Enumerating SSL Ciphers with SSLScan
by Nathan Drier on Aug.24, 2009, under Redspin Labs

You’d think that checking your email in a web browser is a simple task. Open up Firefox, plunk in your username and password, and start sending things to the SPAM folder. The truth is, when you load up your web mail in a browser, a flurry of activity takes place behind the scenes. One of the most interesting parts is how your web browser interacts with your web mail server (or any SSL-enabled service) to select an encryption protocol to use. While I won’t dive too deep into the mechanics of it all, I will try to explain why it is important.
Before the mail server will send any sensitive information to your browser, the two need to agree on how they will encrypt the data. This boils down to your web browser and the server listing their supported ciphers, and the two parties agreeing on the strongest cipher or protocol that they both support. The key here is supported protocols. Your SSL-enabled service supports a wide array of encryption ciphers and protocols so it can play nice with all sorts of different browsers and operating systems. In a perfect world, all ciphers and protocols are created equal, but like everything else, there is good encryption and there is bad encryption.
This is where a nifty little app called SSLScan steps in. It runs against SSL-enabled services and finds out exactly which protocols and ciphers are supported by the server. This is handy for identifying potentially weak SSL ciphers or protocols (SSLv2, low bit-strength ciphers, NULL ciphers, etc.). It also lists preferred ciphers and details about the SSL certificates. (If all this is nothing new to you, see The Shell Shakespeare’s post on SSL vulnerabilities – that guy could make meatloaf with nothing but emacs and a bash prompt.)
Debian users are lucky - a version of SSLScan exists in the Squeeze repo (although it's a version behind). For everyone else, it should build easily on common systems. I know other tools exist to enumerate SSL methods. Most vulnerability scanners will flag weak ciphers. TSS will show you how to use OpenSSL and Bash to do it. Does anyone have other favorites?
    # ./sslscan 10.0.0.45
                       _
               ___ ___| |___  ___ __ _ _ __
              / __/ __| / __|/ __/ _` | '_ \
              \__ \__ \ \__ \ (_| (_| | | | |
              |___/___/_|___/\___\__,_|_| |_|

                      Version 1.8.0
                 http://www.titania.co.uk
            Copyright Ian Ventura-Whiting 2009

    Testing SSL server 10.0.0.45 on port 443

      Supported Server Cipher(s):
        Rejected  N/A  SSLv2  168 bits  DES-CBC3-MD5
        Rejected  N/A  SSLv2  56 bits   DES-CBC-MD5
        Rejected  N/A  SSLv2  40 bits   EXP-RC2-CBC-MD5
        Rejected  N/A  SSLv2  128 bits  RC2-CBC-MD5
        Rejected  N/A  SSLv2  40 bits   EXP-RC4-MD5
        Rejected  N/A  SSLv2  128 bits  RC4-MD5
        Rejected  N/A  SSLv3  256 bits  ADH-AES256-SHA
        Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
        Rejected  N/A  SSLv3  256 bits  DHE-DSS-AES256-SHA
        Accepted  SSLv3  256 bits  AES256-SHA
        Rejected  N/A  SSLv3  128 bits  ADH-AES128-SHA
        Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
        Rejected  N/A  SSLv3  128 bits  DHE-DSS-AES128-SHA
        Accepted  SSLv3  128 bits  AES128-SHA
        Rejected  N/A  SSLv3  168 bits  ADH-DES-CBC3-SHA
        Rejected  N/A  SSLv3  56 bits   ADH-DES-CBC-SHA
        Rejected  N/A  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
        Rejected  N/A  SSLv3  128 bits  ADH-RC4-MD5
        Rejected  N/A  SSLv3  40 bits   EXP-ADH-RC4-MD5
        Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
        Rejected  N/A  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
        Rejected  N/A  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
        Rejected  N/A  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
        Rejected  N/A  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
        Rejected  N/A  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
        Accepted  SSLv3  168 bits  DES-CBC3-SHA
        Rejected  N/A  SSLv3  56 bits   DES-CBC-SHA
        Rejected  N/A  SSLv3  40 bits   EXP-DES-CBC-SHA
        Rejected  N/A  SSLv3  40 bits   EXP-RC2-CBC-MD5
        Accepted  SSLv3  128 bits  RC4-SHA
        Accepted  SSLv3  128 bits  RC4-MD5
        Rejected  N/A  SSLv3  40 bits   EXP-RC4-MD5
        Rejected  N/A  SSLv3  0 bits    NULL-SHA
        Rejected  N/A  SSLv3  0 bits    NULL-MD5
        Rejected  N/A  TLSv1  256 bits  ADH-AES256-SHA
        Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
        Rejected  N/A  TLSv1  256 bits  DHE-DSS-AES256-SHA
        Accepted  TLSv1  256 bits  AES256-SHA
        Rejected  N/A  TLSv1  128 bits  ADH-AES128-SHA
        Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
        Rejected  N/A  TLSv1  128 bits  DHE-DSS-AES128-SHA
        Accepted  TLSv1  128 bits  AES128-SHA
        Rejected  N/A  TLSv1  168 bits  ADH-DES-CBC3-SHA
        Rejected  N/A  TLSv1  56 bits   ADH-DES-CBC-SHA
        Rejected  N/A  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
        Rejected  N/A  TLSv1  128 bits  ADH-RC4-MD5
        Rejected  N/A  TLSv1  40 bits   EXP-ADH-RC4-MD5
        Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
        Rejected  N/A  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
        Rejected  N/A  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
        Rejected  N/A  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
        Rejected  N/A  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
        Rejected  N/A  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
        Accepted  TLSv1  168 bits  DES-CBC3-SHA
        Rejected  N/A  TLSv1  56 bits   DES-CBC-SHA
        Rejected  N/A  TLSv1  40 bits   EXP-DES-CBC-SHA
        Rejected  N/A  TLSv1  40 bits   EXP-RC2-CBC-MD5
        Accepted  TLSv1  128 bits  RC4-SHA
        Accepted  TLSv1  128 bits  RC4-MD5
        Rejected  N/A  TLSv1  40 bits   EXP-RC4-MD5
        Rejected  N/A  TLSv1  0 bits    NULL-SHA
        Rejected  N/A  TLSv1  0 bits    NULL-MD5

      Prefered Server Cipher(s):
        SSLv3  256 bits  DHE-RSA-AES256-SHA
        TLSv1  256 bits  DHE-RSA-AES256-SHA
    ...
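
Reading that many rows by eye gets old quickly. The following is an added example, not part of the original post or of SSLScan: it parses cipher rows in the format shown above (one row per line) and reports only the accepted suites that fall into the weak categories the post names (SSLv2, low bit strength, NULL). The 128-bit threshold, the extra anonymous-DH check, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Row format as in the output above: "Accepted SSLv3 256 bits X" / "Rejected N/A SSLv2 40 bits Y"
ROW = re.compile(r"^\s*(Accepted|Rejected)\s+(?:N/A\s+)?"
                 r"(SSLv2|SSLv3|TLSv1)\s+(\d+)\s+bits\s+(\S+)\s*$")
MIN_BITS = 128  # assumed policy threshold, not taken from the post


def parse_rows(text):
    """Yield (status, protocol, bits, cipher) for every cipher row in text."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            status, proto, bits, cipher = m.groups()
            yield status, proto, int(bits), cipher


def weak_accepted(text, min_bits=MIN_BITS):
    """Return [(protocol, cipher, [reasons])] for accepted suites that are weak."""
    findings = []
    for status, proto, bits, cipher in parse_rows(text):
        if status != "Accepted":
            continue  # the server refused this suite, nothing to report
        reasons = []
        if proto == "SSLv2":
            reasons.append("SSLv2 protocol")
        if bits == 0 or cipher.startswith("NULL"):
            reasons.append("NULL cipher (no encryption)")
        elif bits < min_bits:
            reasons.append(f"{bits}-bit key below {min_bits}")
        if "ADH" in cipher.split("-"):  # added check: anonymous Diffie-Hellman
            reasons.append("anonymous DH (no server authentication)")
        if reasons:
            findings.append((proto, cipher, reasons))
    return findings

# Constructed sample rows in the same format; not output from a real host.
SAMPLE = """\
    Accepted SSLv2 128 bits RC4-MD5
    Rejected N/A SSLv2 40 bits EXP-RC4-MD5
    Accepted SSLv3 56 bits DES-CBC-SHA
    Accepted SSLv3 0 bits NULL-SHA
    Accepted TLSv1 128 bits ADH-AES128-SHA
    Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
  Prefered Server Cipher(s):
    SSLv3 256 bits DHE-RSA-AES256-SHA
"""
for proto, cipher, reasons in weak_accepted(SAMPLE):
    print(f"{proto:6} {cipher:20} {'; '.join(reasons)}")
```

Rows under the preferred-cipher heading carry no Accepted/Rejected status, so the parser skips them rather than counting them twice.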