The QSA auditors ask us to collect the SSL versions and cipher suites of every one of our components, and with several hundred devices (network equipment, application servers and assorted administration consoles) we quickly run into a real time problem. The evidence is only valid for three months… and the estate is truly heterogeneous. I asked one of our auditors for help (150 kg and 2.10 m tall, you feel rather alone standing in front of him; even at my 1.90 m I approached cautiously to ask for advice).
The trick he suggested is a simple but effective solution: « Marc, use NMAP on your administration servers (install from source + compile) and at the end of the scan delete your binary and your sources » 🙂
I suggest installing NMAP on an Ubuntu 12.04 LTS Linux server from source, because the version in the Ubuntu repository is a bit dated: 5.3 instead of 6.46 as of today.
Installing the NMAP component on an Ubuntu LTS Linux server
Step 1: Install the build tools and libraries.
#apt-get install build-essential libssl-dev libpathfinder-openssl-1 liblinear-dev libpcap0.8-dev libpcre3-dev checkinstall
Step 2: Download the latest NMAP version from the official site
# wget http://nmap.org/dist/nmap-6.46.tar.bz2
Step 3: Extract the archive and start the build
root@smokeping:~/nmap-6.46# tar xvf nmap-6.46.tar.bz2
root@smokeping# cd nmap-6.46
root@smokeping:~/nmap-6.46#./configure
Step 4: Check the installation
Run checkinstall to validate NMAP's configuration parameters (it runs make install and wraps the result in a .deb package)
root@smokeping:~/nmap-6.46# checkinstall

checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
           This software is released under the GNU GPL.

The package documentation directory ./doc-pak does not exist.
Should I create a default set of package docs?  [y]:

Preparing package documentation...OK

Please write a description for the package.
End your description with an empty line or EOF.
>>

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 -  Maintainer: [ root@smokeping ]
1 -  Summary: [ Package created with checkinstall 1.6.2 ]
2 -  Name:    [ nmap ]
3 -  Version: [ 6.46 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ amd64 ]
8 -  Source location: [ nmap-6.46 ]
9 -  Alternate source location: [  ]
10 - Requires: [  ]
11 - Provides: [ nmap ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue:

Installing with make install...

========================= Installation results ===========================
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1 /usr/local/share/nmap
/usr/bin/install -c -c -m 755 nmap /usr/local/bin/nmap
/usr/bin/strip -x /usr/local/bin/nmap
/usr/bin/install -c -c -m 644 docs/nmap.1 /usr/local/share/man/man1/
if [ "yes" = "yes" ]; then \
	for ll in de es fr hr hu it ja pl pt_BR pt_PT ro ru sk zh; do \
		/usr/bin/install -c -d /usr/local/share/man/$ll/man1; \
		/usr/bin/install -c -c -m 644 docs/man-xlate/nmap-$ll.1 /usr/local/share/man/$ll/man1/nmap.1; \
	done; \
fi
/usr/bin/install -c -c -m 644 docs/nmap.xsl /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 docs/nmap.dtd /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-services /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-payloads /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-rpc /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-os-db /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-service-probes /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-protocols /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 nmap-mac-prefixes /usr/local/share/nmap/
/usr/bin/install -c -d /usr/local/share/nmap/scripts
/usr/bin/install -c -d /usr/local/share/nmap/nselib
(cd /usr/local/share/nmap/scripts && rm -f anonFTP.nse ASN.nse asn-to-prefix.nse brutePOP3.nse bruteTelnet.nse chargenTest.nse daytimeTest.nse dns-safe-recursion-port.nse dns-safe-recursion-txid.nse dns-test-open-recursion.nse domino-enum-passwords.nse echoTest.nse ftpbounce.nse HTTPAuth.nse HTTP_open_proxy.nse HTTPpasswd.nse HTTPtrace.nse iax2Detect.nse ircServerInfo.nse ircZombieTest.nse mac-geolocation.nse MSSQLm.nse MySQLinfo.nse netbios-smb-os-discovery.nse nfs-acls.nse nfs-dirlist.nse popcapa.nse PPTPversion.nse promiscuous.nse RealVNC_auth_bypass.nse ripeQuery.nse robots.nse showHTMLTitle.nse showHTTPVersion.nse showOwner.nse showSMTPVersion.nse showSSHVersion.nse skype_v2-version.nse smb-enumdomains.nse smb-enumsessions.nse smb-enumshares.nse smb-enumusers.nse smb-serverstats.nse smb-systeminfo.nse SMTPcommands.nse SMTP_openrelay_test.nse smtp-check-vulns.nse SNMPcommunitybrute.nse SNMPsysdescr.nse SQLInject.nse SSH-hostkey.nse SSHv1-support.nse SSLv2-support.nse strangeSMTPport.nse UPnP-info.nse xamppDefaultPass.nse zoneTrans.nse db2-info.nse db2-brute.nse html-title.nse robots.txt.nse xmpp.nse sql-injection.nse http-robtex-reverse-ip.nse)
/usr/bin/install -c -c -m 644 nse_main.lua /usr/local/share/nmap/
/usr/bin/install -c -c -m 644 scripts/script.db scripts/*.nse /usr/local/share/nmap/scripts
/usr/bin/install -c -c -m 644 nselib/*.lua nselib/*.luadoc /usr/local/share/nmap/nselib
/usr/bin/install -c -d /usr/local/share/nmap/nselib/data
for f in `find nselib/data -name .svn -prune -o -type d -print`; do \
	/usr/bin/install -c -d /usr/local/share/nmap/$f; \
done
for f in `find nselib/data -name .svn -prune -o -type f -print`; do \
	/usr/bin/install -c -c -m 644 $f /usr/local/share/nmap/$f; \
done
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1
cd zenmap && /usr/bin/python setup.py --quiet install --prefix "/usr/local" --force
/usr/bin/install -c -c -m 644 docs/zenmap.1 /usr/local/share/man/man1/
if [ ! -f /usr/local/bin/nmapfe -o -L /usr/local/bin/nmapfe ]; then \
	ln -sf zenmap /usr/local/bin/nmapfe; \
fi
ln -sf zenmap /usr/local/bin/xnmap
make[1]: entrant dans le répertoire « /root/nmap-6.46/ncat »
Installing Ncat
../shtool mkdir -f -p -m 755 /usr/local/bin /usr/local/share/man/man1
/usr/bin/install -c -c -m 755 ncat /usr/local/bin/ncat
/usr/bin/strip -x /usr/local/bin/ncat
if [ -n "certs/ca-bundle.crt" ]; then \
	../shtool mkdir -f -p -m 755 /usr/local/share/ncat; \
	/usr/bin/install -c -c -m 644 certs/ca-bundle.crt /usr/local/share/ncat/; \
fi
/usr/bin/install -c -c -m 644 docs/ncat.1 /usr/local/share/man/man1/ncat.1
make[1]: quittant le répertoire « /root/nmap-6.46/ncat »
cd ndiff && /usr/bin/python setup.py install --prefix "/usr/local"
running install
running build
running build_py
running build_scripts
running install_lib
copying build/lib.linux-x86_64-2.7/ndiff.py -> /usr/local/lib/python2.7/dist-packages
byte-compiling /usr/local/lib/python2.7/dist-packages/ndiff.py to ndiff.pyc
running install_scripts
copying build/scripts-2.7/ndiff -> /usr/local/bin
changing mode of /usr/local/bin/ndiff to 755
running install_data
copying docs/ndiff.1 -> /usr/local/share/man/man1
running install_egg_info
make[1]: entrant dans le répertoire « /root/nmap-6.46/nping »
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1
/usr/bin/install -c -c -m 755 nping /usr/local/bin/nping
/usr/bin/strip -x /usr/local/bin/nping
/usr/bin/install -c -c -m 644 docs/nping.1 /usr/local/share/man/man1/
NPING SUCCESSFULLY INSTALLED
make[1]: quittant le répertoire « /root/nmap-6.46/nping »
NMAP SUCCESSFULLY INSTALLED

======================== Installation successful ==========================
Copying documentation directory...
./
./COPYING
./CHANGELOG
./README-WIN32
./docs/
./docs/nmap.dtd
./docs/3rd-party-licenses.txt
./docs/nmap.xsl
./docs/nmap-update.1
./docs/licenses/
./docs/licenses/BSD-simplified
./docs/licenses/LGPL-2
./docs/licenses/OpenSSL.txt
./docs/licenses/LGPL-2.1
./docs/licenses/MPL-1.1
./docs/win32-installer-zenmap-buildguide.txt
./docs/nse-scripts.dtd
./docs/nmap_gpgkeys.txt
./docs/zenmap.1
./docs/nmap.1
./docs/style/
./docs/style/lua-format
./docs/style/README
./docs/style/lua-format.lua
./docs/leet-nmap-ascii-art.txt
./docs/nmap.usage.txt
./docs/nmap-fo.xsl
./docs/committers.txt
./docs/device-types.txt
./docs/README
./docs/man-xlate/
./docs/man-xlate/nmap-hu.1
./docs/man-xlate/nmap-de.1
./docs/man-xlate/nmap-id.1
./docs/man-xlate/nmap-pt_PT.1
./docs/man-xlate/nmap-sk.1
./docs/man-xlate/nmap-pl.1
./docs/man-xlate/nmap-ro.1
./docs/man-xlate/nmap-it.1
./docs/man-xlate/nmap-zh.1
./docs/man-xlate/nmap-ru.1
./docs/man-xlate/nmap-es.1
./docs/man-xlate/nmap-hr.1
./docs/man-xlate/nmap-ja.1
./docs/man-xlate/nmap-fr.1
./docs/man-xlate/nmap-pt_BR.1
./HACKING
./INSTALL

Some of the files created by the installation are inside the build
directory: /root/nmap-6.46

You probably don't want them to be included in the package,
especially if they are inside your home directory.
Do you want me to list them?  [n]:

Should I exclude them from the package? (Saying yes is a good idea)  [y]:

Copying files to the temporary directory...OK

Stripping ELF binaries and libraries...OK

Compressing man pages...OK

Building file list...OK

Building Debian package...OK

Installing Debian package...OK

Erasing temporary files...OK

Writing backup package...OK
OK

Deleting temp dir...OK

**********************************************************************

 Done. The new package has been installed and saved to

 /root/nmap-6.46/nmap_6.46-1_amd64.deb

 You can remove it from your system anytime using:

      dpkg -r nmap

**********************************************************************

root@smokeping:~/nmap-6.46#
We have a working nmap installed in a few minutes (change management takes a monstrous amount of time compared with this from-scratch installation).
root@smokeping:~/nmap-6.46# nmap -v

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-08 22:59 CEST
Read data files from: /usr/local/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
Step 5: The magic NMAP commands
The following command lists the SSL/TLS versions and cipher suites a host accepts:
nmap --script ssl-enum-ciphers -p 443 <host>
Example output of this command:
root@smokeping:~/nmap-6.46# nmap --script ssl-enum-ciphers -p 443 www.monsiteamoi.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-08 23:02 CEST
Nmap scan report for monsiteamoi (10.59.149.230)
Host is up (0.17s latency).
Other addresses for www.monsiteamoi.com (not scanned): 10.59.150.39 10.59.148.82 10.59.149.198
rDNS record for 10.59.149.230: www4.monsiteamoi.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 7.00 seconds
And now a command that also reports certificate validity, here over a whole /24:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 10.59.159.0/24 :-)
I'll let you discover the result 🙂
Starting Nmap 6.46 ( http://nmap.org ) at 2013-01-01 00:00 CEST
Nmap scan report for www.example.com (127.0.0.1)
Host is up (0.090s latency).
rDNS record for 127.0.0.1: www.example.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.example.org
| Issuer: commonName=*******
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2010-01-23T00:00:00+00:00
| Not valid after:  2020-02-28T23:59:59+00:00
| MD5:   *******
|_SHA-1: *******
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

nmap done: 1 IP address (1 host up) scanned in 8.64 seconds
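Handing the raw scan output to the assessor works, but over several hundred hosts it helps to have one row per host and port with the points the QSA will question already flagged. Here is an added example (Python, not code from the original post) that parses the text output of the two commands above, the ssl-cert block and the ssl-enum-ciphers tree, into such an evidence table. The script name `nmap_ssl_evidence.py`, the constructed SAMPLE (modelled on the output shown above, with an invented fingerprint) and the checklist values (SSLv2/SSLv3, RC4/3DES/NULL/EXPORT/anonymous suites, keys under 2048 bits, certificates expiring within 90 days) are all assumptions to align with your assessor's list. Note that nmap 6.46 labels the RC4 suites "strong" in the output above, which is exactly why the script keeps its own list rather than trusting that label.

```python
"""Evidence table from the text output of nmap ssl-cert + ssl-enum-ciphers.
Added example, not code from the original post: parses the '|'-prefixed NSE
tree the post shows into one row per host/port and flags what an assessor
would question. Weak-protocol/cipher lists, key floor and expiry window are
assumptions; SAMPLE is constructed from the post's output (fingerprint invented).
"""
import csv
import re
import sys
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Nmap scan report for www.example.com (127.0.0.1)
443/tcp open  https
| ssl-cert: Subject: commonName=www.example.org
| Public Key bits: 1024
| Not valid after:  2020-02-28T23:59:59+00:00
|_SHA-1: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|_  least strength: strong
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}                              # assumption
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "anon")  # assumption
MIN_KEY_BITS, EXPIRY_WINDOW = 2048, timedelta(days=90)           # assumptions

def parse_report(text):
    """One dict per open port: host, ip, port, cert{field: value}, protocols{version: [ciphers]}."""
    entries, host, entry, section, proto, sub = [], None, None, None, None, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)(?: \(([\d.]+)\))?", line)
        p = re.match(r"(\d+)/tcp\s+open", line)
        if m:
            host, entry = (m.group(1), m.group(2) or m.group(1)), None
        elif p and host:
            entry = {"host": host[0], "ip": host[1], "port": int(p.group(1)),
                     "cert": {}, "protocols": {}}
            entries.append(entry)
            section = None
        elif entry is not None and line.startswith("|"):
            body = line[1:]
            if body.startswith("_"):        # '|_' marks the last line of a script block
                body = " " + body[1:]
            if body.startswith(" ssl-cert:"):
                section, body = "cert", body[len(" ssl-cert:"):]
            elif body.startswith(" ssl-enum-ciphers:"):
                section, sub = "ciphers", None
            stripped, indent = body.strip(), len(body) - len(body.lstrip())
            if section == "cert" and ":" in stripped:
                key, _, val = stripped.partition(":")
                entry["cert"][key.strip()] = val.strip()
            elif section == "ciphers" and stripped.endswith(":"):
                if indent == 3:              # protocol version line, e.g. "SSLv3:"
                    proto, sub = stripped[:-1], None
                    entry["protocols"][proto] = []
                elif indent == 5:            # "ciphers:" or "compressors:"
                    sub = stripped[:-1]
            elif section == "ciphers" and indent == 7 and sub == "ciphers" and proto:
                entry["protocols"][proto].append(stripped.split(" - ")[0])  # drop " - strong"
    return entries

def assess(entry, now):
    """Findings for one host/port against the assumed checklist above."""
    findings, cert = [], entry["cert"]
    bits = int(cert.get("Public Key bits") or 0)
    if 0 < bits < MIN_KEY_BITS:
        findings.append(f"key {bits} bits < {MIN_KEY_BITS}")
    exp = cert.get("Not valid after")
    if exp and datetime.fromisoformat(exp) <= now:
        findings.append(f"certificate expired {exp}")
    elif exp and datetime.fromisoformat(exp) - now < EXPIRY_WINDOW:
        findings.append(f"certificate expires within {EXPIRY_WINDOW.days} days ({exp})")
    for proto, ciphers in entry["protocols"].items():
        if proto in WEAK_PROTOCOLS:
            findings.append(f"{proto} enabled")
        findings += [f"{proto}: weak cipher {c}" for c in ciphers
                     if any(mk in c for mk in WEAK_CIPHER_MARKERS)]
    return findings

def evidence_rows(text, now=None):
    """One row per host/port; `now` is a datetime or ISO string (default: today, UTC)."""
    now = datetime.now(timezone.utc) if now is None else now
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    return [{"host": e["host"], "ip": e["ip"], "port": e["port"],
             "protocols": sorted(e["protocols"]), "findings": assess(e, now)}
            for e in parse_report(text)]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    out = csv.writer(sys.stdout)
    out.writerow(["host", "ip", "port", "protocols", "findings"])
    for r in evidence_rows(text):
        out.writerow([r["host"], r["ip"], r["port"],
                      " ".join(r["protocols"]), "; ".join(r["findings"])])
```

Save the scan with nmap's normal output option (`-oN scan.nmap`) and run `python nmap_ssl_evidence.py scan.nmap`; with no argument it parses the built-in SAMPLE and prints a CSV. The parser keys on the indentation of the `|` tree rather than on cipher names, so it also handles hosts with several open ports and protocol lists that differ from the sample, and the checklist constants at the top are the only thing to edit when the assessor's requirements change.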
Enjoy, and thanks Lucien 🙂