocol, group) + if not chunk then + return nil, "Network error" + end + if #chunk ~= size then + ctx_log(1, protocol, "warning: %d ciphers offered but only %d accepted", size, #chunk) + end + table.insert(chunks, chunk) + end + + -- The comparison operator for the merge is a 2-cipher ClientHello. + local function cmp(cipher_a, cipher_b) + return compare_ciphers(host, port, protocol, cipher_a, cipher_b) + end + local sorted, err = merge_recursive(chunks, cmp) + if not sorted then + return nil, err + end + return sorted +end + +local function try_protocol(host, port, protocol, upresults) + local condvar = nmap.condvar(upresults) + + local results = stdnse.output_table() + + -- Find all valid ciphers. + local ciphers, scores = find_ciphers(host, port, protocol) + if ciphers == nil then + condvar "signal" + return nil + end + + if #ciphers == 0 then + results = {ciphers={},compressors={}} + setmetatable(results,{ + __tostring=function(t) return "No supported ciphers found" end + }) + upresults[protocol] = results + condvar "signal" + return nil + end + -- Find all valid compression methods. + local compressors + -- RFC 8446: "For every TLS 1.3 ClientHello, this vector MUST contain exactly + -- one byte, set to zero" + if (tls.PROTOCOLS[protocol] < tls13proto) then + -- Reduce chunk size by 1 to allow extra room for the extra compressors (2 bytes) + for _, c in ipairs(in_chunks(ciphers, get_chunk_size(host, protocol) - 1)) do + compressors = find_compressors(host, port, protocol, c) + -- I observed a weird interaction between ECDSA ciphers and DEFLATE compression. + -- Some servers would reject the handshake if no non-ECDSA ciphers were available. + -- Sending 64 ciphers at a time should be sufficient, but we'll try them all if necessary. + if compressors and #compressors ~= 0 then + break + end + end + end + + -- Note the server's cipher preference algorithm. + local cipher_pref, cipher_pref_err = find_cipher_preference(host, port, protocol, ciphers) + + -- Order ciphers according to server preference, if possible + if cipher_pref == "server" then + local sorted, err = sort_ciphers(host, port, protocol, ciphers) + if sorted then + ciphers = sorted + else + -- Can't sort, fall back to alphabetical order + table.sort(ciphers) + cipher_pref_err = err + end + else + -- fall back to alphabetical order + table.sort(ciphers) + end + + -- Add rankings to ciphers + for i, name in ipairs(ciphers) do + local outcipher = {name=name, kex_info=scores[name].extra, strength=scores[name].letter_grade} + setmetatable(outcipher,{ + __tostring=function(t) + if t.kex_info then + return string.format("%s (%s) - %s", t.name, t.kex_info, t.strength) + else + return string.format("%s - %s", t.name, t.strength) + end + end + }) + ciphers[i]=outcipher + end + + results["ciphers"] = ciphers + + -- Format the compressor table. + if compressors then + table.sort(compressors) + end + results["compressors"] = compressors + + results["cipher preference"] = cipher_pref + results["cipher preference error"] = cipher_pref_err + if next(scores.warnings) then + results["warnings"] = sorted_keys(scores.warnings) + end + + upresults[protocol] = results + condvar "signal" + return nil +end + +portrule = function (host, port) + return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) +end + +action = function(host, port) + + if not have_ssl then + stdnse.verbose("OpenSSL not available; some cipher scores will be marked as unknown.") + end + + local results = {} + + local condvar = nmap.condvar(results) + local threads = {} + + for name, _ in pairs(tls.PROTOCOLS) do + stdnse.debug1("Trying protocol %s.", name) + local co = stdnse.new_thread(try_protocol, host, port, name, results) + threads[co] = true + end + + repeat + for thread in pairs(threads) do + if coroutine.status(thread) == "dead" then threads[thread] = nil end + end + if ( next(threads) ) then + condvar "wait" + end + until next(threads) == nil + + if not next(results) then + return nil + end + + local least = "A" + for p, r in pairs(results) do + for i, c in ipairs(r.ciphers) do + -- counter-intuitive: "A" < "B", so really looking for max + least = least < c.strength and c.strength or least + end + end + results["least strength"] = least + + return outlib.sorted_by_key(results) +end |