Script sslv2-drown
Script types:
portrule
Categories:
intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/sslv2-drown.nse
Script Summary
Determines whether the server supports SSLv2 and which ciphers it supports, and tests for CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN).
Script Arguments
- tls.servername
See the documentation for the tls library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
- smtp.domain
See the documentation for the smtp library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap -sV --script=sslv2-drown <target>
Script Output
443/tcp open  https
| sslv2-drown:
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_IDEA_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|   forced_ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|   vulns:
|     CVE-2016-0800:
|       title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
|       state: VULNERABLE
|       ids:
|         CVE:CVE-2016-0800
|       description:
|         The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
|         other products, requires a server to send a ServerVerify message before establishing
|         that a client possesses certain plaintext RSA data, which makes it easier for remote
|         attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
|         oracle, aka a "DROWN" attack.
|
|       refs:
|         https://www.openssl.org/news/secadv/20160301.txt
|_        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
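For remediation tracking, the report format above can be reduced to a per-port list of findings. The following is an added example, not part of Nmap or of this script; the function names parse_sslv2_drown and needs_action are hypothetical, and it assumes normal (terminal) Nmap output for a single host.

```python
import re

# Abridged from the Script Output above; the 8443 line is constructed.
SAMPLE = """\
443/tcp open  https
| sslv2-drown:
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|   forced_ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|   vulns:
|     CVE-2016-0800:
|       title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
|_      state: VULNERABLE
8443/tcp open  https-alt
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
HEADER_RE = re.compile(r"^\|[ _]([\w-]+):")  # script name directly follows "| " or "|_"

def parse_sslv2_drown(text):
    """Map port -> {'ciphers': [...], 'forced_ciphers': [...], 'vulns': {cve: state}}."""
    results, port, cur, section, cve = {}, None, None, None, None
    for raw in text.splitlines():
        if m := PORT_RE.match(raw):
            port, cur = m.group(1), None
        elif m := HEADER_RE.match(raw):  # start of any script's output block
            cur = section = cve = None
            if m.group(1) == "sslv2-drown" and port:
                cur = results[port] = {"ciphers": [], "forced_ciphers": [], "vulns": {}}
        elif cur is not None and raw.startswith("|"):
            body = raw[2:].strip()
            if body in ("ciphers:", "forced_ciphers:", "vulns:"):
                section, cve = body[:-1], None
            elif section in ("ciphers", "forced_ciphers") and body.startswith("SSL2_"):
                cur[section].append(body)
            elif section == "vulns" and body.startswith("CVE-") and body.endswith(":"):
                cve = body[:-1]
            elif section == "vulns" and cve and body.startswith("state:"):
                cur["vulns"][cve] = body.split(":", 1)[1].strip()
    return results

def needs_action(parsed):
    """Ports that accept any SSLv2 cipher or report a state other than NOT VULNERABLE."""
    out = {}
    for port, r in parsed.items():
        reasons = ["sslv2-enabled"] if r["ciphers"] or r["forced_ciphers"] else []
        out[port] = reasons + sorted(c for c, s in r["vulns"].items() if not s.startswith("NOT "))
    return {p: why for p, why in out.items() if why}
```

Ports are keyed as "443/tcp", so output covering several hosts should be split per host before parsing.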
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html