PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 13:11:28 +00:00
Code Issues Projects Releases Wiki Activity

Warn if no ciphers support FS. See #1309

Browse Source
This commit is contained in:
dmiller
2018-08-27 15:02:48 +00:00
parent 069c76a1de
commit bc0935a51a
2 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
nselib/tls.lua
View File

@@ -897,6 +897,7 @@ KEX_ALGORITHMS.RSA_EXPORT1024 = KEX_ALGORITHMS.RSA_EXPORT
KEX_ALGORITHMS.DHE_RSA={ KEX_ALGORITHMS.DHE_RSA={
pubkey="rsa", pubkey="rsa",
type = "dh", type = "dh",
pfs = true,
server_key_exchange = function (blob, protocol) server_key_exchange = function (blob, protocol)
local pos local pos
local ret = {} local ret = {}
@@ -909,17 +910,20 @@ KEX_ALGORITHMS.DHE_RSA_EXPORT={
export=true, export=true,
pubkey="rsa", pubkey="rsa",
type = "dh", type = "dh",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange
} }
KEX_ALGORITHMS.DHE_DSS={ KEX_ALGORITHMS.DHE_DSS={
pubkey="dsa", pubkey="dsa",
type = "dh", type = "dh",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange
} }
KEX_ALGORITHMS.DHE_DSS_EXPORT={ KEX_ALGORITHMS.DHE_DSS_EXPORT={
export=true, export=true,
pubkey="dsa", pubkey="dsa",
type = "dh", type = "dh",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange
} }
KEX_ALGORITHMS.DHE_DSS_EXPORT1024 = KEX_ALGORITHMS.DHE_DSS_EXPORT1024 KEX_ALGORITHMS.DHE_DSS_EXPORT1024 = KEX_ALGORITHMS.DHE_DSS_EXPORT1024
@@ -942,6 +946,7 @@ KEX_ALGORITHMS.DH_RSA_EXPORT={
KEX_ALGORITHMS.ECDHE_RSA={ KEX_ALGORITHMS.ECDHE_RSA={
pubkey="rsa", pubkey="rsa",
type = "ec", type = "ec",
pfs = true,
server_key_exchange = function (blob, protocol) server_key_exchange = function (blob, protocol)
local pos local pos
local ret = {} local ret = {}
@@ -953,6 +958,7 @@ KEX_ALGORITHMS.ECDHE_RSA={
KEX_ALGORITHMS.ECDHE_ECDSA={ KEX_ALGORITHMS.ECDHE_ECDSA={
pubkey="ec", pubkey="ec",
type = "ec", type = "ec",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.ECDHE_RSA.server_key_exchange server_key_exchange = KEX_ALGORITHMS.ECDHE_RSA.server_key_exchange
} }
KEX_ALGORITHMS.ECDH_ECDSA={ KEX_ALGORITHMS.ECDH_ECDSA={
@@ -995,6 +1001,7 @@ KEX_ALGORITHMS.RSA_PSK = {
} }
KEX_ALGORITHMS.DHE_PSK = { KEX_ALGORITHMS.DHE_PSK = {
type = "dh", type = "dh",
pfs = true,
server_key_exchange = function (blob, protocol) server_key_exchange = function (blob, protocol)
local pos local pos
local ret = {} local ret = {}
@@ -1009,6 +1016,7 @@ KEX_ALGORITHMS.PSK_DHE = KEX_ALGORITHMS.DHE_PSK
--rfc5489 --rfc5489
KEX_ALGORITHMS.ECDHE_PSK={ KEX_ALGORITHMS.ECDHE_PSK={
type = "ec", type = "ec",
pfs = true,
server_key_exchange = function (blob, protocol) server_key_exchange = function (blob, protocol)
local pos local pos
local ret = {} local ret = {}

3
scripts/ssl-enum-ciphers.nse
View File

@@ -675,6 +675,7 @@ local function find_ciphers_group(host, port, protocol, group, scores)
scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true
end end
local kex = tls.KEX_ALGORITHMS[info.kex] local kex = tls.KEX_ALGORITHMS[info.kex]
scores.any_pfs_ciphers = kex.pfs or scores.any_pfs_ciphers
local extra, kex_strength local extra, kex_strength
if kex.anon then if kex.anon then
kex_strength = 0 kex_strength = 0
@@ -815,6 +816,8 @@ local function find_ciphers(host, port, protocol)
end end
end end
if not next(results) then return nil end if not next(results) then return nil end
scores.warnings["Forward Secrecy not supported by any cipher"] = (not scores.any_pfs_ciphers) or nil
scores.any_pfs_ciphers = nil
return results, scores return results, scores
end end