Jumpnow Technologies

Using Nmap to check certs and supported TLS algorithms

03 Dec 2019

Nmap scripts can be used to quickly check a server's certificate and the TLS protocol versions and cipher suites it supports.

The OWASP site has a whole lot more on testing SSL/TLS, but using Nmap scripts is convenient.

Use the ssl-cert script to look at a certificate

$ nmap --script ssl-cert -p 443 jumpnowtek.com
Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-12-03 15:48 EST
Nmap scan report for jumpnowtek.com (166.78.186.4)
Host is up (0.072s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=jumpnowtek.com
| Subject Alternative Name: DNS:jumpnowtek.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-10-25T09:57:29
| Not valid after:  2020-01-23T09:57:29
| MD5:   04f2 5741 dda8 faed f0b7 9373 d2ae 50f6
|_SHA-1: cca2 eb0d 2d9c 9b44 50e8 da39 8cd3 2f36 2baa fd5f

Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds

Use the ssl-enum-ciphers script to see the SSL/TLS algorithms a server supports

$ nmap --script ssl-enum-ciphers -p 443 jumpnowtek.com
Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-12-03 15:50 EST
Nmap scan report for jumpnowtek.com (166.78.186.4)
Host is up (0.075s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds

See the manual for the meaning of the ratings, but A is good.
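
An added example, not from the original post: a small Python parser for the ssl-enum-ciphers text output above. It reports two things the output shows still receiving an A: older protocol versions and static-RSA suites, which lack forward secrecy. The sample input is abridged from the output above, and the LEGACY set is an assumed local policy.

```python
import re

# Constructed sample, abridged from the ssl-enum-ciphers output shown above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+) \(([^)]*)\) - ([A-F])\s*$")
# Assumption: local policy. RFC 8996 deprecates TLS 1.0 and TLS 1.1.
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def parse(text):
    """Return {protocol: [(cipher, key_exchange, grade), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = result.setdefault(m.group(1), [])
        elif (m := CIPHER_RE.match(line)) and current is not None:
            current.append(m.groups())
    return result

def findings(parsed):
    """Flag legacy protocols, static-RSA key exchange and any grade below A."""
    out = []
    for proto, ciphers in parsed.items():
        if proto in LEGACY:
            out.append((proto, "legacy protocol enabled"))
        for name, _kex, grade in ciphers:
            if name.startswith("TLS_RSA_WITH_"):
                out.append((proto, f"{name}: no forward secrecy"))
            if grade != "A":
                out.append((proto, f"{name}: grade {grade}"))
    return out

if __name__ == "__main__":
    for proto, msg in findings(parse(SAMPLE)):
        print(f"{proto}: {msg}")
```

To run it on a real scan, replace SAMPLE with the saved Nmap output text.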

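You can also use Nmap scripts to look for well-known SSL and TLS vulnerabilities.

You can run all the scripts whose names start with ssl at once using a wildcard. Quote the pattern so the shell does not expand it against file names in the current directory.

$ nmap --script "ssl*" -p 443 jumpnowtek.com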

Or you can give a comma-separated list of the specific scripts you want

$ nmap --script ssl-cert,ssl-enum-ciphers -p 443 jumpnowtek.com

If you want Nmap to check all potential ports that are running TLS services, you can use the -sV option and Nmap will figure out which ports are appropriate to run the tests against.

$ nmap -sV --script ssl-cert jumpnowtek.com