PCI DSS – Collecting Cipher Suites with NMAP

The QSA auditors ask us to collect the SSL versions and cipher suites of all our components, and with several hundred devices (network equipment, application servers and assorted administration consoles) we quickly run into a real time problem. The evidence is only valid for three months… and the estate is really heterogeneous. I asked one of our auditors for help (150 kg and 2.10 m tall; you feel quite alone facing him, and even at 1.90 m I approached cautiously to ask for advice).

The trick he suggested is a simple but effective one. « Marc, use NMAP on your administration servers (install from source + compile) and at the end of the scan delete your binary and your sources » 🙂

I suggest installing NMAP on an Ubuntu 12.04 LTS Linux server from source, because the version in the Ubuntu repository is a bit dated: 5.3 instead of 6.46 at the time of writing.

Installing the NMAP component on an Ubuntu LTS Linux server

Step 1: Install the build tools and libraries.

# apt-get install build-essential libssl-dev libpathfinder-openssl-1 liblinear-dev libpcap0.8-dev libpcre3-dev checkinstall

 

Confirm the installation of the whole set of build tools and libraries by simply answering « O » (yes, on a French locale).

Step 2: Download the latest NMAP version from the official site

# wget http://nmap.org/dist/nmap-6.46.tar.bz2

Step 3: Extract the archive and start the build

root@smokeping:~# tar xvf nmap-6.46.tar.bz2
root@smokeping:~# cd nmap-6.46
root@smokeping:~/nmap-6.46# ./configure


Step 4: Check the installation

We run checkinstall to confirm NMAP's package parameters: it runs make install, builds a Debian package from the result and installs it, so the whole install can later be removed cleanly with dpkg -r nmap.

root@smokeping:~/nmap-6.46# checkinstall 

checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
           This software is released under the GNU GPL.


The package documentation directory ./doc-pak does not exist. 
Should I create a default set of package docs?  [y]: 

Preparing package documentation...OK

Please write a description for the package.
End your description with an empty line or EOF.
>> 

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values: 

0 -  Maintainer: [ root@smokeping ]
1 -  Summary: [ Package created with checkinstall 1.6.2 ]
2 -  Name:    [ nmap ]
3 -  Version: [ 6.46 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ amd64 ]
8 -  Source location: [ nmap-6.46 ]
9 -  Alternate source location: [  ]
10 - Requires: [  ]
11 - Provides: [ nmap ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue: 

Installing with make install...

========================= Installation results ===========================
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1 /usr/local/share/nmap
/usr/bin/install -c -c -m 755 nmap /usr/local/bin/nmap
/usr/bin/strip -x /usr/local/bin/nmap
/usr/bin/install -c -c -m 644 docs/nmap.1 /usr/local/share/man/man1/
if [ "yes" = "yes" ]; then \
      for ll in de es fr hr hu it ja pl pt_BR pt_PT ro ru sk zh; do \
        /usr/bin/install -c -d /usr/local/share/man/$ll/man1; \
        /usr/bin/install -c -c -m 644 docs/man-xlate/nmap-$ll.1 /usr/local/share/man/$ll/man1/nmap.1; \
      done; \
    fi
/usr/bin/install -c -c -m 644 docs/nmap.xsl /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 docs/nmap.dtd /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-services /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-payloads /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-rpc /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-os-db /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-service-probes /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-protocols /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-mac-prefixes /usr/local/share/nmap/
/usr/bin/install -c -d /usr/local/share/nmap/scripts
/usr/bin/install -c -d /usr/local/share/nmap/nselib
(cd /usr/local/share/nmap/scripts && rm -f anonFTP.nse ASN.nse asn-to-prefix.nse brutePOP3.nse bruteTelnet.nse chargenTest.nse daytimeTest.nse dns-safe-recursion-port.nse dns-safe-recursion-txid.nse dns-test-open-recursion.nse domino-enum-passwords.nse echoTest.nse ftpbounce.nse HTTPAuth.nse HTTP_open_proxy.nse HTTPpasswd.nse HTTPtrace.nse iax2Detect.nse ircServerInfo.nse ircZombieTest.nse mac-geolocation.nse MSSQLm.nse MySQLinfo.nse netbios-smb-os-discovery.nse nfs-acls.nse nfs-dirlist.nse popcapa.nse PPTPversion.nse promiscuous.nse RealVNC_auth_bypass.nse ripeQuery.nse robots.nse showHTMLTitle.nse showHTTPVersion.nse showOwner.nse showSMTPVersion.nse showSSHVersion.nse skype_v2-version.nse smb-enumdomains.nse smb-enumsessions.nse smb-enumshares.nse smb-enumusers.nse smb-serverstats.nse smb-systeminfo.nse SMTPcommands.nse SMTP_openrelay_test.nse smtp-check-vulns.nse SNMPcommunitybrute.nse SNMPsysdescr.nse SQLInject.nse SSH-hostkey.nse SSHv1-support.nse SSLv2-support.nse strangeSMTPport.nse UPnP-info.nse xamppDefaultPass.nse zoneTrans.nse db2-info.nse db2-brute.nse html-title.nse robots.txt.nse xmpp.nse sql-injection.nse http-robtex-reverse-ip.nse)
/usr/bin/install -c -c -m 644 nse_main.lua /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 scripts/script.db scripts/*.nse /usr/local/share/nmap/scripts
/usr/bin/install -c -c -m 644 nselib/*.lua nselib/*.luadoc /usr/local/share/nmap/nselib
/usr/bin/install -c -d /usr/local/share/nmap/nselib/data
for f in `find nselib/data -name .svn -prune -o -type d -print`; do \
        /usr/bin/install -c -d /usr/local/share/nmap/$f; \
    done
for f in `find nselib/data -name .svn -prune -o -type f -print`; do \
        /usr/bin/install -c -c -m 644 $f /usr/local/share/nmap/$f; \
    done
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1
cd zenmap && /usr/bin/python setup.py --quiet install --prefix "/usr/local" --force 
/usr/bin/install -c -c -m 644 docs/zenmap.1 /usr/local/share/man/man1/
if [ ! -f /usr/local/bin/nmapfe -o -L /usr/local/bin/nmapfe ]; then \
        ln -sf zenmap /usr/local/bin/nmapfe; \
    fi
ln -sf zenmap /usr/local/bin/xnmap
make[1]: entrant dans le répertoire « /root/nmap-6.46/ncat »
Installing Ncat
../shtool mkdir -f -p -m 755 /usr/local/bin /usr/local/share/man/man1
/usr/bin/install -c -c -m 755 ncat /usr/local/bin/ncat
/usr/bin/strip -x /usr/local/bin/ncat
if [ -n "certs/ca-bundle.crt" ]; then \
        ../shtool mkdir -f -p -m 755 /usr/local/share/ncat; \
        /usr/bin/install -c -c -m 644 certs/ca-bundle.crt /usr/local/share/ncat/; \
    fi
/usr/bin/install -c -c -m 644 docs/ncat.1 /usr/local/share/man/man1/ncat.1
make[1]: quittant le répertoire « /root/nmap-6.46/ncat »
cd ndiff && /usr/bin/python setup.py install --prefix "/usr/local" 
running install
running build
running build_py
running build_scripts
running install_lib
copying build/lib.linux-x86_64-2.7/ndiff.py -> /usr/local/lib/python2.7/dist-packages
byte-compiling /usr/local/lib/python2.7/dist-packages/ndiff.py to ndiff.pyc
running install_scripts
copying build/scripts-2.7/ndiff -> /usr/local/bin
changing mode of /usr/local/bin/ndiff to 755
running install_data
copying docs/ndiff.1 -> /usr/local/share/man/man1
running install_egg_info
make[1]: entrant dans le répertoire « /root/nmap-6.46/nping »
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1
/usr/bin/install -c -c -m 755 nping /usr/local/bin/nping
/usr/bin/strip -x /usr/local/bin/nping
/usr/bin/install -c -c -m 644 docs/nping.1 /usr/local/share/man/man1/
NPING SUCCESSFULLY INSTALLED
make[1]: quittant le répertoire « /root/nmap-6.46/nping »
NMAP SUCCESSFULLY INSTALLED

======================== Installation successful ==========================

Copying documentation directory...
./
./COPYING
./CHANGELOG
./README-WIN32
./docs/
./docs/nmap.dtd
./docs/3rd-party-licenses.txt
./docs/nmap.xsl
./docs/nmap-update.1
./docs/licenses/
./docs/licenses/BSD-simplified
./docs/licenses/LGPL-2
./docs/licenses/OpenSSL.txt
./docs/licenses/LGPL-2.1
./docs/licenses/MPL-1.1
./docs/win32-installer-zenmap-buildguide.txt
./docs/nse-scripts.dtd
./docs/nmap_gpgkeys.txt
./docs/zenmap.1
./docs/nmap.1
./docs/style/
./docs/style/lua-format
./docs/style/README
./docs/style/lua-format.lua
./docs/leet-nmap-ascii-art.txt
./docs/nmap.usage.txt
./docs/nmap-fo.xsl
./docs/committers.txt
./docs/device-types.txt
./docs/README
./docs/man-xlate/
./docs/man-xlate/nmap-hu.1
./docs/man-xlate/nmap-de.1
./docs/man-xlate/nmap-id.1
./docs/man-xlate/nmap-pt_PT.1
./docs/man-xlate/nmap-sk.1
./docs/man-xlate/nmap-pl.1
./docs/man-xlate/nmap-ro.1
./docs/man-xlate/nmap-it.1
./docs/man-xlate/nmap-zh.1
./docs/man-xlate/nmap-ru.1
./docs/man-xlate/nmap-es.1
./docs/man-xlate/nmap-hr.1
./docs/man-xlate/nmap-ja.1
./docs/man-xlate/nmap-fr.1
./docs/man-xlate/nmap-pt_BR.1
./HACKING
./INSTALL

Some of the files created by the installation are inside the build
directory: /root/nmap-6.46

You probably don't want them to be included in the package,
especially if they are inside your home directory.
Do you want me to list them?  [n]: 
Should I exclude them from the package? (Saying yes is a good idea)  [y]: 

Copying files to the temporary directory...
OK

Stripping ELF binaries and libraries...OK

Compressing man pages...OK

Building file list...OK

Building Debian package...OK

Installing Debian package...OK

Erasing temporary files...OK

Writing backup package...OK
OK

Deleting temp dir...OK


**********************************************************************

 Done. The new package has been installed and saved to

 /root/nmap-6.46/nmap_6.46-1_amd64.deb

 You can remove it from your system anytime using: 

      dpkg -r nmap

**********************************************************************

root@smokeping:~/nmap-6.46# 

We have a working nmap installed in a few minutes (change management takes a monstrous amount of time compared with this from-scratch install).

root@smokeping:~/nmap-6.46# nmap -v

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-08 22:59 CEST
Read data files from: /usr/local/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Step 5: The magic NMAP commands

The following command lists the SSL/TLS protocol versions and cipher suites a host offers:

nmap --script ssl-enum-ciphers -p 443 <host>

Example output from this command:

root@smokeping:~/nmap-6.46# nmap --script ssl-enum-ciphers -p 443 www.monsiteamoi.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-08 23:02 CEST
Nmap scan report for monsiteamoi (10.59.149.230)
Host is up (0.17s latency).
Other addresses for www.monsiteamoi.com (not scanned): 10.59.150.39 10.59.148.82 10.59.149.198
rDNS record for 10.59.149.230: www4.monsiteamoi.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds

And now a command that also reports certificate validity (ssl-cert combined with the cipher enumeration, here over a whole /24):

nmap --script ssl-cert,ssl-enum-ciphers -p 443 10.59.159.0/24 :-)

I'll let you discover the result 🙂

Starting Nmap 6.46 ( http://nmap.org ) at 2013-01-01 00:00 CEST
Nmap scan report for www.example.com (127.0.0.1)
Host is up (0.090s latency).
rDNS record for 127.0.0.1: www.example.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.example.org
| Issuer: commonName=*******
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2010-01-23T00:00:00+00:00
| Not valid after:  2020-02-28T23:59:59+00:00
| MD5:   *******
|_SHA-1: *******
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

nmap done: 1 IP address (1 host up) scanned in 8.64 seconds
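Nmap 6.46 labels every suite in the two outputs above as "strong", RC4 and 3DES included, so the raw scan output still needs a review pass before it goes to the QSA. The parser below is an added example, not part of the original post: it reads nmap's normal output for the ssl-cert and ssl-enum-ciphers scripts (as produced by either command above, run with -oN against many hosts) and turns it into per-host findings. The legacy-protocol and weak-cipher lists, the 2048-bit key floor and the 90-day expiry window are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample in nmap normal-output format, trimmed to the lines this parser uses.
SAMPLE = """Nmap scan report for www.example.com (127.0.0.1)
| Public Key bits: 1024
| Not valid after:  2020-02-28T23:59:59+00:00
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|_  least strength: strong"""

# Review criteria are this example's own assumptions, not nmap's grading; adjust them to your QSA's expectations.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
WEAK_CIPHER = re.compile(r"RC4|3DES|_DES_|NULL|EXPORT|_MD5$|anon", re.I)
LINE = re.compile(r"Nmap scan report for (?P<host>\S+)|(?P<proto>SSLv\d|TLSv\d\.\d):|(?P<cipher>TLS_[A-Z0-9_]+)"
                  r"|Public Key bits: (?P<bits>\d+)|Not valid after:\s+(?P<after>\S+)")

def parse_report(text):
    # Returns {host: {"protocols": {proto: [cipher names]}, "key_bits": int, "not_after": datetime}}
    hosts, host, proto = {}, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("|_ "))  # strip nmap's "| " / "|_" script-output prefix
        if m and m.group("host"):  # a new host block; the script lines that follow belong to it
            host, proto = hosts.setdefault(m.group("host"), {"protocols": {}, "key_bits": None, "not_after": None}), None
        elif not (m and host):
            continue
        elif m.group("proto"):
            proto = host["protocols"].setdefault(m.group("proto"), [])
        elif m.group("cipher") and proto is not None:
            proto.append(m.group("cipher"))
        elif m.group("bits"):
            host["key_bits"] = int(m.group("bits"))
        else:
            host["not_after"] = datetime.fromisoformat(m.group("after"))
    return hosts

def findings(host, now_iso, min_bits=2048, expiry_days=90):
    # Review findings for one parsed host; now_iso fixes the reference date so runs are reproducible
    now, protos = datetime.fromisoformat(now_iso), host["protocols"]
    out = [f"legacy protocol offered: {p}" for p in sorted(protos) if p in LEGACY_PROTOCOLS]
    weak = {c for ciphers in protos.values() for c in ciphers if WEAK_CIPHER.search(c)}
    out += [f"weak cipher offered: {c}" for c in sorted(weak)]
    if host["key_bits"] and host["key_bits"] < min_bits:
        out.append(f"certificate key is only {host['key_bits']} bits")
    if host["not_after"] and (host["not_after"] - now).days < expiry_days:
        out.append(f"certificate expires {host['not_after'].date()} (within {expiry_days} days)")
    return out
```

Feed it the -oN file of a whole subnet scan and every host with a finding becomes one line of the remediation list, while the untouched nmap output remains the evidence handed to the auditor.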

Enjoy, and thanks Lucien 🙂