Portcullis Labs - perl (Labs Portcullis updates) http://labs.portcullis.co.uk Fri, 15 Feb 2013 16:55:41 GMT

UNIXSocketScanner | Content Thu, 31 Jan 2013 01:40:07 GMT http://labs.portcullis.co.uk/application/unixsocketscanner/
<p>UNIX socket scanner.</p>
<p>Features:</p>
<ul>
<li>Multi-threaded</li>
<li>Supports both its internal probe format and the nmap probe format</li>
</ul>

rdp-sec-check | Content Sun, 15 Jul 2012 15:17:44 GMT http://labs.portcullis.co.uk/application/rdp-sec-check/
<p>rdp-sec-check is a tool to remotely check whether certain security features of an RDP service (AKA Terminal Services) have been enabled. It does not require authentication, only network connectivity to TCP port 3389.</p>
<p>It can determine many (though not quite all) of the security settings from the RDP-Tcp Properties | General tab:</p>
<ul>
<li>Which security layers are supported by the service: Standard RDP Security, TLSv1.0, CredSSP</li>
<li>For Standard RDP Security, the levels of encryption supported: 40-bit, 56-bit, 128-bit, FIPS</li>
</ul>
<p>The following potential security issues are flagged if present:</p>
<ul>
<li>The service supports Standard RDP Security. This is known to be vulnerable to an active Man in the Middle attack.</li>
<li>The service supports weak encryption (40-bit or 56-bit).</li>
<li>The service does not mandate Network Level Authentication (NLA). NLA can help to prevent certain types of Denial of Service attack.</li>
<li>The service supports FIPS encryption but doesn't mandate it. This may only be interesting in jurisdictions where FIPS is required.</li>
</ul>
<h2>Dependencies</h2>
<p>rdp-sec-check is a simple Perl script that requires one module from CPAN. Run 'cpan' as root, then install the Encoding::BER module:</p>
<pre> # cpan</pre>
<pre> cpan[1]&gt; install Encoding::BER</pre>
<h2>Output Example #1: An old Windows 2000 RDP Service</h2>
<pre>
$ rdp-sec-check.pl 10.0.0.94
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:34:38 2012

Target: 10.0.0.94
IP: 10.0.0.94
Port: 3389

[+] Checking supported protocols
[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Negotiation ignored - old Windows 2000/XP/2003 system??
[+] Checking RDP Security Layer
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Not supported
[+] Summary of protocol support
[-] 10.0.0.94:3389 supports PROTOCOL_RDP : TRUE
[-] 10.0.0.94:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.94:3389 supports PROTOCOL_SSL : FALSE
[+] Summary of RDP encryption support
[-] 10.0.0.94:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_NONE : FALSE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_40BIT : TRUE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_128BIT : FALSE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_56BIT : TRUE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_FIPS : FALSE
[+] Summary of security issues
[-] 10.0.0.94:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.94:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.94:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

rdp-sec-check v0.8-beta completed at Mon Jul 9 13:34:39 2012
</pre>
<h2>Output Example #2: A Windows 2003 SP0 RDP Service</h2>
<pre>
$ rdp-sec-check.pl 10.0.0.93
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:35:34 2012

Target: 10.0.0.93
IP: 10.0.0.93
Port: 3389

[+] Checking supported protocols
[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Negotiation ignored - old Windows 2000/XP/2003 system??
[+] Checking RDP Security Layer
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[+] Summary of protocol support
[-] 10.0.0.93:3389 supports PROTOCOL_RDP : TRUE
[-] 10.0.0.93:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.93:3389 supports PROTOCOL_SSL : FALSE
[+] Summary of RDP encryption support
[-] 10.0.0.93:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_NONE : FALSE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_40BIT : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_128BIT : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_56BIT : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_FIPS : TRUE
[+] Summary of security issues
[-] 10.0.0.93:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.93:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 10.0.0.93:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.93:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED
</pre>
<h2>Output Example #3: A typical Windows 2003 RDP Service</h2>
<pre>
$ rdp-sec-check.pl 10.0.0.111
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:36:56 2012

Target: 10.0.0.111
IP: 10.0.0.111
Port: 3389

[+] Checking supported protocols
[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Supported
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - SSL_NOT_ALLOWED_BY_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Not supported - SSL_NOT_ALLOWED_BY_SERVER
[+] Checking RDP Security Layer
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[+] Summary of protocol support
[-] 10.0.0.111:3389 supports PROTOCOL_RDP : TRUE
[-] 10.0.0.111:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.111:3389 supports PROTOCOL_SSL : FALSE
[+] Summary of RDP encryption support
[-] 10.0.0.111:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_NONE : FALSE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_40BIT : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_128BIT : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_56BIT : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_FIPS : TRUE
[+] Summary of security issues
[-] 10.0.0.111:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.111:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 10.0.0.111:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.111:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

rdp-sec-check v0.8-beta completed at Mon Jul 9 13:36:56 2012
</pre>
<h2>Output Example #4: A well configured Windows 2008 RDP Service</h2>
<pre>
$ rdp-sec-check.pl 10.0.0.21
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:32:30 2012

Target: 10.0.0.21
IP: 10.0.0.21
Port: 3389

[+] Checking supported protocols
[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Not supported - HYBRID_REQUIRED_BY_SERVER
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - HYBRID_REQUIRED_BY_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Supported
[+] Checking RDP Security Layer
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Not supported
[+] Summary of protocol support
[-] 10.0.0.21:3389 supports PROTOCOL_RDP : FALSE
[-] 10.0.0.21:3389 supports PROTOCOL_HYBRID: TRUE
[-] 10.0.0.21:3389 supports PROTOCOL_SSL : FALSE
[+] Summary of RDP encryption support
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_NONE : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_40BIT : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_128BIT : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_56BIT : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_FIPS : FALSE
[+] Summary of security issues

rdp-sec-check v0.8-beta completed at Mon Jul 9 13:32:31 2012
</pre>

ssl-cipher-suite-enum | Content Wed, 13 Feb 2013 12:11:30 GMT http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/
<p>ssl-cipher-suite-enum is a tool for enumerating the SSL cipher suites supported by network services (principally HTTPS).
</p>
<h2>Key Features</h2>
<ul>
<li>Support for legacy and newer versions of SSL/TLS: SSLv2.0, TLSv1.0/SSLv3.0, TLSv1.1, TLSv1.2</li>
<li>Support for SSL testing over SMTP (STARTTLS), RDP and FTP (AUTH SSL)</li>
<li>Flagging of common security issues on a per-host and per-cipher-suite basis (see below for the list)</li>
<li>Works even when the service requires a client SSL certificate</li>
<li>Bruteforces SSLv3+ cipher suites, rather than relying on a fixed list of cipher suites that were known at the time of writing</li>
<li>No reliance on SSL libraries, which can cause false negatives</li>
<li>Human readable and greppable output, to support reporting and automation</li>
<li>Fast scan rate: 1000 connections/second over the LAN</li>
<li>Option to throttle connection speed</li>
<li>Optimised scanning: unpopular cipher suites are grouped into a single handshake to reduce the number of required connections</li>
<li>Option to log all output to a file</li>
<li>Support for scanning a list of hosts</li>
<li>Handling of servers that accept cipher suites the client didn't offer (rare, but it does happen!)</li>
</ul>
<h2>Security Issues Identified</h2>
<p>ssl-cipher-suite-enum identifies the following common security issues relating to SSL:</p>
<ul>
<li>SSLv2 being supported: this version of the protocol is vulnerable to a downgrade attack and has other inherent problems.</li>
<li>Cipher suites that use symmetric encryption where the key length is less than 128 bits.</li>
<li>Support for key exchange algorithms that don't provide forward secrecy; equivalently, cipher suites that allow sniffed traffic to be retrospectively decrypted if the private SSL key were to be compromised.</li>
<li>Anonymous Diffie-Hellman key exchanges, which allow Man in the Middle attacks.</li>
<li>Cipher suite / protocol combinations that are vulnerable to the BEAST attack, i.e. combinations that would leave the client-&gt;server stream open to the BEAST attack.</li>
</ul>
<h2>Overview</h2>
<p>The tool performs a similar function to <a href="https://www.titania-security.com/labs/sslscan">sslscan</a>, <a href="http://www.thc.org/root/tools/">THCSSLCheck</a> and <a href="http://code.google.com/p/sslyze/">sslyze</a>, but differs by crafting part of the SSL handshake instead of using an SSL library to establish a full connection. For SSLv3.0 and above, cipher suites are bruteforced (each cipher suite is represented as a 2-byte field, generally 0x00?? or 0xC0??, yielding 512 possible values). For SSLv2 only known cipher suites are tried: the search space for SSLv2 cipher suites appears to be much larger, which precludes timely bruteforcing.</p>
<p>The handshake-crafting approach provides some significant advantages over library-based tools. Libraries either become outdated and therefore incapable of testing for new protocols such as TLSv1.2 or exotic cipher suites, or they are updated and lose support for older protocols, namely SSLv2. This can be a significant cause of false negative results when performing vulnerability assessments.</p>
<p>ssl-cipher-suite-enum therefore aims to ensure that you can always identify all supported cipher suites and that you never miss the fact that SSLv2 is supported. There is, of course, an increased risk of false positive results: because no SSL library is used, the connection is never fully established. ssl-cipher-suite-enum will not detect that an application refuses to talk over weaker cipher suites, or that a full connection fails for some other reason, such as a client certificate being required.</p>
<p>Also see the <a href="/application/ssl-cipher-suite-enum/faq/">FAQ</a> page.</p>
<h2>Example Output 1: Old Host Supporting SSLv2</h2>
<pre>
$ ssl-cipher-suite-enum.pl 127.0.0.1
Starting ssl-cipher-enum v0.4-beta ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Tue Jul 3 14:48:21 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target: 127.0.0.1
IP: 127.0.0.1
Port: 443
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC4_128_WITH_MD5[010080] SSL2_INSEC,NO_PFS
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC4_128_EXPORT40_WITH_MD5[020080] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC2_128_CBC_WITH_MD5[030080] SSL2_INSEC,BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC2_128_CBC_EXPORT40_WITH_MD5[040080] SSL2_INSEC,BEAST,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 DES_64_CBC_WITH_MD5[060040] SSL2_INSEC,BEAST,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 DES_192_EDE3_CBC_WITH_MD5[0700c0] SSL2_INSEC,BEAST,NO_PFS
[+] 6 SSLv2.0 cipher suites supported
[V] 127.0.0.1:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.1:443 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key

=== Testing protocol SSLv3.0 ===

[+] 0 SSLv3.0 cipher suites supported

=== Testing protocol TLSv1.0 ===

[+] 0 TLSv1.0 cipher suites supported

=== Testing protocol TLSv1.1 ===

[+] 0 TLSv1.1 cipher suites supported

=== Testing protocol TLSv1.2 ===

[+] 0 TLSv1.2 cipher suites supported

[+] Summary of support cipher suites for 127.0.0.1:443
SSLv2.0:
 * RC4_128_WITH_MD5
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;BEAST&quot; for 127.0.0.1:443
SSLv2.0:
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;NO_PFS&quot; for 127.0.0.1:443
SSLv2.0:
 * RC4_128_WITH_MD5
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;SSL2_INSEC&quot; for 127.0.0.1:443
SSLv2.0:
 * RC4_128_WITH_MD5
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;WEAK_ENC&quot; for 127.0.0.1:443
SSLv2.0:
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5

=== Scan Complete ===

[+] ssl-cipher-enum v0.4-beta completed at Tue Jul 3 14:48:22 2012. 918 connections in 1 secs.
</pre>
<h2 style="font-family: Arial, Verdana, sans-serif; white-space: normal; ">Example Output 2: Average Modern SSL Service</h2>
<pre>
$ ssl-cipher-suite-enum.pl localhost:443
Starting ssl-cipher-enum v0.4-beta ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Tue Jul 3 14:48:41 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target: localhost
IP: 127.0.0.2
Port: 443
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] 0 SSLv2.0 cipher suites supported

=== Testing protocol SSLv3.0 ===

[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 EDH_RSA_DES_192_CBC3_SHA[0016] BEAST
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 DHE_RSA_WITH_AES_128_SHA[0033] BEAST
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 DHE_RSA_WITH_AES_256_SHA[0039] BEAST
[+] Preferred SSLv3.0 cipher suite on 127.0.0.2:443: RSA_RC4_128_SHA[0005]
[+] 7 SSLv3.0 cipher suites supported
[V] 127.0.0.2:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.2:443 - Most encrypted connections will not use forward secrecy

=== Testing protocol TLSv1.0 ===

[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 EDH_RSA_DES_192_CBC3_SHA[0016] BEAST
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 DHE_RSA_WITH_AES_128_SHA[0033] BEAST
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 DHE_RSA_WITH_AES_256_SHA[0039] BEAST
[+] Preferred TLSv1.0 cipher suite on 127.0.0.2:443: RSA_RC4_128_SHA[0005]
[+] 7 TLSv1.0 cipher suites supported
[V] 127.0.0.2:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.2:443 - Most encrypted connections will not use forward secrecy

=== Testing protocol TLSv1.1 ===

[+] Protocol TLSv1.1 is not supported. Skipping.
[+] 0 TLSv1.1 cipher suites supported

=== Testing protocol TLSv1.2 ===

[+] Protocol TLSv1.2 is not supported. Skipping.
[+] 0 TLSv1.2 cipher suites supported

[+] Summary of support cipher suites for 127.0.0.2:443
SSLv3.0:
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * EDH_RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * DHE_RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * DHE_RSA_WITH_AES_256_SHA
TLSv1.0:
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * EDH_RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * DHE_RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * DHE_RSA_WITH_AES_256_SHA

[+] Summary of weakness &quot;BEAST&quot; for 127.0.0.2:443
SSLv3.0:
 * RSA_DES_192_CBC3_SHA
 * EDH_RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * DHE_RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * DHE_RSA_WITH_AES_256_SHA
TLSv1.0:
 * RSA_DES_192_CBC3_SHA
 * EDH_RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * DHE_RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * DHE_RSA_WITH_AES_256_SHA

[+] Summary of weakness &quot;NO_PFS&quot; for 127.0.0.2:443
SSLv3.0:
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
TLSv1.0:
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA

=== Scan Complete ===

[+] ssl-cipher-enum v0.4-beta completed at Tue Jul 3 14:48:41 2012. 470 connections in 0 secs.
</pre>
<h2 style="font-family: Arial, Verdana, sans-serif; white-space: normal; ">Example Output 3: Well Secured Service Supporting TLSv1.2</h2>
<pre>
$ ssl-cipher-suite-enum.pl www.example.com
Starting ssl-cipher-enum v0.4-beta ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Tue Jul 3 14:48:52 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target: www.example.com
IP: 127.0.0.3
Port: 443
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] 0 SSLv2.0 cipher suites supported

=== Testing protocol SSLv3.0 ===

[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012] BEAST
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013] BEAST
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014] BEAST
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Preferred SSLv3.0 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 9 SSLv3.0 cipher suites supported
[V] 127.0.0.3:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

=== Testing protocol TLSv1.0 ===

[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012] BEAST
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013] BEAST
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014] BEAST
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Preferred TLSv1.0 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 9 TLSv1.0 cipher suites supported
[V] 127.0.0.3:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

=== Testing protocol TLSv1.1 ===

[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Preferred TLSv1.1 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 9 TLSv1.1 cipher suites supported
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

=== Testing protocol TLSv1.2 ===

[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_128_CBC_SHA256[c027]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_256_CBC_SHA384[c028]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_128_GCM_SHA256[c02f]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_256_GCM_SHA384[c030]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_128_CBC_SHA256[003c] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_256_CBC_SHA256[003d] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_128_GCM_SHA256[009c] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_256_GCM_SHA384[009d] NO_PFS
[+] Preferred TLSv1.2 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 17 TLSv1.2 cipher suites supported
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

[+] Summary of support cipher suites for 127.0.0.3:443
SSLv3.0:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * ECDHE_RSA_WITH_RC4_128_SHA
 * ECDHE_RSA_WITH_DES_192_CBC3_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA
 * ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.0:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * ECDHE_RSA_WITH_RC4_128_SHA
 * ECDHE_RSA_WITH_DES_192_CBC3_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA
 * ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.1:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * ECDHE_RSA_WITH_RC4_128_SHA
 * ECDHE_RSA_WITH_DES_192_CBC3_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA
 * ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.2:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * RSA_WITH_AES_128_CBC_SHA256
 * RSA_WITH_AES_256_CBC_SHA256
 * RSA_WITH_AES_128_GCM_SHA256
 * RSA_WITH_AES_256_GCM_SHA384
 * ECDHE_RSA_WITH_RC4_128_SHA
 * ECDHE_RSA_WITH_DES_192_CBC3_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA
 * ECDHE_RSA_WITH_AES_256_CBC_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA256
 * ECDHE_RSA_WITH_AES_256_CBC_SHA384
 * ECDHE_RSA_WITH_AES_128_GCM_SHA256
 * ECDHE_RSA_WITH_AES_256_GCM_SHA384

[+] Summary of weakness &quot;BEAST&quot; for 127.0.0.3:443
SSLv3.0:
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * ECDHE_RSA_WITH_DES_192_CBC3_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA
 * ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.0:
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * ECDHE_RSA_WITH_DES_192_CBC3_SHA
 * ECDHE_RSA_WITH_AES_128_CBC_SHA
 * ECDHE_RSA_WITH_AES_256_CBC_SHA

[+] Summary of weakness &quot;NO_PFS&quot; for 127.0.0.3:443
SSLv3.0:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
TLSv1.0:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
TLSv1.1:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
TLSv1.2:
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * RSA_WITH_AES_128_CBC_SHA256
 * RSA_WITH_AES_256_CBC_SHA256
 * RSA_WITH_AES_128_GCM_SHA256
 * RSA_WITH_AES_256_GCM_SHA384

=== Scan Complete ===

[+] ssl-cipher-enum v0.4-beta completed at Tue Jul 3 14:49:39 2012. 922 connections in 47 secs.
</pre>
<h2>Output Example #4: Scanning SMTP Server That Supports STARTTLS</h2>
<pre>
$ ./ssl-cipher-suite-enum.pl --smtp 10.0.0.4:25
Starting ssl-cipher-suite-enum v0.9 ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Thu Jul 12 07:02:20 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target: 10.0.0.4
IP: 10.0.0.4
Port: 25
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Preamble: SMTP
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC4_128_WITH_MD5[010080] SSL2_INSEC,NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC4_128_EXPORT40_WITH_MD5[020080] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC2_128_CBC_WITH_MD5[030080] SSL2_INSEC,NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC2_128_CBC_EXPORT40_WITH_MD5[040080] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 DES_64_CBC_WITH_MD5[060040] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 DES_192_EDE3_CBC_WITH_MD5[0700c0] SSL2_INSEC,NO_PFS
[+] 6 SSLv2.0 cipher suites supported
[V] 10.0.0.4:25 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key

=== Testing protocol SSLv3.0 ===

[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC2_40_MD5[0006] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_DES_40_CBC_SHA[0008] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_DES_64_CBC_SHA[0009] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 EDH_RSA_DES_40_CBC_SHA[0014] WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 EDH_RSA_DES_64_CBC_SHA[0015] WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 EDH_RSA_DES_192_CBC3_SHA[0016]
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 DHE_RSA_WITH_AES_128_SHA[0033]
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 DHE_RSA_WITH_AES_256_SHA[0039]
[+] Preferred SSLv3.0 cipher suite on 10.0.0.4:25: RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC
[+] 14 SSLv3.0 cipher suites supported
[V] 10.0.0.4:25 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key
[V] 10.0.0.4:25 - Most encrypted connections will not use forward secrecy

=== Testing protocol TLSv1.0 ===

[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC2_40_MD5[0006] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_DES_40_CBC_SHA[0008] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_DES_64_CBC_SHA[0009] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 EDH_RSA_DES_40_CBC_SHA[0014] WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 EDH_RSA_DES_64_CBC_SHA[0015] WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 EDH_RSA_DES_192_CBC3_SHA[0016]
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 DHE_RSA_WITH_AES_128_SHA[0033]
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 DHE_RSA_WITH_AES_256_SHA[0039]
[+] Preferred TLSv1.0 cipher suite on 10.0.0.4:25: RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC
[+] 14 TLSv1.0 cipher suites supported
[V] 10.0.0.4:25 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key
[V] 10.0.0.4:25 - Most encrypted connections will not use forward secrecy

=== Testing protocol TLSv1.1 ===

[+] Protocol TLSv1.1 is not supported. Skipping.
[+] 0 TLSv1.1 cipher suites supported

=== Testing protocol TLSv1.2 ===

[+] Protocol TLSv1.2 is not supported. Skipping.
[+] 0 TLSv1.2 cipher suites supported

[+] Summary of support cipher suites for 10.0.0.4:25
SSLv2.0:
 * RC4_128_WITH_MD5
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5
SSLv3.0:
 * RSA_RC4_40_MD5
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_RC2_40_MD5
 * RSA_DES_40_CBC_SHA
 * RSA_DES_64_CBC_SHA
 * RSA_DES_192_CBC3_SHA
 * EDH_RSA_DES_40_CBC_SHA
 * EDH_RSA_DES_64_CBC_SHA
 * EDH_RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * DHE_RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * DHE_RSA_WITH_AES_256_SHA
TLSv1.0:
 * RSA_RC4_40_MD5
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_RC2_40_MD5
 * RSA_DES_40_CBC_SHA
 * RSA_DES_64_CBC_SHA
 * RSA_DES_192_CBC3_SHA
 * EDH_RSA_DES_40_CBC_SHA
 * EDH_RSA_DES_64_CBC_SHA
 * EDH_RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * DHE_RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
 * DHE_RSA_WITH_AES_256_SHA

[+] Summary of weakness &quot;NO_PFS&quot; for 10.0.0.4:25
SSLv2.0:
 * RC4_128_WITH_MD5
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5
SSLv3.0:
 * RSA_RC4_40_MD5
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_RC2_40_MD5
 * RSA_DES_40_CBC_SHA
 * RSA_DES_64_CBC_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA
TLSv1.0:
 * RSA_RC4_40_MD5
 * RSA_RC4_128_MD5
 * RSA_RC4_128_SHA
 * RSA_RC2_40_MD5
 * RSA_DES_40_CBC_SHA
 * RSA_DES_64_CBC_SHA
 * RSA_DES_192_CBC3_SHA
 * RSA_WITH_AES_128_SHA
 * RSA_WITH_AES_256_SHA

[+] Summary of weakness &quot;SSL2_INSEC&quot; for 10.0.0.4:25
SSLv2.0:
 * RC4_128_WITH_MD5
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
 * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;WEAK_ENC&quot; for 10.0.0.4:25
SSLv2.0:
 * RC4_128_EXPORT40_WITH_MD5
 * RC2_128_CBC_EXPORT40_WITH_MD5
 * DES_64_CBC_WITH_MD5
SSLv3.0:
 * RSA_RC4_40_MD5
 * RSA_RC2_40_MD5
 * RSA_DES_40_CBC_SHA
 * RSA_DES_64_CBC_SHA
 * EDH_RSA_DES_40_CBC_SHA
 * EDH_RSA_DES_64_CBC_SHA
TLSv1.0:
 * RSA_RC4_40_MD5
 * RSA_RC2_40_MD5
 * RSA_DES_40_CBC_SHA
 * RSA_DES_64_CBC_SHA
 * EDH_RSA_DES_40_CBC_SHA
 * EDH_RSA_DES_64_CBC_SHA

=== Scan Complete ===

[+] ssl-cipher-suite-enum v0.9 completed at Thu Jul 12 07:03:37 2012. 470 connections in 77 secs.
</pre>
<h2>Output Example #5: Scanning An RDP Service</h2>
<pre>
$ ./ssl-cipher-suite-enum.pl --rdp --tlsv1 10.0.0.5:3389
Starting ssl-cipher-suite-enum v0.9 ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Thu Jul 12 07:07:59 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target: 10.0.0.5
IP: 10.0.0.5
Port: 3389
Protocols: TLSv1.0
Preamble: RDP
Scan Rate: unlimited

=== Testing protocol TLSv1.0 ===

[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013]
[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014]
[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Preferred TLSv1.0 cipher suite on 10.0.0.5:3389: RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] 7 TLSv1.0 cipher suites
supported [V] 10.0.0.5:3389 - Most encrypted connections will not use forward secrecy [+] Summary of support cipher suites for 10.0.0.5:3389 TLSv1.0: * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA * ECDHE_RSA_WITH_AES_128_CBC_SHA * ECDHE_RSA_WITH_AES_256_CBC_SHA [+] Summary of weakness &quot;NO_PFS&quot; for 10.0.0.5:3389 TLSv1.0: * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA === Scan Complete === [+] ssl-cipher-suite-enum v0.9 completed at Thu Jul 12 07:08:21 2012. 227 connections in 22 secs. </pre> SSHatter | Content Wed, 16 Feb 2011 12:19:48 GMT http://labs.portcullis.co.uk/application/sshatter/ <p>Password brute forcer for SSH.</p> <p>Features:</p> <ul> <li>Multi threaded</li> <li>Supports both SSH v1 and v2 protocols</li> <li>Supports key based brute forcing</li> <li>Support for post brute force exploration</li> <li>Mass mode to run one command across all targets</li> <li>Support for sudo based privilege escalation</li> <li>Integrated file transfer support</li> </ul> udp-proto-scanner | Content Wed, 26 Nov 2008 16:23:36 GMT http://labs.portcullis.co.uk/application/udp-proto-scanner/ <p>udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:</p> <pre> $ udp-proto-scanner.pl -f ips.txt $ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1 $ udp-proto-scanner.pl -p ntp -f ips.txt </pre> <p>The probe names (for -p) are defined in udp-proto-scanner.conf. 
List probe names using the -l option:</p> <pre> $ udp-proto-scanner.pl -l </pre> <h2>What's it Used For?</h2> <p>It's used in the host-discovery and service-discovery phases of a pentest.<br /> <br /> It can be helpful if you need to discover hosts that only offer UDP services<br /> and are otherwise well firewalled - e.g. if you want to find all the DNS<br /> servers in a range of IP addresses. Alternatively, on a LAN you might want<br /> a quick way to find all the TFTP servers.<br /> <br /> Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond<br /> unless you know a valid community string). However, many UDP services can be<br /> discovered, e.g.:</p> <ul> <li>DNS</li> <li>TFTP</li> <li>NTP</li> <li>NBT</li> <li>SunRPC</li> <li>MS SQL</li> <li>DB2</li> <li>SNMPv3</li> </ul> <h2>It's Not a Portscanner</h2> <p>It won't give you a list of open and closed ports for each host. It's simply<br /> looking for specific UDP services.</p> <h2>Efficiency</h2> <p>It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.<br /> 256 IPs or more). If you run it against small numbers of hosts it will seem<br /> quite slow because it waits for 1 second between each different type of probe.</p> <p>One cool feature of udp-proto-scanner is that it doesn't load the whole host list <br /> into memory. Therefore, if you want to scan 17 million IPs, you can. 
It'll <br /> take a while, but you won't run out of memory.</p> <h2>Credits</h2> <p>The UDP probes are mainly taken from amap, nmap and ike-scan.<br /> Inspiration for the scanning code was drawn from ike-scan.<br /> Net::Netmask by David Muir Sharnoff is included in this tool.</p> Apache Users | Content Thu, 11 Sep 2008 11:22:18 GMT http://labs.portcullis.co.uk/application/apache-users/ <p>This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.</p> acccheck | Content Wed, 09 Apr 2008 18:48:49 GMT http://labs.portcullis.co.uk/application/acccheck/ <p>The tool is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.</p> <p>The simplest way to run the tool is as follows:<br /> <br /> ./acccheck.pl -t 10.10.10.1<br /> <br /> This mode of execution attempts to connect to the target ADMIN$ share with the username 'Administrator' and a [BLANK] for the password.<br /> <br /> ./acccheck.pl -t 10.10.10.1 -u test -p test<br /> <br /> This mode of execution attempts to connect to the target IPC$ share with the username 'test' and a password 'test'.<br /> <br /> Each of the -t, -u and -p flags can be substituted by -T, -U and -P, where each represents an input file rather than a single input from standard in.<br /> <br /> E.g.<br /> ./acccheck.pl -T iplist -U userfile -P passwordfile<br /> <br /> Only use -v mode on very small dictionaries; otherwise it has the effect of slowing the scan down to the rate at which the system writes to standard out.<br /> <br /> Any username/password combinations found are written to a file called 'cracked' in the working directory.</p> MIBparse | Content Mon, 07 Apr 2008 23:38:19 GMT http://labs.portcullis.co.uk/application/mibparse/ <p>MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 
'snmpwalk' (NET-SNMP project 'net-snmp.sourceforge.net'). The output returned depends on the options selected by the user. Typically the tool can extract information relating to the system, services, open ports, users, shares and installed components.</p> <p><b>Requirements</b></p> <p>The only requirement is Perl.</p> <p><b>Running</b></p> <p>The simplest way to run the tool is as follows:<br /> <br /> ./MIBparse -f public.txt<br /> <br /> Where &quot;public.txt&quot; is the output from 'snmpwalk' piped to a file. In this mode all available information is displayed to the user on standard out.<br /> <br /> The information that is output can be tailored using the '-a' flag. The following values can be used in conjunction with this flag:</p> <p>1 = All<br /> 2 = System<br /> 3 = Routing information<br /> 4 = Services<br /> 5 = TCP ports<br /> 6 = UDP ports<br /> 7 = Users<br /> 8 = Shares<br /> 9 = Domain<br /> 10 = Installed components<br /> 11 = Community strings</p> <p>Each value corresponds to the type of information that is output. As an example, '-a 7' will output all of the users from a Windows system. The example execution in this case would be:<br /> <br /> ./MIBparse.pl -f public.txt -a 7<br /> <br /> If you wish to execute the tool from a working directory which is not in your $PATH then the '-b' option can be used to specify the location of the 'tags' file. This option can also be used to specify any file as a tags file as long as the format of the file conforms to the example that is provided. The example execution in such a case would be:<br /> <br /> ./MIBparse.pl -f public.txt -b ./tags<br /> OR<br /> ./MIBparse.pl -f public.txt -b ./mytagsfile<br /> <br /> Finally, the '-b' flag can be used in conjunction with the '-a' flag. 
The example execution in such a case would be:<br /> <br /> ./MIBparse.pl -f public.txt -b ./mytagsfile -a 7</p> BSQL brute forcer V2 | Content Wed, 18 Jun 2008 12:21:58 GMT http://labs.portcullis.co.uk/application/bsql-brute-forcer/ <p>This is a modified version of 'bsqlbfv1.2-th.pl'. This Perl script allows extraction of data from blind SQL injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:-<br /> <br /> <b>0. MS-SQL<br /> 1. MySQL<br /> 2. Postgres<br /> 3. Oracle</b><br /> <br /> The tool supports 2 attack modes (-type switch):-<br /> <br /> Type 0:- Blind SQL injection based on true and false conditions returned by the back-end server<br /> <br /> Type 1:- Blind SQL injection based on true and error (e.g. syntax error) responses returned by the back-end server.<br /> <br /> Usage example:<br /> <b>$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql &quot;select top 1 name from sysobjects where xtype='U'&quot;</b></p> ManySSL | Content Tue, 09 Dec 2008 15:40:49 GMT http://labs.portcullis.co.uk/application/ManySSL/ <p>This Perl script will enumerate the SSL ciphers in use on any SSL encrypted service. It is not restricted to HTTPS and can be used on SMTP servers that support STARTTLS.</p> <p><b>Features Include</b></p> <ul> <li>Warn the operator if a self-signed certificate is detected.</li> <li>Warn the operator if an expired certificate is detected.</li> <li>Full cipher, key-exchange and authentication key strength output.</li> <li>Use of a client specified SSL certificate.</li> </ul> http-dir-enum | Content Fri, 28 Mar 2008 16:49:57 GMT http://labs.portcullis.co.uk/application/http-dir-enum/ <p>http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. 
Simply provide a dictionary file and a URL.</p> <p>This tool is written in Perl and uses the LWP library.</p> <p>Features include:</p> <ul> <li>Automatic detection of which HTTP response code to ignore (normally 404, but can vary on some sites)</li> <li>Support for brute-forcing files and directories</li> <li>Can search for directories recursively</li> <li>Proxy support</li> <li>Support for HTTP Basic Authentication</li> <li>Support for sending custom cookies</li> <li>Save scan output in XML format</li> <li>Command line (lack of GUI is a feature, not a bug)</li> <li>Multi-threading for extra speed</li> <li>HTTP keep-alive support for extra speed (can be turned off)</li> </ul> <p>Check out the <a href="/content/http-dir-enum/usage/">usage</a> page for a full list of options. There are also lots of <a href="/content/http-dir-enum/examples/">examples</a> to get you started.</p> enum4linux | Content Tue, 16 Sep 2008 11:29:28 GMT http://labs.portcullis.co.uk/application/enum4linux/ <p>Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com.<br /> <br /> It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. The Samba package is therefore a dependency.<br /> <br /> Features include:</p> <ul> <li>RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)</li> <li>User Listing (When RestrictAnonymous is set to 0 on Windows 2000)</li> <li>Listing of Group Membership Information</li> <li>Share Enumeration</li> <li>Detecting if host is in a Workgroup or a Domain</li> <li>Identifying the remote Operating System</li> <li>Password Policy Retrieval (using <a href="/application/polenum/">polenum</a>)</li> </ul> <p>Check out the <a href="/content/enum4linux/usage/">usage</a> page for a full list of options. 
There are also lots of <a href="/content/enum4linux/examples/">examples</a> to get you started.</p>