NMAP SSL Cipher Checking – Networking Lab

I was making changes on F5s to remove ciphers considered weak. Once the change has been made, the VIP on the F5 must be checked. If the VIP is public and has a DNS record then using SSL labs in very simple. However, if the VIP has no public DNS record, or is not public facing SSL labs will not be able to run the web based scan.
This is where NAMP comes in handy. This may be run against an IP or domain as long as the NMAP client has access to the server.

This particular NAMP scan is for SSL ciphers, details can be found here.
What I have done is to install NMAP on my WSL2 instance running Ubuntu 20.04.


$ sudo apt-get update
$ sudo apt-get install nmap

$ nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1d nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

$ sudo apt-get update

$ sudo apt-get install nmap

$ nmap --version

Nmap version 7.80 ( https://nmap.org )

Platform: x86_64-pc-linux-gnu

Compiled with: liblua-5.3.3 openssl-1.1.1d nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6

Compiled without:

Available nsock engines: epoll poll select

Running a quick test against Google.com. The Ciphers can be seen under the section “ssl-enum-ciphers:”. This command can be modified to use a different domain or IP, and ports can be changed from 443 to anything. This is really all there is to it.


$ nmap -sV --script ssl-enum-ciphers -p 443 google.com


Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 14:59 GMT
Nmap scan report for google.com (172.217.169.46)
Host is up (0.0093s latency).
Other addresses for google.com (not scanned): 2a00:1450:4009:821::200e
rDNS record for 172.217.169.46: lhr48s08-in-f14.1e100.net

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https gws
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Wed, 04 Jan 2023 15:00:10 GMT
|     Expires: -1
|     Cache-Control: private, max-age=0
|     Content-Type: text/html; charset=ISO-8859-1
|     Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups; report-to="gws"
|     Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
|     P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
|     Server: gws
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Set-Cookie: SOCS=CAAaBgiAg9OdBg; expires=Sat, 03-Feb-2024 15:00:10 GMT; path=/; domain=.google.com; Secure; SameSite=lax
|     Set-Cookie: AEC=ARSKqsIRk1sbdkn2wtFH_gvjIG70g4_7PrE9rdgVV3393xiIYoaH_cmduQ; expires=Mon, 03-Jul-2023 15:00:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
|     Set-Cookie: __Secure-ENID=9.SE=IQzNrxqiDwgVzj73OiYRJvinvZ3J85_UrHzN-Ucwo8H6s2oCsA9l3XuRBDQynEH-WZpumRE4mu-8P1b59ycgO4H65
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: GET, HEAD
|     Date: Wed, 04 Jan 2023 15:00:10 GMT
|     Content-Type: text/html; charset=UTF-8
|     Server: gws
|     Content-Length: 1592
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
|     <!DOCTYPE html>
|     <html lang=en>
|     <meta charset=utf-8>
|     <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
|     <title>Error 405 (Method Not Allowed)!!1</title>
|     <style>
|_    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22p
|_http-server-header: gws
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.80%T=SSL%I=7%D=1/4%Time=63B5947A%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,3714,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Wed,\x2004\x20Jan
SF:\x202023\x2015:00:10\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\x20priv
SF:ate,\x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-8859-1\
SF:r\nCross-Origin-Opener-Policy-Report-Only:\x20same-origin-allow-popups;
SF:\x20report-to=\"gws\"\r\nReport-To:\x20{\"group\":\"gws\",\"max_age\":2
SF:592000,\"endpoints\":\[{\"url\":\"https://csp\.withgoogle\.com/csp/repo
SF:rt-to/gws/other\"}\]}\r\nP3P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20
SF:policy!\x20See\x20g\.co/p3phelp\x20for\x20more\x20info\.\"\r\nServer:\x
SF:20gws\r\nX-XSS-Protection:\x200\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSe
SF:t-Cookie:\x20SOCS=CAAaBgiAg9OdBg;\x20expires=Sat,\x2003-Feb-2024\x2015:
SF:00:10\x20GMT;\x20path=/;\x20domain=\.google\.com;\x20Secure;\x20SameSit
SF:e=lax\r\nSet-Cookie:\x20AEC=ARSKqsIRk1sbdkn2wtFH_gvjIG70g4_7PrE9rdgVV33
SF:93xiIYoaH_cmduQ;\x20expires=Mon,\x2003-Jul-2023\x2015:00:10\x20GMT;\x20
SF:path=/;\x20domain=\.google\.com;\x20Secure;\x20HttpOnly;\x20SameSite=la
SF:x\r\nSet-Cookie:\x20__Secure-ENID=9\.SE=IQzNrxqiDwgVzj73OiYRJvinvZ3J85_
SF:UrHzN-Ucwo8H6s2oCsA9l3XuRBDQynEH-WZpumRE4mu-8P1b59ycgO4H65")%r(HTTPOpti
SF:ons,7BC,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nAllow:\x20GET,
SF:\x20HEAD\r\nDate:\x20Wed,\x2004\x20Jan\x202023\x2015:00:10\x20GMT\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=UTF-8\r\nServer:\x20gws\r\nContent
SF:-Length:\x201592\r\nX-XSS-Protection:\x200\r\nX-Frame-Options:\x20SAMEO
SF:RIGIN\r\nAlt-Svc:\x20h3=\":443\";\x20ma=2592000,h3-29=\":443\";\x20ma=2
SF:592000,h3-Q050=\":443\";\x20ma=2592000,h3-Q046=\":443\";\x20ma=2592000,
SF:h3-Q043=\":443\";\x20ma=2592000,quic=\":443\";\x20ma=2592000;\x20v=\"46
SF:,43\"\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=en>\n\x20\x20<meta\x20ch
SF:arset=utf-8>\n\x20\x20<meta\x20name=viewport\x20content=\"initial-scale
SF:=1,\x20minimum-scale=1,\x20width=device-width\">\n\x20\x20<title>Error\
SF:x20405\x20\(Method\x20Not\x20Allowed\)!!1</title>\n\x20\x20<style>\n\x2
SF:0\x20\x20\x20\*{margin:0;padding:0}html,code{font:15px/22px\x20arial,sa
SF:ns-serif}html{background:#fff;color:#222;padding:15px}body{margin:7%\x2
SF:0auto\x200;max-width:390px;min-height:180px;padding:30px\x200\x2015px}\
SF:*\x20>\x20body{background:url\(//www\.google\.com/images/errors/robot\.
SF:png\)\x20100%\x205px\x20no-repeat;padding-right:205px}p{margin:11px\x20
SF:0\x2022p");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.18 seconds

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

$ nmap -sV --script ssl-enum-ciphers -p 443 google.com

Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 14:59 GMT

Nmap scan report for google.com (172.217.169.46)

Host is up (0.0093s latency).

Other addresses for google.com (not scanned): 2a00:1450:4009:821::200e

rDNS record for 172.217.169.46: lhr48s08-in-f14.1e100.net

PORT STATE SERVICE VERSION

443/tcp open ssl/https gws

| fingerprint-strings:

| GetRequest:

| HTTP/1.0 200 OK

| Date: Wed, 04 Jan 2023 15:00:10 GMT

| Expires: -1

| Cache-Control: private, max-age=0

| Content-Type: text/html; charset=ISO-8859-1

| Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups; report-to="gws"

| Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}

| P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."

| Server: gws

| X-XSS-Protection: 0

| X-Frame-Options: SAMEORIGIN

| Set-Cookie: SOCS=CAAaBgiAg9OdBg; expires=Sat, 03-Feb-2024 15:00:10 GMT; path=/; domain=.google.com; Secure; SameSite=lax

| Set-Cookie: AEC=ARSKqsIRk1sbdkn2wtFH_gvjIG70g4_7PrE9rdgVV3393xiIYoaH_cmduQ; expires=Mon, 03-Jul-2023 15:00:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax

| Set-Cookie: __Secure-ENID=9.SE=IQzNrxqiDwgVzj73OiYRJvinvZ3J85_UrHzN-Ucwo8H6s2oCsA9l3XuRBDQynEH-WZpumRE4mu-8P1b59ycgO4H65

| HTTPOptions:

| HTTP/1.0 405 Method Not Allowed

| Allow: GET, HEAD

| Date: Wed, 04 Jan 2023 15:00:10 GMT

| Content-Type: text/html; charset=UTF-8

| Server: gws

| Content-Length: 1592

| X-XSS-Protection: 0

| X-Frame-Options: SAMEORIGIN

| Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

| <!DOCTYPE html>

| <html lang=en>

| <meta charset=utf-8>

| <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">

| <title>Error 405 (Method Not Allowed)!!1</title>

| <style>

|_ *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22p

|_http-server-header: gws

| ssl-enum-ciphers:

| TLSv1.0:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

| compressors:

| NULL

| cipher preference: server

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

| TLSv1.1:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

| compressors:

| NULL

| cipher preference: server

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

| TLSv1.2:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

| compressors:

| NULL

| cipher preference: client

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

|_ least strength: C

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port443-TCP:V=7.80%T=SSL%I=7%D=1/4%Time=63B5947A%P=x86_64-pc-linux-gnu%

SF:r(GetRequest,3714,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Wed,\x2004\x20Jan

SF:\x202023\x2015:00:10\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\x20priv

SF:ate,\x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-8859-1\

SF:r\nCross-Origin-Opener-Policy-Report-Only:\x20same-origin-allow-popups;

SF:\x20report-to=\"gws\"\r\nReport-To:\x20{\"group\":\"gws\",\"max_age\":2

SF:592000,\"endpoints\":\[{\"url\":\"https://csp\.withgoogle\.com/csp/repo

SF:rt-to/gws/other\"}\]}\r\nP3P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20

SF:policy!\x20See\x20g\.co/p3phelp\x20for\x20more\x20info\.\"\r\nServer:\x

SF:20gws\r\nX-XSS-Protection:\x200\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSe

SF:t-Cookie:\x20SOCS=CAAaBgiAg9OdBg;\x20expires=Sat,\x2003-Feb-2024\x2015:

SF:00:10\x20GMT;\x20path=/;\x20domain=\.google\.com;\x20Secure;\x20SameSit

SF:e=lax\r\nSet-Cookie:\x20AEC=ARSKqsIRk1sbdkn2wtFH_gvjIG70g4_7PrE9rdgVV33

SF:93xiIYoaH_cmduQ;\x20expires=Mon,\x2003-Jul-2023\x2015:00:10\x20GMT;\x20

SF:path=/;\x20domain=\.google\.com;\x20Secure;\x20HttpOnly;\x20SameSite=la

SF:x\r\nSet-Cookie:\x20__Secure-ENID=9\.SE=IQzNrxqiDwgVzj73OiYRJvinvZ3J85_

SF:UrHzN-Ucwo8H6s2oCsA9l3XuRBDQynEH-WZpumRE4mu-8P1b59ycgO4H65")%r(HTTPOpti

SF:ons,7BC,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nAllow:\x20GET,

SF:\x20HEAD\r\nDate:\x20Wed,\x2004\x20Jan\x202023\x2015:00:10\x20GMT\r\nCo

SF:ntent-Type:\x20text/html;\x20charset=UTF-8\r\nServer:\x20gws\r\nContent

SF:-Length:\x201592\r\nX-XSS-Protection:\x200\r\nX-Frame-Options:\x20SAMEO

SF:RIGIN\r\nAlt-Svc:\x20h3=\":443\";\x20ma=2592000,h3-29=\":443\";\x20ma=2

SF:592000,h3-Q050=\":443\";\x20ma=2592000,h3-Q046=\":443\";\x20ma=2592000,

SF:h3-Q043=\":443\";\x20ma=2592000,quic=\":443\";\x20ma=2592000;\x20v=\"46

SF:,43\"\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=en>\n\x20\x20<meta\x20ch

SF:arset=utf-8>\n\x20\x20<meta\x20name=viewport\x20content=\"initial-scale

SF:=1,\x20minimum-scale=1,\x20width=device-width\">\n\x20\x20<title>Error\

SF:x20405\x20$Method\x20Not\x20Allowed$!!1</title>\n\x20\x20<style>\n\x2

SF:0\x20\x20\x20\*{margin:0;padding:0}html,code{font:15px/22px\x20arial,sa

SF:ns-serif}html{background:#fff;color:#222;padding:15px}body{margin:7%\x2

SF:0auto\x200;max-width:390px;min-height:180px;padding:30px\x200\x2015px}\

SF:*\x20>\x20body{background:url\(//www\.google\.com/images/errors/robot\.

SF:png\)\x20100%\x205px\x20no-repeat;padding-right:205px}p{margin:11px\x20

SF:0\x2022p");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 66.18 seconds

Leave a Comment Cancel Reply