ssl-enum-ciphers is a script used with the network scanning tool Nmap. It's designed to enumerate the SSL/TLS cipher suites that a particular server offers. Here's what it does and how it's used:
• Enumerates Cipher Suites: The script initiates SSL/TLS connections to a server, trying different ciphers each time and recording whether the host accepts or rejects them.
• Rates Cipher Strength: It also rates the cipher suites based on cryptographic strength, giving them a letter grade from A to F.
• Identifies Server Preferences: It can determine the server's order of preference for cipher suites, which can be important for security testing.
• Useful for Security Testing: It’s particularly useful for penetration testing and ensuring compliance with security standards like PCI DSS.
To use the script, you would typically run a command like:
# nmap --script ssl-enum-ciphers -p 443 www.techjunction.co
This command would list the ciphers supported by the server at www.techjunction.co on port 443, which is the standard port for HTTPS traffic. The output includes detailed information about each cipher suite, including its strength rating. It’s a valuable tool for network administrators and security professionals to assess the security of SSL/TLS servers.
Example:
# nmap --script ssl-enum-ciphers -p 443 www.techjunction.co
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-23 16:28 CAT
Nmap scan report for www.techjunction.co (50.116.84.38)
Host is up (0.31s latency).
rDNS record for 50.116.84.38: cloud74.hostgator.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 11.31 seconds
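An added example (not part of the original article and not Nmap's own code): a Python parser for the text output shown above that collects the ciphers offered per protocol and flags any graded below a chosen threshold. The sample output is constructed, and the `min_grade` threshold and the decision to report client-side cipher preference as a finding are assumptions made for illustration.

```python
import re
PROTO = re.compile(r"^((?:SSL|TLS)v[\d.]+):$")
# Cipher line: NAME (key exchange) - GRADE; also accepts an en-dash from copied text.
CIPHER = re.compile(r"^(\S+)(?: \((.*?)\))?\s[-\u2013]\s([A-F])$")

# Constructed sample in the layout ssl-enum-ciphers prints (not a real scan).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

def parse(text):
    """Return ({protocol: {"ciphers": [(name, kex, grade)], "preference": str}}, least)."""
    protos, least, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop Nmap's "|" / "|_" gutter and indentation
        if m := PROTO.match(line):
            cur = protos.setdefault(m.group(1), {"ciphers": [], "preference": None})
        elif (m := CIPHER.match(line)) and cur is not None:
            cur["ciphers"].append(m.groups())
        elif line.startswith("cipher preference:") and cur is not None:
            cur["preference"] = line.split(":", 1)[1].strip()
        elif line.startswith("least strength:"):
            least = line.split(":", 1)[1].strip()
    return protos, least

def findings(protos, min_grade="A"):
    # Letters sort A < B < ... < F, so grade > min_grade means weaker than allowed.
    out = [(p, f"{n} graded {g}") for p, i in protos.items()
           for n, _kex, g in i["ciphers"] if g > min_grade]
    out += [(p, "cipher order chosen by client") for p, i in protos.items()
            if i["preference"] == "client"]
    return out

if __name__ == "__main__":
    print(findings(parse(SAMPLE)[0]))
```

Saving a scan with Nmap's `-oN` option gives a file whose contents can be passed to `parse()` in place of `SAMPLE`.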