Showing posts with label tools. Show all posts

Sunday, 30 June 2013

SSLv2 Deprecated Protocol - Validating the Findings

In this post, we will look at some tools used to analyze whether the web server is using SSL version 2.



SSLv2 Deprecated Protocol as stated by Acunetix
Ref: http://www.acunetix.com/vulnerabilities/ssl-2-0-deprecated-protoc/

Description
The remote service encrypts traffic using an old deprecated protocol with known weaknesses.

Detailed Information
The remote service accepts connections encrypted using SSL 2.0, which suffers from several cryptographic flaws and has been deprecated.

Impact
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Recommendation
Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

OWASP Testing Guide

Testing for SSL-TLS (OWASP-CM-001)


THE TOOLS 

Using Nmap on BackTrack
#nmap -sV -p 443 --script sslv2 <host>


Using SSLscan on BackTrack
#sslscan --no-failed <host>


Using Openssl on BackTrack
#openssl s_client -sslv2 -host <target> -port 443


Using SSL Audit


Using Qualys
Note: Be careful when using the online Qualys SSL checker: the scan result stays permanently in the Qualys result database and will be made publicly available.


Result of the online Qualys SSL Checker


Using Acunetix



THE SOLUTION: DISABLING SSLv2


1) Disable SSLv2 and Weak Ciphers

2) Disable SSLv2 on Windows Server 2008 (IIS 6 and 7)

3) Disable SSLv2 and Force to use SSLv3 and TLS v1 in IIS


4) Disabling Weak SSL Protocol and Ciphers in IIS

5) Disabling SSLv2 in IIS 7

6) Official M$ guide to Disable SSLv2

7) Disabling SSLv2 in IIS 7 and 7.5

Sunday, 23 June 2013

MSSQL Enumeration - Using Open Source/Freeware Tools

In this article, we will demonstrate how to find available M$ SQL servers within a network range and enumerate them, that is, gather information about them.


Using Metasploit

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS <IP Address/range>
msf auxiliary(mssql_ping) > set THREADS 10
msf auxiliary(mssql_ping) > run



Using Nessus Cmd
#nessuscmd -i 10674 <IP range> --max-hosts 25




Using Nmap
#nmap -p 1434 --script ms-sql-info --script-args mssql.instance-port=1434 <IP range>


Using SQLRecon



Result of the Scan


Using SQL Ping v3
SQL Ping v3 and SQL Recon have the same interface. The difference is that SQL Ping v3 has an additional option for brute-forcing passwords, with the ability to supply a user list and a password list.


Result of the Scan


I will find more tools that can be used to gather information for SQL servers and will list them down here in future. If there's anything out there you readers are aware of, do share!