指令類型:portrule
Nmap Script摘要
確定服務器是否支持SSLv2,支持哪些加密套件,並測試CVE-2015-3197、CVE-2016-0703和CVE-2016-0800(DROWN漏洞)。
Nmap Script參數
tls.servername
參見tls庫的文檔。
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
參見smbauth庫的文檔。
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
參見mssql庫的文檔。
smtp.domain
參見smtp庫的文檔。
randomseed, smbbasic, smbport, smbsign
參見smb庫的文檔。
vulns.short, vulns.showall
參見vulns庫的文檔。
Nmap Script範例
nmap -sV --script=sslv2-drown <target>
Nmap Script輸出
443/tcp open https
| sslv2-drown:
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_IDEA_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| forced_ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| vulns:
| CVE-2016-0800:
| title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
| state: VULNERABLE
| ids:
| CVE:CVE-2016-0800
| description:
| The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
| other products, requires a server to send a ServerVerify message before establishing
| that a client possesses certain plaintext RSA data, which makes it easier for remote
| attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
| oracle, aka a "DROWN" attack.
|
| refs:
| https://www.openssl.org/news/secadv/20160301.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
Nmap Script作者:
Bertrand Bonnefoy-Claudet <bertrand@cryptosense.com>
License: Same as Nmap--See https://nmap.org/book/man-legal.html