Wednesday, June 01, 2016

Powershell tidbit of the week

Some of you are familiar with SSLLabs.com

Of those who have used it, some of you probably have run into at least one of these limitations:
It doesn't work for sites on your intranet. It doesn't work for sites with no DNS. It doesn't work with SNI sites (sites whit more than one site on a server under different DNS names). It doesn't work  for any port other than 443, and it has to be a web server, not a mail server. so no way to test TLS is working  on your SMTP server and what ciphers it uses.... but NMAP has that if you can remember what command line options to feed it.

I put these 3 lines in a file called testTLSCiphers.ps1 to make it easier for me to remember, and you might want to do that too.

$ServerName = Read-Host -Prompt 'Input your server  name'
$Port = Read-Host -Prompt 'Input your server TCP port number (443 is most common)'
nmap --script ssl-enum-ciphers -p $Port $ServerName



The output looks something like this:
PS C:\Users\rod> C:\scripts\Powershell scripts\testTLSCiphers.ps1
Input your server  name: internalsite.local
Input your server TCP port number (443 is most common): 443
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2016-06-01 15:29 Eastern Daylight Time
Nmap scan report for internalsite.local (192.168.1.6)
Host is up (0.0010s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds