Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Sslscan Windows Download
156 views
Skip to first unread message
Niccoletta Boyer
Jan 3, 2024, 9:24:56 PM1/3/24
to
I'm neither a windows expert nor an information security expert. Recently I inherited some Windows server 2012 R2 hosts that I have to manage. For reasons explained in this other post I realized (using sslscan with the --show-sigs option against the winrm port 5986) that all those hosts only support one Server Signature Algorithm, namely rsa_pkcs1-sha1 (see screenshot below).
sslscan windows download
Download https://1demphisvstiggo.blogspot.com/?bg=2x27Ba
For step by step actions, take a look at -us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https The article is for Windows 10, so some commands might differ, but the concept is the same
You can also use different tools to test the available cipher suites, this is what SSL Labs, etc.provide for TLS enabled websites as well. This posthighlights some tools and scripts such as sslscan or testssl.sh
1 root kali:# sslscan -h 2 3 __ 4 / / / / __/ ` ' \ 5 _ _ \ _ \ ( ( 6 ///__, 7 8 9 1.11.5-static10 OpenSSL 1.0.2h-dev xx XXX xxxx11 Command:12 sslscan [Options] [host:port host]13 14 Options:15 --targets= A file containing a list of hosts to check.16 Hosts can be supplied with ports (host:port)17 --ipv4 Only use IPv418 --ipv6 Only use IPv619 --show-certificate Show full certificate information20 --no-check-certificate Don't warn about weak certificate algorithm or keys21 --show-client-cas Show trusted CAs for TLS client auth22 --show-ciphers Show supported client ciphers23 --show-cipher-ids Show cipher ids24 --show-times Show handhake times in milliseconds25 --ssl2 Only check SSLv2 ciphers26 --ssl3 Only check SSLv3 ciphers27 --tls10 Only check TLSv1.0 ciphers28 --tls11 Only check TLSv1.1 ciphers29 --tls12 Only check TLSv1.2 ciphers30 --tlsall Only check TLS ciphers (all versions)31 --ocsp Request OCSP response from server32 --pk= A file containing the private key or a PKCS#12 file33 containing a private key/certificate pair34 --pkpass= The password for the private key or PKCS#12 file35 --certs= A file containing PEM/ASN1 formatted client certificates36 --no-ciphersuites Do not check for supported ciphersuites37 --no-renegotiation Do not check for TLS renegotiation38 --no-compression Do not check for TLS compression (CRIME)39 --no-heartbleed Do not check for OpenSSL Heartbleed (CVE-2014-0160)40 --starttls-ftp STARTTLS setup for FTP41 --starttls-imap STARTTLS setup for IMAP42 --starttls-irc STARTTLS setup for IRC43 --starttls-pop3 STARTTLS setup for POP344 --starttls-smtp STARTTLS setup for SMTP45 --starttls-xmpp STARTTLS setup for XMPP46 --starttls-psql STARTTLS setup for PostgreSQL47 --xmpp-server Use a server-to-server XMPP handshake48 --http Test a HTTP connection49 --rdp Send RDP preamble before starting scan50 --bugs Enable SSL implementation bug work-arounds51 --timeout= Set socket timeout. Default is 3s52 --sleep= Pause between connection request. Default is disabled53 --xml= Output results to an XML file54 --version Display the program version55 --verbose Display verbose output56 --no-cipher-details Disable EC curve names and EDH/RSA key lengths output57 --no-colour Disable coloured output58 --help Display the help text you are now reading59 60 Example:61 sslscan 127.0.0.162 sslscan [::1]
1 root kali:# sslscan mail.google.com 2 Version: 1.11.5-static 3 OpenSSL 1.0.2h-dev xx XXX xxxx 4 5 Testing SSL server mail.google.com on port 443 6 7 TLS renegotiation: 8 Secure session renegotiation supported 9 10 TLS Compression:11 Compression disabled12 13 Heartbleed:14 TLS 1.2 not vulnerable to heartbleed15 TLS 1.1 not vulnerable to heartbleed16 TLS 1.0 not vulnerable to heartbleed17 18 Supported Server Cipher(s):19 Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 25620 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 25621 Accepted TLSv1.2 128 bits AES128-GCM-SHA256
22 Accepted TLSv1.2 128 bits AES128-SHA
23 Accepted TLSv1.2 128 bits AES128-SHA256
24 Accepted TLSv1.2 112 bits DES-CBC3-SHA
25 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 25626 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 25627 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 25628 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 25629 Accepted TLSv1.2 256 bits AES256-GCM-SHA384
30 Accepted TLSv1.2 256 bits AES256-SHA
31 Accepted TLSv1.2 256 bits AES256-SHA256
32 Preferred TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 25633 Accepted TLSv1.1 128 bits AES128-SHA
34 Accepted TLSv1.1 112 bits DES-CBC3-SHA
35 Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 25636 Accepted TLSv1.1 256 bits AES256-SHA
37 Preferred TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 25638 Accepted TLSv1.0 128 bits AES128-SHA
39 Accepted TLSv1.0 112 bits DES-CBC3-SHA
40 Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 25641 Accepted TLSv1.0 256 bits AES256-SHA
42 43 SSL Certificate:44 Signature Algorithm: sha256WithRSAEncryption45 RSA Key Strength: 204846 47 Subject: mail.google.com48 Altnames: DNS:mail.google.com, DNS:inbox.google.com49 Issuer: Google Internet Authority G250 51 Not valid before: Jul 20 10:25:50 2016 GMT52 Not valid after: Oct 12 09:58:00 2016 GMT
I know I designed a windows service that uses SSL certificates and it is designed to accept a connection request unencrypted and then ONLY reply when specific commands are sent to it on an encrypted connection. if you ran nmap or openssl against it, it would not respond because it is designed to ONLY respond to specific commands and it is HIGHLY unlikely that either of these tools send the correct commands by default. All network traffic is encrypted by SSL certificates, but unless you know the correct commands to send and the correct order to send them in, you wouldn't get a reply or you would get error responses.
This is the command sslscan that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
However, before we open the firewall, an internal test should be executed to validate the SSL hardening. You can run the sslscan tool (you can download from here sslscan) from another computer in the DMZ or the WAP server itself. DNS resolving of the federation or application name must resolve to the external Load Balancer or interface of the WAP server. Example for SSL Server Ciphers before SSL Hardening (left side) and after SSL Hardening (right side):
Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.
Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.
Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page .
which will clone the OpenSSL repository , and configure/compile/test OpenSSL prior to compiling sslscan .
Please note: Out of the box, OpenSSL cannot compiled with clang without further customization (which is not done by the provided Makefile ). For more information on this, see Modifying Build Settings in the OpenSSL wiki.
You can verify whether you have a statically linked OpenSSL version, if
Building on Debian
It is recommended that you statically build sslscan using the instructions listed above. If this is not an option and you want to compile your system OpenSSL with support for legacy protocols such as SSLv2 and SSLv3 then follow the instructions below.
Note that many modern distros (including Debian) ship with a version of OpenSSL that disables support for SSLv2 ciphers. If sslscan is compiled on one of these distros, it will not be able to detect SSLv2.
This issue can be resolved by rebuilding OpenSSL from source after removing the patch that disables SSLv2 support.
The build_openssl_debian.sh script automates this process for Debian systems. It has been tested on Debian Squeeze/Wheezy; it may work on other Debian based distros, but has not been tested. The built version of OpenSSL will be installed using dpkg .
If it is not possible to rebuild OpenSSL, sslscan will still compile (thanks to a patch from digineo/sslscan , based on the debian patch). However, a warning will be displayed in the output to notify the user that SSLv2 ciphers will not be detected.
Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.
Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.
Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page .Building on OS X
There is experimental support for statically building on OS X, however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on OS X. Once you have, just run:
Disabling deprecated ciphers suites is just as fun in windows, honest. For this example I will be using a fresh install of Server 2012 R2 on a virtual machine. Here we will see the before and after affects of disabling the likes of SSLv3. In order to test this I have simply setup IIS and presented a basic HTML page and added SSL/443 in the bindings with the use of a self signed certificate. A self signed certificate is appropriate in this instance as we just want to negotiate a secure connection. Disabling the cipher suites in windows server 2012 R2 along with the previous versions of windows is achieved through the registry, under the following reg keys:
35fe9a5643
sslscan windows download
Download https://1demphisvstiggo.blogspot.com/?bg=2x27Ba
For step by step actions, take a look at -us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https The article is for Windows 10, so some commands might differ, but the concept is the same
You can also use different tools to test the available cipher suites, this is what SSL Labs, etc.provide for TLS enabled websites as well. This posthighlights some tools and scripts such as sslscan or testssl.sh
1 root kali:# sslscan -h 2 3 __ 4 / / / / __/ ` ' \ 5 _ _ \ _ \ ( ( 6 ///__, 7 8 9 1.11.5-static10 OpenSSL 1.0.2h-dev xx XXX xxxx11 Command:12 sslscan [Options] [host:port host]13 14 Options:15 --targets= A file containing a list of hosts to check.16 Hosts can be supplied with ports (host:port)17 --ipv4 Only use IPv418 --ipv6 Only use IPv619 --show-certificate Show full certificate information20 --no-check-certificate Don't warn about weak certificate algorithm or keys21 --show-client-cas Show trusted CAs for TLS client auth22 --show-ciphers Show supported client ciphers23 --show-cipher-ids Show cipher ids24 --show-times Show handhake times in milliseconds25 --ssl2 Only check SSLv2 ciphers26 --ssl3 Only check SSLv3 ciphers27 --tls10 Only check TLSv1.0 ciphers28 --tls11 Only check TLSv1.1 ciphers29 --tls12 Only check TLSv1.2 ciphers30 --tlsall Only check TLS ciphers (all versions)31 --ocsp Request OCSP response from server32 --pk= A file containing the private key or a PKCS#12 file33 containing a private key/certificate pair34 --pkpass= The password for the private key or PKCS#12 file35 --certs= A file containing PEM/ASN1 formatted client certificates36 --no-ciphersuites Do not check for supported ciphersuites37 --no-renegotiation Do not check for TLS renegotiation38 --no-compression Do not check for TLS compression (CRIME)39 --no-heartbleed Do not check for OpenSSL Heartbleed (CVE-2014-0160)40 --starttls-ftp STARTTLS setup for FTP41 --starttls-imap STARTTLS setup for IMAP42 --starttls-irc STARTTLS setup for IRC43 --starttls-pop3 STARTTLS setup for POP344 --starttls-smtp STARTTLS setup for SMTP45 --starttls-xmpp STARTTLS setup for XMPP46 --starttls-psql STARTTLS setup for PostgreSQL47 --xmpp-server Use a server-to-server XMPP handshake48 --http Test a HTTP connection49 --rdp Send RDP preamble before starting scan50 --bugs Enable SSL implementation bug work-arounds51 --timeout= Set socket timeout. Default is 3s52 --sleep= Pause between connection request. Default is disabled53 --xml= Output results to an XML file54 --version Display the program version55 --verbose Display verbose output56 --no-cipher-details Disable EC curve names and EDH/RSA key lengths output57 --no-colour Disable coloured output58 --help Display the help text you are now reading59 60 Example:61 sslscan 127.0.0.162 sslscan [::1]
1 root kali:# sslscan mail.google.com 2 Version: 1.11.5-static 3 OpenSSL 1.0.2h-dev xx XXX xxxx 4 5 Testing SSL server mail.google.com on port 443 6 7 TLS renegotiation: 8 Secure session renegotiation supported 9 10 TLS Compression:11 Compression disabled12 13 Heartbleed:14 TLS 1.2 not vulnerable to heartbleed15 TLS 1.1 not vulnerable to heartbleed16 TLS 1.0 not vulnerable to heartbleed17 18 Supported Server Cipher(s):19 Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 25620 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 25621 Accepted TLSv1.2 128 bits AES128-GCM-SHA256
22 Accepted TLSv1.2 128 bits AES128-SHA
23 Accepted TLSv1.2 128 bits AES128-SHA256
24 Accepted TLSv1.2 112 bits DES-CBC3-SHA
25 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 25626 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 25627 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 25628 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 25629 Accepted TLSv1.2 256 bits AES256-GCM-SHA384
30 Accepted TLSv1.2 256 bits AES256-SHA
31 Accepted TLSv1.2 256 bits AES256-SHA256
32 Preferred TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 25633 Accepted TLSv1.1 128 bits AES128-SHA
34 Accepted TLSv1.1 112 bits DES-CBC3-SHA
35 Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 25636 Accepted TLSv1.1 256 bits AES256-SHA
37 Preferred TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 25638 Accepted TLSv1.0 128 bits AES128-SHA
39 Accepted TLSv1.0 112 bits DES-CBC3-SHA
40 Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 25641 Accepted TLSv1.0 256 bits AES256-SHA
42 43 SSL Certificate:44 Signature Algorithm: sha256WithRSAEncryption45 RSA Key Strength: 204846 47 Subject: mail.google.com48 Altnames: DNS:mail.google.com, DNS:inbox.google.com49 Issuer: Google Internet Authority G250 51 Not valid before: Jul 20 10:25:50 2016 GMT52 Not valid after: Oct 12 09:58:00 2016 GMT
I know I designed a windows service that uses SSL certificates and it is designed to accept a connection request unencrypted and then ONLY reply when specific commands are sent to it on an encrypted connection. if you ran nmap or openssl against it, it would not respond because it is designed to ONLY respond to specific commands and it is HIGHLY unlikely that either of these tools send the correct commands by default. All network traffic is encrypted by SSL certificates, but unless you know the correct commands to send and the correct order to send them in, you wouldn't get a reply or you would get error responses.
This is the command sslscan that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
However, before we open the firewall, an internal test should be executed to validate the SSL hardening. You can run the sslscan tool (you can download from here sslscan) from another computer in the DMZ or the WAP server itself. DNS resolving of the federation or application name must resolve to the external Load Balancer or interface of the WAP server. Example for SSL Server Ciphers before SSL Hardening (left side) and after SSL Hardening (right side):
Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.
Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.
Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page .
which will clone the OpenSSL repository , and configure/compile/test OpenSSL prior to compiling sslscan .
Please note: Out of the box, OpenSSL cannot compiled with clang without further customization (which is not done by the provided Makefile ). For more information on this, see Modifying Build Settings in the OpenSSL wiki.
You can verify whether you have a statically linked OpenSSL version, if
Building on Debian
It is recommended that you statically build sslscan using the instructions listed above. If this is not an option and you want to compile your system OpenSSL with support for legacy protocols such as SSLv2 and SSLv3 then follow the instructions below.
Note that many modern distros (including Debian) ship with a version of OpenSSL that disables support for SSLv2 ciphers. If sslscan is compiled on one of these distros, it will not be able to detect SSLv2.
This issue can be resolved by rebuilding OpenSSL from source after removing the patch that disables SSLv2 support.
The build_openssl_debian.sh script automates this process for Debian systems. It has been tested on Debian Squeeze/Wheezy; it may work on other Debian based distros, but has not been tested. The built version of OpenSSL will be installed using dpkg .
If it is not possible to rebuild OpenSSL, sslscan will still compile (thanks to a patch from digineo/sslscan , based on the debian patch). However, a warning will be displayed in the output to notify the user that SSLv2 ciphers will not be detected.
Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.
Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.
Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page .Building on OS X
There is experimental support for statically building on OS X, however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on OS X. Once you have, just run:
Disabling deprecated ciphers suites is just as fun in windows, honest. For this example I will be using a fresh install of Server 2012 R2 on a virtual machine. Here we will see the before and after affects of disabling the likes of SSLv3. In order to test this I have simply setup IIS and presented a basic HTML page and added SSL/443 in the bindings with the use of a self signed certificate. A self signed certificate is appropriate in this instance as we just want to negotiate a secure connection. Disabling the cipher suites in windows server 2012 R2 along with the previous versions of windows is achieved through the registry, under the following reg keys:
35fe9a5643
0 new messages