In a world where Nmap’s NSE scripts, like ssl-enum-ciphers, exist, why would anyone want to go to the hassle of enumerating supported SSL ciphers by hand? Well, there are a few reasons, some of them practical and others more academic.
When Nmap is not installed
Especially if you’re a pen-tester, there may be times when you’ve established a beachhead on a target network but Nmap is not installed there. Can you try forwarding an Nmap scan from your local system? Sure… but what if that’s not possible?
When Nmap is old
You’ve found a great bastion host to serve as your pen-test beachhead. Nmap is actually installed, but the version is so old that it doesn’t support NSE scripts.
When Nmap is prohibited
Some organizations may have application whitelisting agents running that prevent the execution of unauthorized applications. Nmap isn’t an application that often makes it onto application whitelists.
When you want to understand it
The best way to learn how painful long division is, is to do long division. Sure, it’s a bit painful, but you get a better understanding of how division works, and it sure helps you appreciate your calculator.
Using only Bash and OpenSSL you can achieve the same results:
#!/usr/bin/bash
# Usage: ./scan-ciphers.sh HOSTNAME:PORT
if [ -n "$1" ]; then
    SERVER=$1
else
    echo "Usage: ./scan-ciphers.sh HOSTNAME:PORT"
    exit 1
fi

DELAY=1
# Every cipher the local OpenSSL build knows, NULL-encryption ones included;
# a server can only be found to support a cipher the client is able to offer.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo "Obtaining cipher list from $(openssl version)."

for cipher in $ciphers; do
    echo -n "Testing $cipher... "
    # Offer only this cipher; if the handshake completes, the server accepts it.
    result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
    if [[ "$result" =~ ":error:" ]]; then
        # OpenSSL error lines are colon-separated; field 6 is the reason text.
        error=$(echo "$result" | grep -m1 ':error:' | cut -d':' -f6)
        echo "NO ($error)"
    elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ Cipher[[:space:]]*:[[:space:]]*"$cipher" ]]; then
        echo YES
    else
        echo "UNKNOWN RESPONSE"
        echo "$result"
    fi
    sleep "$DELAY"
done
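As an added example that is not part of the original post (and not the post's scan-ciphers.sh), the same one-cipher-per-handshake probe written with two practical refinements. First, on OpenSSL 1.1.1 and later the 'ALL:eNULL' list also contains the TLS 1.3 suites (named TLS_*), which -cipher cannot select; those are probed with -ciphersuites, and each probe is pinned to its protocol family (-no_tls1_3 or -tls1_3) so a server cannot appear to accept a cipher by negotiating something the probe never offered. Second, the parsing of s_client's output lives in its own function, so the YES/NO/UNKNOWN decision can be checked against the constructed transcripts embedded at the bottom without a live server. The function names, the sample transcripts and the 40-column layout are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not the original post's script. POSIX-sh compatible apart
# from the shebang, so it runs under dash or bash.

# classify_handshake OUTPUT CIPHER -> prints YES, NO (reason) or UNKNOWN
classify_handshake() {
    output=$1
    cipher=$2
    if printf '%s\n' "$output" | grep -q ':error:'; then
        # OpenSSL error lines are colon-separated; field 6 is the reason text,
        # e.g. "tlsv1 alert protocol version" or "sslv3 alert handshake failure".
        reason=$(printf '%s\n' "$output" | grep ':error:' | head -n 1 | cut -d: -f6)
        printf 'NO (%s)\n' "$reason"
    elif printf '%s\n' "$output" |
         grep -Eq "Cipher[[:space:]]*(is|:)[[:space:]]*${cipher}([[:space:]]|\$)"; then
        # Matches both "New, TLSv1.2, Cipher is X" and the "Cipher    : X" summary
        # line, and requires X to end there so AES256-SHA never matches AES256-SHA256.
        printf 'YES\n'
    else
        printf 'UNKNOWN\n'
    fi
}

# probe_cipher HOST:PORT CIPHER -> classification of one handshake attempt
probe_cipher() {
    target=$1
    cipher=$2
    case "$cipher" in
        # TLS 1.3 suites are chosen with -ciphersuites; -cipher only governs
        # TLS 1.2 and earlier (OpenSSL 1.1.1+ flags).
        TLS_*) out=$(openssl s_client -tls1_3 -ciphersuites "$cipher" \
                       -connect "$target" </dev/null 2>&1) ;;
        *)     out=$(openssl s_client -no_tls1_3 -cipher "$cipher" \
                       -connect "$target" </dev/null 2>&1) ;;
    esac
    classify_handshake "$out" "$cipher"
}

# scan_target HOST:PORT -> one "CIPHER  RESULT" line per cipher the local OpenSSL knows
scan_target() {
    target=$1
    for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        printf '%-40s %s\n' "$c" "$(probe_cipher "$target" "$c")"
        sleep 1   # pace the probes, as the post's DELAY does
    done
}

# Constructed s_client transcripts (not captured from any real host) so the
# classifier can be exercised without network access.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_FAIL='CONNECTED(00000003)
140123456789:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
New, (NONE), Cipher is (NONE)'

# Run a real scan only when a HOST:PORT argument is given.
if [ $# -gt 0 ]; then
    scan_target "$1"
fi
```

Invoked as ./probe-ciphers.sh HOSTNAME:PORT it prints one line per cipher; without an argument it only defines the functions, which is what makes the classifier usable from another script or a quick shell test against the sample transcripts.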