While Nessus is a wonderful vulnerability scanner, sometimes it is too slow and resource heavy for individual issues. The following two equivalent scripts perform checks for these SSL-related Nessus plugins:
- 20007: SSL Version 2 (v2) Protocol Detection
- 26928: SSL Weak Cipher Suites Supported
- 31705: SSL Anonymous Cipher Suites Supported
The first is the curl version:
```bash
#!/bin/bash
# phaas at redspin.com: Never use a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)

if [ $# -lt 1 ]
then
    echo "List SSL Weakness present for a given website"
    echo "Usage: `basename $0` website {port}"
    exit 1
fi

web=${1-'www.redspin.com'}
port=${2-'443'}

# Check for the insecure SSLv2 version
# (only meaningful when the local curl/TLS library can still speak SSLv2)
curl -m1 -Ik "https://$web:$port" --ciphers sslv2 &> /dev/null
if [[ "$?" -eq 0 ]]; then
    echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"
fi

# Enumerate weak SSL ciphers using curl
IFS=$'\n'                      # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL'  # Include EXP (Export Ciphers)
for line in `openssl ciphers -v $ciphers | tr -s ' '`; do
    # Column 2 is the protocol (e.g. SSLv3), lowercased to match curl's option name
    version=`echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]'`
    cipher=`echo "$line" | cut -d' ' -f1`
    auth=`echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2`
    # Drop the Kx= field first so its key size is not mistaken for the cipher strength
    strength=`echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None'`

    if [[ "$auth" == 'None' ]]; then auth="no"; fi
    if [[ -z "$strength" ]]; then
        strength="without encryption"
    else
        strength="at $strength bit encryption"
    fi

    #echo "curl -m1 -Ik https://$web:$port --ciphers $cipher --$version &> /dev/null"
    # Long option form (--sslv3, --tlsv1, ...); a single dash is parsed as clustered short flags
    curl -m1 -Ik "https://$web:$port" --ciphers "$cipher" "--$version" &> /dev/null
    if [[ "$?" -eq 0 ]]; then
        echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
    fi
done
```
And the following is the openssl version:
```bash
#!/bin/bash
# phaas at redspin.com: Never use a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)

if [ $# -lt 1 ]
then
    echo "List SSL Weakness present for a given website"
    echo "Usage: `basename $0` website {port}"
    exit 1
fi

web=${1-'www.redspin.com'}
port=${2-'443'}

# Check for the insecure SSLv2 version
# (only meaningful when the local openssl build still supports -ssl2)
sslv2=`echo -e '' | openssl s_client -connect "$web:$port" -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep -i 'SSLv2'`
if [ -n "$sslv2" ]; then
    echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"
fi

# Enumerate weak SSL ciphers using openssl
IFS=$'\n'                      # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL'  # Include EXP (Export Ciphers)
for line in `openssl ciphers -v $ciphers | tr -s ' '`; do
    # Turn the protocol column into an s_client flag: SSLv3 -> ssl3, TLSv1.2 -> tls1_2
    version=`echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]' | tr -d 'v' | tr '.' '_'`
    cipher=`echo "$line" | cut -d' ' -f1`
    auth=`echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2`
    # Drop the Kx= field first so its key size is not mistaken for the cipher strength
    strength=`echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None'`

    if [[ "$auth" == 'None' ]]; then auth="no"; fi
    if [[ -z "$strength" ]]; then
        strength="without encryption"
    else
        strength="at $strength bit encryption"
    fi

    #echo "openssl s_client -connect $web:$port -$version -cipher $cipher"
    # s_client prints DONE when it reaches end of input after a completed handshake
    supported=`echo "" | openssl s_client -connect "$web:$port" "-$version" -cipher "$cipher" 2>&1 | grep DONE`
    if [[ -n "$supported" ]]; then
        echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
    fi
done
```
I decided to include both because while openssl is usually included by default on most Linux distributions, curl is easier to obtain on Windows machines.
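Both scripts report every hit in one format, without saying which plugin finding it corresponds to. The following added example (not part of the original post) parses one `openssl ciphers -v` line and labels it by weakness category and plugin number. The mapping of `Au=None` to 31705 and of null, export and low-strength suites to 26928 is an assumption based on the plugin titles above, and the sample lines are constructed.

```bash
#!/bin/bash
# Added example, not part of the original scripts.
# Assumed mapping: Au=None -> plugin 31705; null/export/low -> plugin 26928.
# "low" follows the older OpenSSL definition of LOW (56- or 64-bit, non-export).

classify_cipher_line() {
    # $1: one line of `openssl ciphers -v` output
    # Prints: cipher version bits categories plugins
    printf '%s\n' "$1" | awk '
        function add(c, p) {
            cats = (cats == "" ? c : cats "," c)
            if (index(plugins, p) == 0)
                plugins = (plugins == "" ? p : plugins "," p)
        }
        NF >= 6 {
            auth = ""; enc = ""; bits = 0; is_export = 0; cats = ""; plugins = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^Au=/)    auth = substr($i, 4)
                if ($i ~ /^Enc=/)   enc = substr($i, 5)
                if ($i == "export") is_export = 1
            }
            # Key size is read from Enc= only, so Kx=RSA(512) is never taken as strength
            if (match(enc, /\([0-9]+\)/))
                bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
            if (auth == "None") add("anonymous", "31705")
            if (enc == "None")  add("null", "26928")
            if (is_export)      add("export", "26928")
            else if (bits > 0 && bits <= 64) add("low", "26928")
            if (cats == "") { cats = "ok"; plugins = "-" }
            print $1, tolower($2), bits, cats, plugins
        }'
}

# Constructed sample lines in the `openssl ciphers -v` layout (no network needed)
while IFS= read -r sample; do
    classify_cipher_line "$sample"
done <<'EOF'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EOF
```

A suite that is both anonymous and export-grade is listed under both plugins, which the single-line output of the scripts above does not distinguish.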




This information truly helped me; I am sharing it with a few friends. I will be checking back regularly to look for updates.