Sunday, 30 June 2013

SSLv2 Depreciated Protocol - Validating the Findings

In this post, we will look at some tools used to analyze whether the web server is using SSL version 2.



SSLv2 Depereciated Protocol as stated by Acunetix
Ref: http://www.acunetix.com/vulnerabilities/ssl-2-0-deprecated-protoc/

Description
The remote service encrypts traffic using an old deprecated protocol with known weaknesses.

Detailed Information
The remote service accepts connections encrypted using SSL 2.0, which suffers from several cryptographic flaws and has been deprecated.

Impact
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Recommendation
Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

OWASP Testing Guide

Testing for SSL-TLS (OWASP-CM-001)


THE TOOLS 

Using Nmap on BackTrack
#nmap -sV -p 443 --script sslv2 <host>


Using SSLscan on BackTrack
#sslscan --no-failed <host>


Using Openssl on BackTrack
#openssl s_client -sslv2 -host <target> -port 443


Using SSL Audit


Using Qualys
Note: Be aware of using the online Qualys SSL checker as it will stay permanently in the Qualys result database and will be made publicly available. 


Result of the online Qualys SSL Checker


Using Acunetix



THE SOLUTION: DISABLING SSLv2


1) Disable SSLv2 and Weak Ciphers

2) Disable SSLv2 on Windows Server 2008 (IIS 6 and 7)

3) Disable SSLv2 and Force to use SSLv3 and TLS v1 in IIS


4) Disabling Weak SSL Protocol and Ciphers in IIS

5) Disabling SSLv2 in IIS 7

6) Official M$ guide to Disable SSLv2

7) Disabling SSLv2 in IIS 7 and 7.5

No comments:

Post a Comment