📌 ssl-cert
📌 ssl-cert-intaddr
📌 ssl-date
📌 ssl-enum-ciphers
📌 ssl-known-key
📌 sslv2
Nmap –script ssl-cert ip address:
Retrieves a server’s SSL certificate. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the common name, organization Name, state Or Province Name, and country Name of the subject.
Nmap –script ssl-cert-intaddr ip address:
Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
Nmap –script ssl-date ip address:
Retrieves a target host’s time and date from its TLS ServerHello response.
Nmap –script ssl-enum-ciphers ip address:
This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.
Each ciphersuite is shown with a letter grade (A through F) indicating the strength of the connection. The grade is based on the cryptographic strength of the key exchange and of the stream cipher. The message integrity (hash) algorithm choice is not a factor. The output line beginning with Least strength shows the strength of the weakest cipher offered. The scoring is based on the Qualys SSL Labs SSL Server Rating Guide, but does not take protocol support (TLS version) into account, which makes up 30% of the SSL Labs rating.
SSLv3/TLSv1 requires more effort to determine which ciphers and compression methods a server supports than SSLv2. A client lists the ciphers and compressors that it is capable of supporting, and the server will respond with a single cipher and compressor chosen, or a rejection notice. Some servers use the client’s cipher suite
Nmap –script ssl-known-key ip address:
Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys.
The only databases currently checked are the LittleBlackBox 0.1 database of compromised keys from various devices, some keys reportedly used by the Chinese state-sponsored hacking division APT1 (https://www.fireeye.com/blog/threat-research/2013/03/md5-sha1.html), and the key used by CARBANAK malware (https://www.fireeye.com/blog/threat-research/2017/06/behind-the- carbanak-backdoor.html). However, any file of fingerprints will serve just as well. For example, this could be used to find weak Debian OpenSSL keys using the widely available (but too large to include with Nmap) list.
Nmap –script sslv2 ip address:
Determines whether the server supports obsolete and less secure SSLv2, and discovers which ciphers it supports.
Nmap –script tls-alpn ip address:
Enumerates a TLS server’s supported application-layer protocols using the ALPN protocol.
Nmap –script tls-nextprotoneg ip address:
Enumerates a TLS server’s supported protocols by using the next protocol negotiation extension. This works by adding the next protocol negotiation extension in the client hello packet and parsing the returned server hello’s NPN extension data.
