Nmap - Zenmap GUI, OpenSSL, sslscan


This article covers additional tools used recently in my security adventures.

I continued to explore using Nmap at a deeper level. One handy link was the documentation with all the possible switches. I use a MacBook with Nmap 7.91 (the latest at the time of writing). Nmap is an amazing tool, and investigating the various switches helps me learn more of its capabilities.

This week I used the Nmap GUI tool, Zenmap GUI.


I investigated each option in the drop-down, looked at the command syntax, and tried both in the GUI and on the command line.

OpenSSL

A recent adventure in my role is looking for "soon to be" and "expired" certificates. Monitoring certificates could be an entire article in itself. My goal is to briefly discuss using OpenSSL to retrieve certificate details using command line tools.

Mac / Linux

echo QUIT | openssl s_client -servername 10.10.10.10 -connect 10.10.10.10:443 2>/dev/null | openssl x509 -noout -issuer -dates -subject

echo QUIT | openssl s_client -servername 10.10.10.10 -connect 10.10.10.10:443 2>/dev/null | openssl x509 -text | grep DNS

Windows

echo QUIT | openssl s_client -servername 10.10.10.10 -connect 10.10.10.10:443 2>&1 | openssl x509 -noout -issuer -dates -subject

The above commands assume OpenSSL is installed. On Mac and Linux, OpenSSL is there by default. You might need to update to a later version. For Windows, I found a good reference here.

I've embedded these commands in a Python or PowerShell script file, logging the results to a CSV file.
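As an added illustration (not the author's script), here is one way to wrap the Mac / Linux pipeline above in Python, classify each certificate as ok, expiring, expired or unknown, and log the result to CSV. The function names, the 30-day warning window and the CSV columns are assumptions; the sample text is constructed from the certificate values shown in the sslscan output further down.

```python
import csv
import subprocess
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # openssl prints e.g. "Aug  8 12:00:00 2021 GMT"
# Constructed sample of the x509 output, reusing the certificate values shown in this article.
SAMPLE = """issuer=CN = Example Inc ECC CA-3
notBefore=Aug  8 00:00:00 2020 GMT
notAfter=Aug  8 12:00:00 2021 GMT
subject=CN = sni.example.com
"""

def fetch_cert_text(host, port=443, timeout=10):
    """Run the article's s_client | x509 pipeline without a shell; '' on any failure."""
    opts = dict(capture_output=True, timeout=timeout)
    try:
        hello = subprocess.run(["openssl", "s_client", "-servername", host,
                                "-connect", f"{host}:{port}"], input=b"QUIT\n", **opts)
        cert = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-dates", "-subject"],
                              input=hello.stdout, **opts)
    except (OSError, subprocess.TimeoutExpired):
        return ""  # openssl missing or host unreachable: classified as 'unknown' below
    return cert.stdout.decode(errors="replace")

def parse_cert_text(text):
    """Split each 'key=value' line on the first '=' (issuer/subject values contain '=')."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def classify(fields, now, warn_days=30):
    """Return (status, days_left) for an aware UTC `now`; no notAfter means 'unknown'."""
    try:
        not_after = datetime.strptime(" ".join(fields["notAfter"].split()), DATE_FMT)
    except (KeyError, ValueError):
        return "unknown", None
    delta = not_after.replace(tzinfo=timezone.utc) - now
    if delta.total_seconds() <= 0:
        return "expired", delta.days
    return ("expiring" if delta.days < warn_days else "ok"), delta.days

def write_report(targets, out, now, fetch=fetch_cert_text):
    """Write a header and one CSV row per host to the open text file `out`."""
    writer = csv.writer(out)
    writer.writerow(["host", "status", "days_left", "not_after", "subject", "issuer"])
    for host in targets:
        fields = parse_cert_text(fetch(host))
        status, days = classify(fields, now)
        writer.writerow([host, status, days, fields.get("notAfter", ""),
                         fields.get("subject", ""), fields.get("issuer", "")])
```

A host that cannot be reached or returns no certificate lands in the CSV as "unknown" rather than silently passing, so those rows get a manual look.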

sslscan

sslscan is a powerful tool for auditing ciphers, certificate information and more. I started using sslscan for more auditing and detecting information. Check out the GitHub README for all details.

Here is detailed output.

Connected to 127.127.127.127

Testing SSL server example.org on port 443 using SNI name example.org

SSL/TLS Protocols:
SSLv2   disabled
SSLv3   disabled
TLSv1.0  enabled
TLSv1.1  enabled
TLSv1.2  enabled
TLSv1.3  enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256    Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384    Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA    Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256   Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA    Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384   Curve 25519 DHE 253
Preferred TLSv1.1 128 bits ECDHE-ECDSA-AES128-SHA    Curve 25519 DHE 253
Accepted TLSv1.1 256 bits ECDHE-ECDSA-AES256-SHA    Curve 25519 DHE 253
Preferred TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA    Curve 25519 DHE 253
Accepted TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA    Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519

SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
ECC Curve Name:   prime256v1
ECC Key Strength:  128
Subject: sni.example.com
Altnames: DNS:sni.example.com, DNS:*.example.org, DNS:example.org
Issuer:  Example Inc ECC CA-3
Not valid before: Aug 8 00:00:00 2020 GMT
Not valid after: Aug 8 12:00:00 2021 GMT

The last tool is interesting. NetworkMiner is a Network Forensic Analysis Tool (NFAT).


I enabled it on my #homelab and let it run. Notice my dropdown is running on a Windows 10 machine with Hyper-V enabled. I had to select the 192.168.2.164 adapter. After that, I let NetworkMiner 2.6 run for a while, and lots of interesting things were discovered on my home network. There is a free and a professional version available. I don't have experience running it in a production environment... yet. If you have more experience to share on this tool, please leave a comment.

In conclusion, this is a brief overview of tools I investigated this past week. I continue to dive deeper into Nmap, which is a core tool for scanning, discovering and all kinds of interesting things on a network. Steve signing off for another week. Happy cybersecurity bug hunting this week!
