Nigel Matthews and Max McFarlane (Free Tools Development Team, Titania)
About the Authors
Titania’s Free Tools Team have worked hard to build and maintain a number of free tools, which have now been released to assist other auditors and penetration testers with their work.
Since the developers at Titania come from a penetration testing background, over the years they have created a number of tools to support their own work, and some of those tools have since been released publicly. This article looks at two of them, SSL Scan and Banner Grab, and also offers an early look at a number of updates that will be released soon.
Although some Linux distributions package these tools, Titania distributes them as source code. This article shows how they can be compiled from source and run.
The purpose of SSL Scan is to determine which encryption ciphers a particular SSL service supports. It also obtains a copy of the SSL certificate, determines the default ciphers and can send additional service probes to determine whether a cipher can actually be used with the service. Some SSL servers will complete a handshake with an encryption cipher that the service behind the SSL layer then refuses to use, which is why SSL Scan can follow the handshake with a protocol-level request (the --http option) rather than trusting the handshake alone.
SSL Scan makes use of the OpenSSL library to create a list of potential ciphers that are then used to test a service.
From the SSL Scan page on the Titania website, follow the link to download SSL Scan (the latest version is 1.8.2). You will also need OpenSSL (and the development headers, if these are packaged separately on your system) and the GNU C compiler, gcc. You may be able to use Cygwin / MinGW on Windows.
Extract the source code to a directory and then open a command prompt in that directory. You can then compile the source code using the following command (the libraries are listed after the source file so that linkers which default to --as-needed still resolve them):
gcc -o sslscan sslscan.c -lssl -lcrypto
On Apple Mac OS X systems the procedure is slightly different, as you need to build against the MacPorts version of OpenSSL rather than the version that Apple supply. Download and install MacPorts from macports.org, then execute the following command to install OpenSSL from MacPorts:
sudo port install openssl
Then compile SSL Scan against the MacPorts headers and libraries:
gcc -I/opt/local/include -L/opt/local/lib -o sslscan sslscan.c -lssl -lcrypto
Using SSL Scan
Now that SSL Scan is compiled, you can obtain help on the command line options by typing the following command (see Listing 1):
./sslscan --help
Listing 1. './sslscan --help' results
./sslscan [Options] [host:port | host]
  --targets=<file>     A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port).
  --no-failed          List only accepted ciphers (default is to listing all ciphers).
  --ssl2               Only check SSLv2 ciphers.
  --ssl3               Only check SSLv3 ciphers.
  --tls1               Only check TLSv1 ciphers.
  --pk=<file>          A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape).
  --pkpass=<password>  The password for the private key or
  --certs=<file>       A file containing PEM/ASN1 formatted
  --starttls           If a STARTTLS is required to kick an SMTP service into action.
  --http               Test a HTTP connection.
  --bugs               Enable SSL implementation bug workarounds.
  --xml=<file>         Output results to an XML file.
  --version            Display the program version.
  --quiet              Be quiet
  --help               Display the help text you are now
To use SSL Scan to determine what ciphers a standard HTTPS server operating on port 443 supports (using Google as an example), run:
./sslscan www.google.com
You will then receive information similar to what you can see in Listing 2.
Listing 2. Testing SSL server www.google.com on port 443
Testing SSL server www.google.com on port 443
SSL Scan can be integrated into third-party products by using the XML output option. The XML results can then be imported and managed by your own custom applications. To do this you can use the following command:
./sslscan --xml=scan-results.xml www.google.com
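As an added example of the kind of custom application the article has in mind (this is written for the article, not code from Titania), the script below reads an sslscan XML file and reduces it to the two things an auditor wants from a cipher survey: which ciphers each host accepted, and which of those are weak. The sample document is constructed in the shape of sslscan 1.8.2's output; the element and attribute names (ssltest, cipher, defaultcipher, status, sslversion, bits) are assumed from that format and the host and results are made up.

```python
"""Triage sslscan --xml output: list accepted ciphers per host and flag weak
ones. Added example for this article, not part of Titania's code."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of sslscan 1.8.2's XML output; the element
# and attribute names are assumed from that format and the results are made up.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="1.8.2" web="http://www.titania.co.uk">
 <ssltest host="www.example.com" port="443">
  <cipher status="rejected" sslversion="SSLv2" bits="128" cipher="RC4-MD5" />
  <cipher status="accepted" sslversion="SSLv3" bits="40" cipher="EXP-RC4-MD5" />
  <cipher status="accepted" sslversion="SSLv3" bits="128" cipher="RC4-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="168" cipher="DES-CBC3-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="0" cipher="NULL-SHA" />
  <defaultcipher sslversion="TLSv1" bits="128" cipher="AES128-SHA" />
 </ssltest>
</document>
"""

# Cipher-name fragments that are a finding regardless of key length:
# no encryption, export grade, RC4, and anonymous (unauthenticated) key exchange.
WEAK_TOKENS = ("NULL", "EXP", "RC4", "ADH", "AECDH")


def is_weak(sslversion, cipher, bits):
    """Anything on SSLv2, anything under 128 bits, or a name carrying a weak token."""
    if sslversion == "SSLv2" or bits < 128:
        return True
    return any(tok in cipher.upper() for tok in WEAK_TOKENS)


def parse_results(xml_text):
    """Return one dict per <ssltest>: host, port, accepted ciphers, default cipher per protocol."""
    root = ET.fromstring(xml_text)
    results = []
    for test in root.iter("ssltest"):
        accepted = [
            (c.get("sslversion"), c.get("cipher"), int(c.get("bits")))
            for c in test.findall("cipher")
            if c.get("status") == "accepted"
        ]
        default = {d.get("sslversion"): d.get("cipher") for d in test.findall("defaultcipher")}
        results.append({"host": test.get("host"), "port": int(test.get("port")),
                        "accepted": accepted, "default": default})
    return results


def weak_ciphers(result):
    """Accepted ciphers for one host that is_weak() flags, sorted by protocol then name."""
    return sorted((v, c, b) for v, c, b in result["accepted"] if is_weak(v, c, b))


def report(xml_text):
    """Plain-text summary: one line per host plus one per weak cipher."""
    lines = []
    for r in parse_results(xml_text):
        weak = weak_ciphers(r)
        lines.append(f"{r['host']}:{r['port']}  accepted={len(r['accepted'])}  weak={len(weak)}")
        for v, c, b in weak:
            lines.append(f"  {v:6} {b:4} bits  {c}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(report(source))
```

Point it at a real file with `python3 triage.py scan-results.xml` (the script name is arbitrary). The weakness rules are deliberately blunt; a real policy would also consider the key exchange and the protocol version the cipher was accepted on, both of which are available from the same attributes.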
When performing a penetration assessment, obtaining network service banners can often provide useful information. This information is not always accurately processed and reported by vulnerability scanners. Information leakage from a network service banner can have the potential to lead an attacker toward software vulnerabilities. For example, SSH service banners will often include both software and version details.
Titania developed Banner Grab to collect that service banner information for you. In addition to standard service banners, Banner Grab can send specially formatted triggers for different types of service in order to obtain as much information as possible. By default Banner Grab sends a trigger when the port is a common one that has a trigger defined for it.
From the Banner Grab page on the Titania website, follow the link to download Banner Grab (the latest version is 3.6). If you want to compile Banner Grab with SSL support you will need OpenSSL (and the development headers, if these are packaged separately on your system). You will also need the GNU C compiler, gcc. You may be able to use Cygwin / MinGW on Windows.
Extract the source code to a directory and then open a command prompt in that directory. You can then compile the source code using the following command (as with SSL Scan, the libraries go after the source file so that linkers which default to --as-needed still resolve them):
gcc -o bannergrab bannergrab.c -lssl -lcrypto
If you want to build Banner Grab without SSL support you can use the following:
gcc -DNOSSL -o bannergrab bannergrab.c
Using Banner Grab
Once compiled you can get help on Banner Grab by typing the following command:
./bannergrab --help
The result should be similar to what you can see in Listing 3.
Listing 3. './bannergrab --help' results
./bannergrab [Options] host port
  --udp                 Connect to a port using UDP. The default is to use TCP.
  --no-triggers         Collect only the connection banner, no triggers and no SSL.
  --trigger=<trigger>   Specify the trigger to use. Specify DEFAULT to use the default trigger.
  --no-ssl              Prevent SSL connection creation.
  --no-hex              Output containing non-printable characters is converted to hex. This option prevents the conversion.
  --conn-time=<secs>    Connection timeout (default is 5s).
  --read-time=<secs>    Read timeout (default is 3s).
  --verbose             Show additional program details such as any errors.
  --show-triggers       Show the supported triggers.
  --version             Show the program version.
  --help                Display the help text you are reading now.
For example, to collect the banner from a web server on the local machine:
./bannergrab 127.0.0.1 80
To get a simple banner from an SSH server you could type the following:
./bannergrab 192.168.0.22 22
On my test SSH service the result was:
As you can see the SSH service returned not only the SSH protocol but the SSH service software and version. This is very useful information for an attacker attempting to identify software vulnerabilities to exploit.
I mentioned earlier that Banner Grab sends triggers to a service to obtain additional information. In the next example I will use Banner Grab to get service information from an SNMP service. SNMP listens on UDP and never speaks first, so the --udp option is required and the result depends entirely on the trigger. The command was:
./bannergrab --udp 192.168.0.12 161
See the results in Listing 4.
Listing 4. './bannergrab --udp 192.168.0.12 161' results
When the information returned from a service includes non-printable characters, Banner Grab prints it as hex values with the printable characters shown to the right (the --no-hex option turns this off). From the returned information it appears to be an HP device, and it accepts the community strings "public" and "private". Default community strings are a finding in their own right, quite apart from what the device type and version reveal.
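To show what the tool is doing in the SSH and SNMP examples above, here is an added example written for this article (not Titania's bannergrab source): a small TCP banner grabber that first waits for an unsolicited banner, sends a port-specific trigger only if the service stays silent, and renders any result containing non-printable bytes as a hex view with the printable characters on the right. The trigger table is this example's own assumption; Banner Grab lists its real catalogue with --show-triggers. The two local fixture services, one that speaks first like an SSH daemon and one that waits to be asked like a web server, are constructed for the example. UDP services such as SNMP are out of scope here because they need a protocol-specific request rather than a plain connect.

```python
"""Minimal banner grabber with triggers and a hex view, in the spirit of Banner
Grab (added example for this article, not Titania's bannergrab source)."""
import socket
import threading

# Triggers to send when a service stays silent after connect. These are this
# example's own assumptions; Banner Grab lists its real catalogue with --show-triggers.
TRIGGERS = {
    80: b"HEAD / HTTP/1.0\r\n\r\n",
    443: b"HEAD / HTTP/1.0\r\n\r\n",
    25: b"EHLO bannergrab.example\r\n",
}


def recv_all(sock, read_timeout):
    """Read until the peer closes or stays quiet for read_timeout seconds."""
    sock.settimeout(read_timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)


def grab_banner(host, port, trigger=None, conn_timeout=5.0, read_timeout=3.0):
    """Connect over TCP, collect any unsolicited banner, and if there is none
    send the trigger for this port. Returns (banner, triggered_response)."""
    if trigger is None:
        trigger = TRIGGERS.get(port)
    with socket.create_connection((host, port), timeout=conn_timeout) as sock:
        banner = recv_all(sock, read_timeout)
        response = b""
        if not banner and trigger:
            sock.sendall(trigger)
            response = recv_all(sock, read_timeout)
    return banner, response


def hexdump(data, width=16):
    """Offset, hex bytes, and printable characters on the right, the way
    Banner Grab shows data that contains non-printable bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines)


def render(data):
    """Show text as-is when it is all printable, otherwise fall back to the hex view."""
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return data.decode("ascii")
    return hexdump(data)


# Constructed fixtures: one-shot local services covering the two cases in the
# article, a server that speaks first and one that waits to be asked.
def serve_once(handler):
    """Run handler on a fresh 127.0.0.1 port for exactly one connection; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def fake_ssh(conn):
    conn.sendall(b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n")


def fake_http(conn):
    if conn.recv(1024).startswith(b"HEAD"):
        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n\r\n")


if __name__ == "__main__":
    port = serve_once(fake_ssh)
    banner, _ = grab_banner("127.0.0.1", port, read_timeout=0.5)
    print(render(banner), end="")
    port = serve_once(fake_http)
    _, response = grab_banner("127.0.0.1", port, trigger=TRIGGERS[80], read_timeout=0.5)
    print(render(response), end="")
```

The order matters: sending a trigger before listening would corrupt the banner from a service that speaks first, and sending nothing would leave a web server silent, which is exactly the distinction the --no-triggers option controls in Banner Grab.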
There are a number of exciting updates in progress from the Titania Free Tool Development Team at the moment. The SSL Scan and Banner Grab tools described in this article are being updated, together with graphical versions of both. Banner Grab now also includes a port scanner to identify the live ports on a device before the banner grabbing is performed.
The Free Tool Team has also been updating our other tools, such as IP Calculator, which now includes IPv6 support and provides much more address detail. Pre-compiled binary packages will also be available for Windows, Linux and Mac systems, making all of the tools much easier to use. For more information on our full portfolio of free tools, visit our website.