Friday, December 4, 2009

Digging into SSL Cipher Checking


On a recent pentest one of the findings that came up (actually it seems like this finding is on every pentest) is the web server allowing SSLv2.

In the course of doing the report I of course wanted to point to a good reason why this was the case. It was actually difficult to find a CVE/CVSS/etc. to say why it's bad; in fact, I never did. Kind of the same with allowing VRFY on your SMTP server. We all know it's bad, but where is the proof?

Nevertheless, here are some links that were useful in understanding the problem.

http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf
http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2-and-older-protocols.html
http://osvdb.org/show/osvdb/56387
http://www.schneier.com/paper-ssl.pdf
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
http://clearskies.net/blog/2009/03/01/insecure-ssl-and-how-pci-nearly-gets-it-right/

OSVDB updated their entry for SSLv2
http://osvdb.org/56387

Also a couple of tools to do some checking for you:

Foundstone's SSLDigger
http://www.foundstone.com/us/resources/proddesc/ssldigger.htm

nmap will do this for you with -A with port 443 open or with the sslv2 script
http://nmap.org/nsedoc/scripts/sslv2.html

ssl-cipher-check.pl from http://www.unspecific.com/ssl/

Example output from the tool site:

Usage:

$ perl ./ssl-cipher-check.pl
: SSL Cipher Check: 1.2
: written by Lee 'MadHat' Heath (at) Unspecific.com
Usage:
./ssl-cipher-check.pl [ -dvwas ] []
default port is 443
-d Add debug info (show it all, lots of stuff)
-v Verbose. Show more info about what is found
-w Show only weak ciphers enabled.
-a Show all ciphers, enabled or not
-s Show only the STRONG ciphers enabled.

Default Output:
$ perl ./ssl-cipher-check.pl mail.yahoo.com
Testing mail.yahoo.com:443
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits

TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits

** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits **
** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **

*WARNING* 14 WEAK Ciphers Enabled.
Total Ciphers Enabled: 24
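
Output in this format is easy to turn into report findings. As an added example (not part of the original post and not code from ssl-cipher-check.pl), the Python below parses such lines and records why each enabled suite counts as weak. The rule it applies (SSLv2, an EXP- export suite, or a key under 128 bits) is an assumption inferred from the labels in the sample output, and the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the sample output above (a subset, to keep this short).
SAMPLE = """\
Testing mail.yahoo.com:443
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
"""

# "<proto>:<cipher> - ENABLED - <label> <n> bits", optionally wrapped in "** ... **".
LINE_RE = re.compile(r"^\W*(SSLv2|SSLv3|TLSv1):([A-Z0-9-]+) - ENABLED - (STRONG|WEAK) (\d+) bits")

def reasons(proto, cipher, bits):
    """Assumed rule, inferred from the sample labels; not taken from the tool's source."""
    why = []
    if proto == "SSLv2":
        why.append("SSLv2 protocol")
    if cipher.startswith("EXP-"):
        why.append("export-grade suite")
    if bits < 128:
        why.append(f"{bits}-bit key")
    return why

def audit(output):
    """Return one dict per enabled suite, with the tool's label and our reasons."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, cipher, label, bits = m[1], m[2], m[3], int(m[4])
            findings.append({"proto": proto, "cipher": cipher, "bits": bits,
                             "label": label, "why": reasons(proto, cipher, bits)})
    return findings

def disagreements(findings):
    """Suites where the assumed rule and the tool's WEAK/STRONG label differ."""
    return [f for f in findings if (f["label"] == "WEAK") != bool(f["why"])]

def weak_by_protocol(findings):
    return Counter(f["proto"] for f in findings if f["label"] == "WEAK")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["proto"], f["cipher"], f["label"], "; ".join(f["why"]) or "-")
```

A non-empty result from disagreements() means the assumed rule does not match the tool's labels for that scan and the reasons should be reviewed by hand.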

Links that go with the above tools

ssl-cipher-check author's talk slides
http://dc214.org/.go/presentations#mar2009

Disabling SSLv2 on a variety of services:
http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

http://adamyoung.net/Disable-SSLv2-System-Wide
CG

4 comments:

Anonymous said...

sslscan, great tool, might have to disable elliptic curve ciphers in the code if your openssl doesn't support it.

john askew said...

I've used this tool before to good effect. It detects preferred ciphers as well.

https://www.titania.co.uk/index.php?option=com_content&view=article&id=56&Itemid=68

To add to concern, it appears that some popular modern mobile devices support weak ciphers.

http://michael-coates.blogspot.com/2009/12/iphone-android-support-weak-ssl-ciphers.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+MichaelCoates%2Fsecurity+%28Michael+Coates+Blogspot%29

Rory McCune said...

If you're looking for a Ruby option for checking cipher suites, here's a script I knocked up a little while ago.

http://www.mccune.org.uk/code/ruby-ssl-checker.rb

Planning to do a Metasploit module for it soon...

cmlh said...

These are the URLs hosted on OWASP:
1. http://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29#References
2. http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet