Remotely list Ciphers supported by an SSL server
I was looking for a simple way to confirm the supported cipher suites of a remote server. Nessus has the ability to identify weak cipher suites; however, it is too heavyweight for my liking. I couldn't find anything else that met my needs, so I've put a script together that wraps the relevant OpenSSL commands. It appears to be a common security testing task to confirm that weak ciphers have been disabled to prevent downgrading attacks, so I hope this script will be of use to others.
Unmodified, this script will test the HIGH, MEDIUM, LOW, EXPORT, eNULL and aNULL cipher suites as defined by http://www.openssl.org/docs/apps/ciphers.html.
Example Usage:
./scan.py www.google.com:443
Example Output:
= LOW =
ADH-DES-CBC-SHA:FAIL
EDH-RSA-DES-CBC-SHA:FAIL
EDH-DSS-DES-CBC-SHA:FAIL
DES-CBC-SHA:FAIL
DES-CBC-MD5:FAIL
= EXPORT =
EXP-ADH-DES-CBC-SHA:FAIL
EXP-ADH-RC4-MD5:FAIL
EXP-EDH-RSA-DES-CBC-SHA:FAIL
EXP-EDH-DSS-DES-CBC-SHA:FAIL
EXP-DES-CBC-SHA:FAIL
EXP-RC2-CBC-MD5:FAIL
EXP-RC4-MD5:FAIL
EXP-RC2-CBC-MD5:FAIL
EXP-RC4-MD5:FAIL
Sample Script: (Requires OpenSSL executable in path)
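#!/usr/bin/env python3
# Copyright Matthew Churcher 2010
# License: Simplified BSD
# - http://www.opensource.org/licenses/bsd-license.php
from subprocess import Popen, PIPE
from sys import argv

connect_url = argv[1]  # host:port, e.g. www.google.com:443


def test_group(group):
    print("= %s =" % group)
    # Expand the group keyword into the cipher names this OpenSSL build knows.
    out, err = Popen(["openssl", "ciphers", group], stdout=PIPE).communicate()
    ciphers = [c for c in out.decode().strip().split(":") if c]
    for cipher in ciphers:
        # Offer exactly one cipher; the empty stdin makes s_client exit after
        # the handshake. -cipher only restricts TLS 1.2 and earlier suites.
        out, err = Popen(["openssl", "s_client", "-connect", connect_url, "-cipher", cipher],
                         stdout=PIPE, stdin=PIPE, stderr=PIPE).communicate(b"")
        # s_client logs certificate verification ("verify return") on stderr
        # once the server has answered; suites without a server certificate
        # (aNULL) do not produce this marker.
        if b"verify return" in err:
            print(cipher + ":OK")
            # print(out)
        else:
            print(cipher + ":FAIL")
    print("")


if __name__ == '__main__':
    groups = ["HIGH", "MEDIUM", "LOW", "EXPORT", "eNULL", "aNULL"]
    for group in groups:
        test_group(group)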
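A possible follow-up to the script above, added here as an example and not part of the original post: it parses the "= GROUP =" and "CIPHER:OK" / "CIPHER:FAIL" lines the script prints and lists every suite the server accepted from the LOW, EXPORT, eNULL or aNULL groups. The function names, the choice of which groups count as weak and the sample text are assumptions of this example.

```python
import re
import sys

# Assumption of this example: HIGH and MEDIUM are acceptable, the rest are not.
WEAK_GROUPS = {"LOW", "EXPORT", "eNULL", "aNULL"}
HEADER = re.compile(r"^= (\S+) =$")
RESULT = re.compile(r"^([A-Za-z0-9_-]+):(OK|FAIL)$")

def parse_scan(text):
    """Return {group: {cipher: accepted}} parsed from scan.py output."""
    results, group = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            group = header.group(1)
            results.setdefault(group, {})
            continue
        result = RESULT.match(line)
        if result is None or group is None:
            raise ValueError("line %d: unexpected scan output: %r" % (lineno, raw))
        cipher, status = result.groups()
        # A name can be listed twice in one group; a single OK marks it accepted.
        results[group][cipher] = results[group].get(cipher, False) or status == "OK"
    return results

def weak_accepted(results, weak_groups=WEAK_GROUPS):
    """Sorted (group, cipher) pairs the server accepted from weak groups."""
    return sorted((g, c) for g, suites in results.items() if g in weak_groups
                  for c, ok in suites.items() if ok)

# Constructed sample in the post's output format (not a real scan result).
SAMPLE = """= HIGH =
AES256-SHA:OK
= LOW =
DES-CBC-SHA:OK
= EXPORT =
EXP-RC4-MD5:FAIL
EXP-RC4-MD5:OK
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = weak_accepted(parse_scan(text))
    for group, cipher in findings:
        print("%s suite accepted: %s" % (group, cipher))
    sys.exit(1 if findings else 0)
```

Piping the scan output into it gives a non-zero exit status whenever a weak suite was accepted, which makes the check usable in a scheduled job or build step.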