In this blog, we will go over some of the methods and tools to assess the TLS security posture during an engagement. Please remember to document all of the information you found that could bring value to customers.
I. Enumerating Supported Protocols and Cipher Suites
Nmap ships with an extensive set of NSE scripts that perform various security checks; fortunately, one of them enumerates the protocol versions and cipher suites a TLS endpoint supports.
nmap --script ssl-enum-ciphers -p 443 domain.com
Note: The default TLS port for web traffic is 443, but this can be changed, so it is recommended to perform a port scan first.
II. Weak Cipher Suites
Based on the output returned from Nmap or other tools, we need to know which cipher suites are weak so we can analyze and compare the results.
1. Anonymous DH suites
Anonymous DH suites perform a Diffie-Hellman key exchange without authenticating the server, so nothing protects against impersonation and the connection is vulnerable to a man-in-the-middle attack.
2. Suites using null cipher
Most null cipher suites (e.g., TLS_RSA_WITH_NULL_SHA) perform key exchange and authentication but send the application data in plaintext.
3. Export-grade suites
Cipher suites deemed export-grade use bulk symmetric encryption algorithms with 40- and 56-bit keys. Data is encrypted, but such short key lengths allow it to be decrypted via a brute-force attack.
4. Suites with weak encryption algorithms
DES, 3DES, IDEA, RC2, and RC4 ciphers used to provide bulk symmetric encryption have known weaknesses. Although byte-bias attacks against RC4 are cumbersome to undertake in practice, most big tech companies have removed RC4 support from their products, which means you will hardly see it.
III. Enumerating Supported Features and Extensions
1. Session resumption
TLS endpoints support resumption via session IDs or RFC 5077 session tickets. Handshake flooding can result in denial of service, so many TLS servers limit the number of session IDs cached for a particular source.
sslyze --resum www.domain.com:443
2. Session renegotiation
sslyze --reneg www.domain.com:443
sslyze --reneg --starttls=smtp aspmx.l.google.com:25
3. Listing supported TLS extensions using openssl
openssl s_client -tlsextdebug -connect www.google.com:443
4. Compression support
sslyze --compression www.google.com:443
5. Fallback support
openssl s_client -connect www.google.com:443 -no_tls1_2 -fallback_scsv
IV. TLS Hardening
Consider going through the following list to harden your TLS endpoint:
- Upgrade software to the latest version
- Disable support for SSL 3.0
- Disable weak encryption algorithms
- Disable support for client-initiated renegotiation
- Enforce minimum key lengths
- Ensure that private keys are generated, handled, and stored in a secure fashion
- Use a reputable CA to sign your certificates
V. Summary
Throughout the series, we have gone over some of the important points when it comes to TLS:
- Identify the TLS library and version
- Enumerate supported protocols and cipher suites
- List supported extensions and features
- Manually qualify vulnerabilities
- TLS Hardening