local nmap = require "nmap" local shortport = require "shortport" local sslcert = require "sslcert" local stdnse = require "stdnse" local string = require "string" local math = require "math" local table = require "table" local tls = require "tls" local vulns = require "vulns" local have_ssl, openssl = pcall(require, "openssl") description = [[ Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services. This script simulates SSL/TLS handshakes using ciphersuites that have ephemeral Diffie-Hellman as the key exchange algorithm. Diffie-Hellman MODP group parameters are extracted and analyzed for vulnerability to Logjam (CVE 2015-4000) and other weaknesses. Opportunistic STARTTLS sessions are established on services that support them. ]] --- -- @usage -- nmap --script ssl-dh-params -- -- @output -- Host script results: -- | ssl-dh-params: -- | VULNERABLE: -- | Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam) -- | State: VULNERABLE -- | IDs: OSVDB:122331 CVE:CVE-2015-4000 -- | The Transport Layer Security (TLS) protocol contains a flaw that is triggered -- | when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher. -- | This may allow a man-in-the-middle attacker to downgrade the security of a TLS -- | session to 512-bit export-grade cryptography, which is significantly weaker, -- | allowing the attacker to more easily break the encryption and monitor or tamper -- | with the encrypted stream. -- | Disclosure date: 2015-5-19 -- | Check results: -- | EXPORT-GRADE DH GROUP 1 -- | Ciphersuite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA -- | Modulus Type: Non-safe prime -- | Modulus Source: sun.security.provider/512-bit DSA group with 160-bit prime order subgroup -- | Modulus Length: 512 bits -- | Generator Length: 512 bits -- | Public Key Length: 512 bits -- | References: -- | https://weakdh.org -- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000 -- | http://osvdb.org/122331 -- | -- | Diffie-Hellman Key Exchange Insufficient Diffie-Hellman Group Strength -- | State: VULNERABLE -- | Transport Layer Security (TLS) services that use Diffie-Hellman groups of -- | insuffficient strength, especially those using one of a few commonly shared -- | groups, may be susceptible to passive eavesdropping attacks. -- | Check results: -- | WEAK DH GROUP 1 -- | Ciphersuite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA -- | Modulus Type: Safe prime -- | Modulus Source: Unknown/Custom-generated -- | Modulus Length: 512 bits -- | Generator Length: 8 bits -- | Public Key Length: 512 bits -- | References: -- | https://weakdh.org -- | -- | Diffie-Hellman Key Exchange Potentially Unsafe Group Parameters -- | State: VULNERABLE -- | This TLS service appears to be using a modulus that is not a safe prime and does -- | not correspond to any well-known DSA group for Diffie-Hellman key exchange. -- | These parameters MAY be secure if: -- | - They were generated according to the procedure described in FIPS 186-4 for -- | DSA Domain Parameter Generation, or -- | - The generator g generates a subgroup of large prime order -- | Additional testing may be required to verify the security of these parameters. -- | Check results: -- | NON-SAFE DH GROUP 1 -- | Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA -- | Modulus Type: Non-safe prime -- | Modulus Source: Unknown/Custom-generated -- | Modulus Length: 1024 bits -- | Generator Length: 1024 bits -- | Public Key Length: 1024 bits -- | References: -- | https://weakdh.org -- |_ http://www2.esentire.com/TLSUnjammedWP author = "Jacob Gajek" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"vuln", "safe"} -- Anonymous Diffie-Hellman key exchange variants local DH_anon_ALGORITHMS = { ["DH_anon_EXPORT"] = 1, ["DH_anon"] = 1 } -- Full-strength ephemeral Diffie-Hellman key exchange variants local DHE_ALGORITHMS = { ["DHE_RSA"] = 1, ["DHE_DSS"] = 1, ["DHE_PSK"] = 1 } -- Export-grade ephemeral Diffie-Hellman key exchange variants local DHE_ALGORITHMS_EXPORT = { ["DHE_RSA_EXPORT"] = 1, ["DHE_DSS_EXPORT"] = 1, ["DHE_DSS_EXPORT1024"] = 1 } -- Helper function to convert hex string to byte array local function fromhex(hexstr) return string.gsub(hexstr, "%s*(%x%x)%s*", function(c) return string.char(tonumber(c, 16)) end ) end -- Common Diffie-Hellman groups -- -- The primes from weakdh.org were harvested by: -- 1) Scanning the IPv4 space -- 2) Scanning Alexa Top 1 million (seen >100 times) -- -- The list from weakdh.org overlaps the original script source code, therefore those were removed. -- The primes were not searchable on Google (hope for source code match) - they may belong to closed -- source software. If someone happens to find/match it, send a pull request. local DHE_PRIMES = { [fromhex([[ D4BCD524 06F69B35 994B88DE 5DB89682 C8157F62 D8F33633 EE5772F1 1F05AB22 D6B5145B 9F241E5A CC31FF09 0A4BC711 48976F76 795094E7 1E790352 9F5A824B ]])] = "mod_ssl 2.0.x/512-bit MODP group with safe prime modulus", [fromhex([[ E6969D3D 495BE32C 7CF180C3 BDD4798E 91B78182 51BB055E 2A206490 4A79A770 FA15A259 CBD523A6 A6EF09C4 3048D5A2 2F971F3C 20129B48 000E6EDD 061CBC05 3E371D79 4E5327DF 611EBBBE 1BAC9B5C 6044CF02 3D76E05E EA9BAD99 1B13A63C 974E9EF1 839EB5DB 125136F7 262E56A8 871538DF D823C650 5085E21F 0DD5C86B ]])] = "mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus", [fromhex([[ 9FDB8B8A 004544F0 045F1737 D0BA2E0B 274CDF1A 9F588218 FB435316 A16E3741 71FD19D8 D8F37C39 BF863FD6 0E3E3006 80A3030C 6E4C3757 D08F70E6 AA871033 ]])] = "mod_ssl 2.2.x/512-bit MODP group with safe prime modulus", [fromhex([[ D67DE440 CBBBDC19 36D693D3 4AFD0AD5 0C84D239 A45F520B B88174CB 98BCE951 849F912E 639C72FB 13B4B4D7 177E16D5 5AC179BA 420B2A29 FE324A46 7A635E81 FF590137 7BEDDCFD 33168A46 1AAD3B72 DAE88600 78045B07 A7DBCA78 74087D15 10EA9FCC 9DDD3305 07DD62DB 88AEAA74 7DE0F4D6 E2BD68B0 E7393E0F 24218EB3 ]])] = "mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus", [fromhex([[ BBBC2DCA D8467490 7C43FCF5 80E9CFDB D958A3F5 68B42D4B 08EED4EB 0FB3504C 6C030276 E710800C 5CCBBAA8 922614C5 BEECA565 A5FDF1D2 87A2BC04 9BE67780 60E91A92 A757E304 8F68B076 F7D36CC8 F29BA5DF 81DC2CA7 25ECE662 70CC9A50 35D8CECE EF9EA027 4A63AB1E 58FAFD49 88D0F65D 146757DA 071DF045 CFE16B9B ]])] = "nginx/1024-bit MODP group with safe prime modulus", [fromhex([[ FCA682CE 8E12CABA 26EFCCF7 110E526D B078B05E DECBCD1E B4A208F3 AE1617AE 01F35B91 A47E6DF6 3413C5E1 2ED0899B CD132ACD 50D99151 BDC43EE7 37592E17 ]])] = "sun.security.provider/512-bit DSA group with 160-bit prime order subgroup", [fromhex([[ E9E64259 9D355F37 C97FFD35 67120B8E 25C9CD43 E927B3A9 670FBEC5 D8901419 22D2C3B3 AD248009 3799869D 1E846AAB 49FAB0AD 26D2CE6A 22219D47 0BCE7D77 7D4A21FB E9C270B5 7F607002 F3CEF839 3694CF45 EE3688C1 1A8C56AB 127A3DAF ]])] = "sun.security.provider/768-bit DSA group with 160-bit prime order subgroup", [fromhex([[ FD7F5381 1D751229 52DF4A9C 2EECE4E7 F611B752 3CEF4400 C31E3F80 B6512669 455D4022 51FB593D 8D58FABF C5F5BA30 F6CB9B55 6CD7813B 801D346F F26660B7 6B9950A5 A49F9FE8 047B1022 C24FBBA9 D7FEB7C6 1BF83B57 E7C6A8A6 150F04FB 83F6D3C5 1EC30235 54135A16 9132F675 F3AE2B61 D72AEFF2 2203199D D14801C7 ]])] = "sun.security.provider/1024-bit DSA group with 160-bit prime order subgroup", [fromhex([[ DA583C16 D9852289 D0E4AF75 6F4CCA92 DD4BE533 B804FB0F ED94EF9C 8A4403ED 574650D3 6999DB29 D776276B A2D3D412 E218F4DD 1E084CF6 D8003E7C 4774E833 ]])] = "openssl/512-bit MODP group with safe prime modulus", [fromhex([[ 97F64261 CAB505DD 2828E13F 1D68B6D3 DBD0F313 047F40E8 56DA58CB 13B8A1BF 2B783A4C 6D59D5F9 2AFC6CFF 3D693F78 B23D4F31 60A9502E 3EFAF7AB 5E1AD5A6 5E554313 828DA83B 9FF2D941 DEE95689 FADAEA09 36ADDF19 71FE635B 20AF4703 64603C2D E059F54B 650AD8FA 0CF70121 C74799D7 587132BE 9B999BB9 B787E8AB ]])] = "openssl/1024-bit MODP group with safe prime modulus", [fromhex([[ ED928935 824555CB 3BFBA276 5A690461 BF21F3AB 53D2CD21 DAFF7819 1152F10E C1E255BD 686F6800 53B9226A 2FE49A34 1F65CC59 328ABDB1 DB49EDDF A71266C3 FD210470 18F07FD6 F7585119 72827B22 A934181D 2FCB21CF 6D92AE43 B6A829C7 27A3CB00 C5F2E5FB 0AA45985 A2BDAD45 F0B3ADF9 E08135EE D983B3CC AEEAEB66 E6A95766 B9F128A5 3F2280D7 0BA6F671 939B810E F85A90E6 CCCA6F66 5F7AC010 1A1EF0FC 2DB6080C 6228B0EC DB8928EE 0CA83D65 94691669 533C5360 13B02BA7 D48287AD 1C729E41 35FCC27C E951DE61 85FC199B 76600F33 F86BB3CA 520E29C3 07E89016 CCCC0019 B6ADC3A4 308B33A1 AFD88C8D 9D01DBA4 C4DD7F0B BD6F38C3 ]])] = "openssl/2048-bit MODP group with safe prime modulus", [fromhex([[ AED037C3 BDF33FA2 EEDC4390 B70A2089 7B770175 E9B92EB2 0F8061CC D4B5A591 723C7934 FDA9F9F3 274490F8 50647283 5BE05927 1C4F2C03 5A4EE756 A36613F1 382DBD47 4DE8A4A0 322122E8 C730A83C 3E4800EE BD6F8548 A5181711 BA545231 C843FAC4 175FFAF8 49C440DB 446D8462 C1C3451B 49EFA829 F5C48A4C 7BAC7F64 7EE00015 1AA9ED81 101B36AB 5C39AAFF EC54A3F8 F97C1B7B F406DCB4 2DC092A5 BAA06259 EFEB3FAB 12B42698 2E8F3EF4 B3F7B4C3 302A24C8 AA4213D8 45035CE4 A8ADD31F 816616F1 9E21A5C9 5080597F 8980AD6B 814E3585 5B79E684 4491527D 552B72B7 C78D8D6B 993A736F 8486B305 88B8F1B8 7E89668A 8BD3F13D DC517D4B ]])] = "openssl/2048-bit MODP group with safe prime modulus", [fromhex([[ FEEAD19D BEAF90F6 1CFCA106 5D69DB08 839A2A2B 6AEF2488 ABD7531F BB3E462E 7DCECEFB CEDCBBBD F56549EE 95153056 8188C3D9 7294166B 6AABA0AA 5CC8555F 9125503A 180E9032 4C7F39C6 A3452F31 42EE72AB 7DFFC74C 528DB6DA 76D9C644 F55D083E 9CDE74F7 E742413B 69476617 D2670F2B F6D59FFC D7C3BDDE ED41E2BD 2CCDD9E6 12F1056C AB88C441 D7F9BA74 651ED1A8 4D407A27 D71895F7 77AB6C77 63CC00E6 F1C30B2F E7944692 7E74BC73 B8431B53 011AF5AD 1515E63D C1DE83CC 802ECE7D FC71FBDF 179F8E41 D7F1B43E BA75D5A9 C3B11D4F 1B0B5A09 88A9AACB CCC10512 26DC8410 E41693EC 8591E31E E2F5AFDF AEDE122D 1277FC27 0BE4D25C 1137A58B E961EAC9 F27D4C71 E2391904 DD6AB27B ECE5BD6C 64C79B14 6C2D208C D63A4B74 F8DAE638 DBE2C880 6BA10773 8A8DF5CF E214A4B7 3D03C912 75FBA572 8146CE5F EC01775B 74481ADF 86F4854D 65F5DA4B B67F882A 60CE0BCA 0ACD157A A377F10B 091AD0B5 68893039 ECA33CDC B61BA8C9 E32A87A2 F5D8B7FD 26734D2F 09679235 2D70ADE9 F4A51D84 88BC57D3 2A638E0B 14D6693F 6776FFFB 355FEDF6 52201FA7 0CB8DB34 FB549490 951A701E 04AD49D6 71B74D08 9CAA8C0E 5E833A21 291D6978 F918F25D 5C769BDB E4BB72A8 4A1AFE6A 0BBAD18D 3EACC7B4 54AF408D 4F1CCB23 B9AE576F DAE2D1A6 8F43D275 741DB19E EDC3B81B 5E56964F 5F8C3363 ]])] = "openssl/4096-bit MODP group with safe prime modulus", [fromhex([[ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF ]])] = "RFC2409/Oakley Group 1", [fromhex([[ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF ]])] = "RFC2409/Oakley Group 2", [fromhex([[ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF ]])] = "RFC3526/Oakley Group 5", [fromhex([[ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF ]])] = "RFC3526/Oakley Group 14", [fromhex([[ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7 ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF ]])] = "RFC3526/Oakley Group 15", [fromhex([[ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7 ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199 FFFFFFFF FFFFFFFF ]])] = "RFC3526/Oakley Group 16", [fromhex([[ B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6 9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0 13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70 98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0 A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708 DF1FB2BC 2E4A4371 ]])] = "RFC5114/1024-bit DSA group with 160-bit prime order subgroup", [fromhex([[ AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1 B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15 EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212 9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207 C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708 B3BF8A31 70918836 81286130 BC8985DB 1602E714 415D9330 278273C7 DE31EFDC 7310F712 1FD5A074 15987D9A DC0A486D CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8 BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763 C9B53DCF 4BA80A29 E3FB73C1 6B8E75B9 7EF363E2 FFA31F71 CF9DE538 4E71B81C 0AC4DFFE 0C10E64F ]])] = "RFC5114/2048-bit DSA group with 224-bit prime order subgroup", [fromhex([[ 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2 5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30 16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD 5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B 6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C 4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9 67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026 C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3 75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F 693877FA D7EF09CA DB094AE9 1E1A1597 ]])] = "RFC5114/2048-bit DSA group with 256-bit prime order subgroup", [fromhex([[ D6C094AD 57F5374F 68D58C7B 096872D9 45CEE1F8 2664E059 4421E1D5 E3C8E98B C3F0A6AF 8F92F19E 3FEF9337 B99B9C93 A055D55A 96E42573 4005A68E D47040FD F00A5593 6EBA4B93 F64CBA1A 004E4513 611C9B21 7438A703 A2060C20 38D0CFAA FFBBA48F B9DAC4B2 450DC58C B0320A03 17E2A31B 44A02787 C657FB0C 0CBEC11D ]])] = "weakdh.org/1024-bit MODP group with non-safe prime modulus", [fromhex([[ C9BBF5F7 74A8297B 0F97CDDA 3A3468C7 117B6BF7 99A13D9F 1F5DAC48 7B2241FE 95EFB13C 2855DFD2 F898B3F9 9188E24E DF326DD6 8C76CC85 53728351 2D46F195 3129C693 364D8C71 202EABB3 EBC85C1D F53907FB D0B7EB49 0AD0BC99 28968680 0C46AB04 BF7CDD9A D425E6FB 25592EB6 258A0655 D75E93B2 671746AE 349E721B ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ 829FEBFC E3EE0434 862D3364 A62BDE7B 65F0C74A 3A53B555 291414FC AE5E86D7 34B16DBD CC952B1C 5EB443B1 54B3B466 62E811E1 1D8BC731 34018A5E A7B5B6A9 720D84BC 28B74822 C5AF24C9 04E5BB5A DABF8FF2 A5ED7B45 6688D6CA B82F8AF0 188A456C 3ED62D2F EACF6BD3 FD47337D 884DFA09 F0A3D696 75E35806 E3AE9593 ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ 92402435 C3A12E44 D3730D8E 78CADFA7 8E2F5B51 A956BFF4 DB8E5652 3E9695E6 3E32506C FEB912F2 A77D22E7 1BB54C86 80893B82 AD1BCF33 7F7F7796 D3FB9681 81D9BA1F 7034ABFB 1F97B310 4CF3203F 663E8199 0B7E090F 6C4C5EE1 A0E57EC1 74D3E84A D9E72E6A C7DA6AEA 12DF297C 131854FB F21AC4E8 79C23BBC 60B4F753 ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ A9A34811 446C7B69 A29FF999 7C2181EC FAAAD139 CCDE2455 755D42F4 2E700AFD 86779D54 8A7C07CA 5DE42332 61117D0A 5773F245 9C331AF1 A1B08EF8 360A14DE 4046F274 62DA36AA 47D9FDE2 92B8815D 598C3A9C 546E7ED3 95D22EC3 9119F5B9 22CC41B3 0AF220FF 47BDE1B8 8334AD29 81DDC5ED 923F11C3 DDD3B22C 949DC41B ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ CA6B8564 6DC21765 7605DACF E801FAD7 59845383 4AF126C8 CC765E0F 81014F24 93546AB7 DDE5C677 C32D5B06 05B1BBFA 4C5DBFA3 253ADB33 205B7D8C 67DF98C4 BCE81C78 13F9FC26 15F1C332 F953AB39 CE8B7FE7 E3951FB7 3131407F 4D5489B6 B17C6875 9A2EAF8B 195A8DE8 0A165E4E B7520774 B167A00F A5629FDC 5A9A25F3 ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ EB373E94 AB618DF8 20D233ED 93E3EBCB 319BDAC2 0994C1DF 003986A7 9FAFFF76 54151CC9 E0641314 92698B47 496F5FDC FAF12892 679D8BC3 1580D7D4 1CD83F81 529C7951 3D58EC67 2E0E87FC D008C137 E3E5861A B2D3A02F 4D372CEE 4F220FEB 2C9039AC 997664A7 EBB75444 6AA69EB3 E0EF3C60 F91C2639 2B54EC35 A970A7BB ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ 80A68ADC 5327E05C AAD07C44 64B8ADEA 908432AF 9651B237 F47A7A8B F84D568F DFDAFAB0 6621C0C4 28450F1C 55F7D4A8 ECE383F2 7D6055AD DF60C4B8 37DCC1E3 B8374E37 99517929 39FDC3BB B4285112 C8B4A9F6 FCE4DD53 AA23F99E 2647C394 CE4D8BB8 2E773F41 EB786CE8 4CD0C3DD 4C31D755 D1CF9E9B 70C45EE2 8ECDABAB ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ C0EB5F3A 4CB30A9F FE3786E8 4C038141 69B52030 5AD49F54 EFD8CAAC 31A69B29 73CC9F57 B4B8F80D 2C5FB68B 3913B617 2042D2E5 BD53381A 5E597696 C9E97BD6 488DB339 5581320D DD4AF9CD E4A4EBE2 9118C688 28E5B392 89C26728 0B4FDC25 10C288B2 174D77EE 0AAD9C1E 17EA5ED3 7CF971B6 B19A8711 8E529826 591CA14B ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus", [fromhex([[ 8FC0E1E2 0574D6AB 3C76DDEA 64524C20 76446B67 98E5B6BD 2614F966 9A5061D6 99034DB4 819780EC 8EE28A4E 66B5C4E0 A634E47B F9C981A5 EC4908EE 1B83A410 813165AC 0AB6BDCF D3257188 AC49399D 541C16F2 960F9D64 B9C51EC0 85AD0BB4 FE389013 18F0CD61 65D4B1B3 1C723953 B83217F8 B3EBF870 8160E82D 7911754B ]])] = "weakdh.org/1024-bit MODP group with safe prime modulus" } -- DSA parameters local DSA_PARAMS = { -- sun.security.provider/512-bit DSA group with 160-bit prime order subgroup [fromhex([[ FCA682CE 8E12CABA 26EFCCF7 110E526D B078B05E DECBCD1E B4A208F3 AE1617AE 01F35B91 A47E6DF6 3413C5E1 2ED0899B CD132ACD 50D99151 BDC43EE7 37592E17 ]])] = fromhex([[ 678471B2 7A9CF44E E91A49C5 147DB1A9 AAF244F0 5A434D64 86931D2D 14271B9E 35030B71 FD73DA17 9069B32E 2935630E 1C206235 4D0DA20A 6C416E50 BE794CA4 ]]), -- sun.security.provider/768-bit DSA group with 160-bit prime order subgroup [fromhex([[ E9E64259 9D355F37 C97FFD35 67120B8E 25C9CD43 E927B3A9 670FBEC5 D8901419 22D2C3B3 AD248009 3799869D 1E846AAB 49FAB0AD 26D2CE6A 22219D47 0BCE7D77 7D4A21FB E9C270B5 7F607002 F3CEF839 3694CF45 EE3688C1 1A8C56AB 127A3DAF ]])] = fromhex([[ 30470AD5 A005FB14 CE2D9DCD 87E38BC7 D1B1C5FA CBAECBE9 5F190AA7 A31D23C4 DBBCBE06 17454440 1A5B2C02 0965D8C2 BD2171D3 66844577 1F74BA08 4D2029D8 3C1C1585 47F3A9F1 A2715BE2 3D51AE4D 3E5A1F6A 7064F316 933A346D 3F529252 ]]), -- sun.security.provider/1024-bit DSA group with 160-bit prime order subgroup [fromhex([[ FD7F5381 1D751229 52DF4A9C 2EECE4E7 F611B752 3CEF4400 C31E3F80 B6512669 455D4022 51FB593D 8D58FABF C5F5BA30 F6CB9B55 6CD7813B 801D346F F26660B7 6B9950A5 A49F9FE8 047B1022 C24FBBA9 D7FEB7C6 1BF83B57 E7C6A8A6 150F04FB 83F6D3C5 1EC30235 54135A16 9132F675 F3AE2B61 D72AEFF2 2203199D D14801C7 ]])] = fromhex([[ F7E1A085 D69B3DDE CBBCAB5C 36B857B9 7994AFBB FA3AEA82 F9574C0B 3D078267 5159578E BAD4594F E6710710 8180B449 167123E8 4C281613 B7CF0932 8CC8A6E1 3C167A8B 547C8D28 E0A3AE1E 2BB3A675 916EA37F 0BFA2135 62F1FB62 7A01243B CCA4F1BE A8519089 A883DFE1 5AE59F06 928B665E 807B5525 64014C3B FECF492A ]]), -- RFC5114/1024-bit DSA group with 160-bit prime order subgroup [fromhex([[ B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6 9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0 13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70 98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0 A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708 DF1FB2BC 2E4A4371 ]])] = fromhex([[ A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213 160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1 909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24 855E6EEB 22B3B2E5 ]]), -- RFC5114/2048-bit DSA group with 224-bit prime order subgroup [fromhex([[ AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1 B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15 EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212 9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207 C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708 B3BF8A31 70918836 81286130 BC8985DB 1602E714 415D9330 278273C7 DE31EFDC 7310F712 1FD5A074 15987D9A DC0A486D CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8 BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763 C9B53DCF 4BA80A29 E3FB73C1 6B8E75B9 7EF363E2 FFA31F71 CF9DE538 4E71B81C 0AC4DFFE 0C10E64F ]])] = fromhex([[ AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF 74866A08 CFE4FFE3 A6824A4E 10B9A6F0 DD921F01 A70C4AFA AB739D77 00C29F52 C57DB17C 620A8652 BE5E9001 A8D66AD7 C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A E2471504 22EA1ED4 09939D54 DA7460CD B5F6C6B2 50717CBE F180EB34 118E98D1 19529A45 D6F83456 6E3025E3 16A330EF BB77A86F 0C1AB15B 051AE3D4 28C8F8AC B70A8137 150B8EEB 10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381 B539CCE3 409D13CD 566AFBB4 8D6C0191 81E1BCFE 94B30269 EDFE72FE 9B6AA4BD 7B5A0F1C 71CFFF4C 19C418E1 F6EC0179 81BC087F 2A7065B3 84B890D3 191F2BFA ]]), -- RFC5114/2048-bit DSA group with 256-bit prime order subgroup [fromhex([[ 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2 5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30 16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD 5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B 6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C 4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9 67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026 C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3 75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F 693877FA D7EF09CA DB094AE9 1E1A1597 ]])] = fromhex([[ 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054 07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555 BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18 A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B 777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83 1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55 A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14 C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915 B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6 184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451 5E2327CF EF98C582 664B4C0F 6CC41659 ]]) } -- Add additional context (protocol) to debug output local function ctx_log(level, protocol, fmt, ...) return stdnse.debug(level, "(%s) " .. fmt, protocol, ...) end -- returns a function that yields a new tls record each time it is called local function get_record_iter(sock) local buffer = "" local i = 1 local fragment return function () local record i, record = tls.record_read(buffer, i, fragment) if record == nil then local status, err status, buffer, err = tls.record_buffer(sock, buffer, i) if not status then return nil, err end i, record = tls.record_read(buffer, i, fragment) if record == nil then return nil, "done" end end fragment = record.fragment return record end end local function get_server_response(host, port, t) local timeout = stdnse.get_timeout(host, 10000, 5000) -- Create socket. local status, sock, err local starttls = sslcert.getPrepareTLSWithoutReconnect(port) if starttls then status, sock = starttls(host, port) if not status then ctx_log(1, t.protocol, "Can't connect: %s", sock) return nil end else sock = nmap.new_socket() sock:set_timeout(timeout) status, err = sock:connect(host, port) if not status then ctx_log(1, t.protocol, "Can't connect: %s", err) sock:close() return nil end end sock:set_timeout(timeout) -- Send request. local req = tls.client_hello(t) status, err = sock:send(req) if not status then ctx_log(1, t.protocol, "Can't send: %s", err) sock:close() return nil end -- Read response. local get_next_record = get_record_iter(sock) local records = {} while true do local record record, err = get_next_record() if not record then ctx_log(1, t.protocol, "Couldn't read a TLS record: %s", err) sock:close() return records end -- Collect message bodies into one record per type records[record.type] = records[record.type] or record local done = false for j = 1, #record.body do -- no ipairs because we append below local b = record.body[j] done = ((record.type == "alert" and b.level == "fatal") or (record.type == "handshake" and b.type == "server_hello_done")) table.insert(records[record.type].body, b) end if done then sock:close() return records end end end -- If protocol fails (i.e. no ciphers will ever succeed) then returns false -- If no ciphers were supported, but the protocol is valid, then returns nil -- else returns the cipher and dh params local function get_dhe_params(host, port, protocol, ciphers) local cipher, packed local t = {} local pos = 1 t.protocol = protocol t.extensions = {} if host.targetname then t.extensions.server_name = tls.EXTENSION_HELPERS.server_name(host.targetname) end -- Keep ClientHello record size below 255 bytes and the number of ciphersuites -- to 64 or less in order to avoid implementation issues with some TLS servers -- Get handshake record size with just one cipher t.ciphers = { "TLS_NULL_WITH_NULL_NULL" } local len = #tls.client_hello(t) local room = math.floor(math.max(0, (255 - len) / 2)) local function next_chunk(t, ciphers, pos) -- Compute number of ciphers to fit in next chunk local last = math.min(#ciphers, pos + math.min(63, room)) t.ciphers = {} for i = pos, last do table.insert(t.ciphers, ciphers[i]) end return last + 1 end while pos <= #ciphers do pos = next_chunk(t, ciphers, pos) local records = get_server_response(host, port, t) if not records then stdnse.debug1("Connection failed") return false end local alert = records.alert if alert then for j = 1, #alert.body do ctx_log(2, protocol, "Received alert: %s", alert.body[j].description) if alert["protocol"] ~= protocol then ctx_log(1, protocol, "Protocol rejected.") return false end end end -- Extract negotiated cipher suite and key exchange data local handshake = records.handshake if handshake then for j = 1, #handshake.body do if handshake.body[j].type == "server_hello" then if handshake.body[j].protocol ~= protocol then ctx_log(1, protocol, "Protocol rejected in server hello") return false end cipher = handshake.body[j].cipher elseif handshake.body[j].type == "server_key_exchange" then packed = handshake.body[j].data end end end -- Only try next chunk if current chunk was rejected if cipher and packed then local info = tls.cipher_info(cipher) local data = tls.KEX_ALGORITHMS[info.kex].server_key_exchange(packed, protocol) return cipher, data.dhparams end end return nil end local function get_dhe_ciphers() local dh_anons = {} local dhe_ciphers = {} local dhe_exports = {} for cipher, _ in pairs(tls.CIPHERS) do local info = tls.cipher_info(cipher) if DH_anon_ALGORITHMS[info.kex] then dh_anons[#dh_anons + 1] = cipher end if DHE_ALGORITHMS[info.kex] then dhe_ciphers[#dhe_ciphers + 1] = cipher end if DHE_ALGORITHMS_EXPORT[info.kex] then dhe_exports[#dhe_exports + 1] = cipher end end return dh_anons, dhe_ciphers, dhe_exports end local fields_order = { "Cipher Suite", "Modulus Type", "Modulus Source", "Modulus Length", "Generator Length", "Public Key Length", } local group_metatable = { __tostring = function(g) local out = {} for i=1, #fields_order do local k = fields_order[i] if g[k] then out[#out+1] = (" %s: %s"):format(k, g[k]) end end return table.concat(out, "\n") end } local function check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams) local source = DHE_PRIMES[dhparams.p] local length = #dhparams.p * 8 local genlen = #dhparams.g * 8 local pubkeylen = #dhparams.y * 8 local modulus = stdnse.tohex(dhparams.p) local generator = stdnse.tohex(dhparams.g) local pubkey = stdnse.tohex(dhparams.y) local is_prime, is_safe local group = { ["Cipher Suite"] = cipher, ["Modulus Source"] = source or "Unknown/Custom-generated", ["Modulus Length"] = length, ["Modulus"] = modulus, ["Generator Length"] = genlen, ["Generator"] = generator, ["Public Key Length"] = pubkeylen } setmetatable(group, group_metatable) if have_ssl then local bn = openssl.bignum_bin2bn(dhparams.p) is_safe, is_prime = openssl.bignum_is_safe_prime(bn) group["Modulus Type"] = (is_safe and "Safe prime") or (is_prime and "Non-safe prime") or "Composite" end if string.find(cipher, "DH_anon") then anondh[#anondh + 1] = group elseif string.find(cipher, "EXPORT") then logjam[#logjam + 1] = group elseif length <= 1024 then weakdh[#weakdh + 1] = group end -- The use of non-safe primes requires carefully generated parameters -- in order to be secure. Do some rudimentary validation checks here. if have_ssl and not is_safe and not DSA_PARAMS[dhparams.p] then nosafe[#nosafe + 1] = group elseif DSA_PARAMS[dhparams.p] and DSA_PARAMS[dhparams.p] ~= dhparams.g then nosafe[#nosafe + 1] = group end end portrule = function(host, port) return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) end local function format_check(t, label) local out = {} for i, v in ipairs(t) do out[i] = string.format("%s %d\n%s", label, i, v) end return out end action = function(host, port) local dh_anons, dhe_ciphers, dhe_exports = get_dhe_ciphers() local cipher local dhparams local anondh = {} local logjam = {} local weakdh = {} local nosafe = {} local primes = {} local anons = {} local vuln_table_anondh = { title = "Anonymous Diffie-Hellman Key Exchange MitM Vulnerability", description = [[ Transport Layer Security (TLS) services that use anonymous Diffie-Hellman key exchange only provide protection against passive eavesdropping, and are vulnerable to active man-in-the-middle attacks which could completely compromise the confidentiality and integrity of any data exchanged over the resulting session.]], state = vulns.STATE.NOT_VULN, references = { "https://www.ietf.org/rfc/rfc2246.txt" } } local vuln_table_logjam = { title = "Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)", description = [[ The Transport Layer Security (TLS) protocol contains a flaw that is triggered when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker to downgrade the security of a TLS session to 512-bit export-grade cryptography, which is significantly weaker, allowing the attacker to more easily break the encryption and monitor or tamper with the encrypted stream.]], state = vulns.STATE.NOT_VULN, IDS = { CVE = 'CVE-2015-4000', OSVDB = '122331' }, SCORES = { CVSSv2 = '4.3' }, dates = { disclosure = { year = 2015, month = 5, day = 19 } }, references = { "https://weakdh.org" } } local vuln_table_weakdh = { title = "Diffie-Hellman Key Exchange Insufficient Group Strength", description = [[ Transport Layer Security (TLS) services that use Diffie-Hellman groups of insufficient strength, especially those using one of a few commonly shared groups, may be susceptible to passive eavesdropping attacks.]], state = vulns.STATE.NOT_VULN, references = { "https://weakdh.org" } } local vuln_table_nosafe = { title = "Diffie-Hellman Key Exchange Incorrectly Generated Group Parameters", description = [[ This TLS service appears to be using a modulus that is not a safe prime and does not correspond to any well-known DSA group for Diffie-Hellman key exchange. These parameters MAY be secure if: - They were generated according to the procedure described in FIPS 186-4 for DSA Domain Parameter Generation, or - The generator g generates a subgroup of large prime order Additional testing may be required to verify the security of these parameters.]], state = vulns.STATE.NOT_VULN, references = { "https://weakdh.org", "http://www2.esentire.com/TLSUnjammedWP" } } for protocol in pairs(tls.PROTOCOLS) do -- Try anonymous DH ciphersuites cipher, dhparams = get_dhe_params(host, port, protocol, dh_anons) -- Explicit test for false needed because nil just means no ciphers supported. if cipher == false then goto NEXT_PROTOCOL end if dhparams and not anons[dhparams.p] then vuln_table_anondh.state = vulns.STATE.VULN check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams) anons[dhparams.p] = 1 end -- Try DHE_EXPORT ciphersuites cipher, dhparams = get_dhe_params(host, port, protocol, dhe_exports) if dhparams and not primes[dhparams.p] then check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams) primes[dhparams.p] = 1 end -- Try non-export DHE ciphersuites cipher, dhparams = get_dhe_params(host, port, protocol, dhe_ciphers) if dhparams and not primes[dhparams.p] then check_dhgroup(anondh, logjam, weakdh, nosafe, cipher, dhparams) primes[dhparams.p] = 1 end ::NEXT_PROTOCOL:: end local report = vulns.Report:new(SCRIPT_NAME, host, port) vuln_table_anondh.check_results = format_check(anondh, "ANONYMOUS DH GROUP") vuln_table_logjam.check_results = format_check(logjam, "EXPORT-GRADE DH GROUP") vuln_table_weakdh.check_results = format_check(weakdh, "WEAK DH GROUP") vuln_table_nosafe.check_results = format_check(nosafe, "NON-SAFE GROUP") if #anondh > 0 then vuln_table_anondh.state = vulns.STATE.VULN end if #logjam > 0 then vuln_table_logjam.state = vulns.STATE.VULN end if #weakdh > 0 then vuln_table_weakdh.state = vulns.STATE.VULN end if #nosafe > 0 then vuln_table_nosafe.state = vulns.STATE.LIKELY_VULN end return report:make_output(vuln_table_anondh, vuln_table_logjam, vuln_table_weakdh, vuln_table_nosafe) end