SSL/TLS Version Detection - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssl/ssl_version metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SSL/TLS Version Detection
Module: auxiliary/scanner/ssl/ssl_version
Source code: modules/auxiliary/scanner/ssl/ssl_version.rb
Disclosure date: 2014-10-14
Last modification time: 2022-11-05 07:23:14 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 443
List of CVEs: CVE-2011-3389, CVE-2013-2566, CVE-2014-3566, CVE-2015-4000, CVE-2016-0800, CVE-2022-3358
Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssl/ssl_version
msf auxiliary(ssl_version) > show options
... show and set options ...
msf auxiliary(ssl_version) > set RHOSTS ip-range
msf auxiliary(ssl_version) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(ssl_version) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(ssl_version) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(ssl_version) > set RHOSTS file:/tmp/ip_list.txt
Required Options
RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT: The target port
Knowledge Base
Vulnerable Application
Description
Check if a server supports a given version of SSL/TLS and cipher suites.
The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
Options
SSLVersion
Which SSL/TLS Version to use. all
implies all SSL/TLS versions which are usable by the metasploit + ruby + OpenSSL
versions installed on the system. List is dynamically generated. Defaults to all
SSLCipher
Which SSL/TLS Cipher to use. all
implies all ciphers avaiable for the version of SSL/TLS being used and which
are usable by the metasploit + ruby + OpenSSL versions installed on the system.
List is dynamically generated. Defaults to all
Verification Steps
- Do:
use auxiliary/scanner/ssl/ssl_version
- Do:
set RHOSTS [IP]
- Do:
set THREADS [num of threads]
- Do:
run
Scenarios
No issues found
An example run against google.com
, no real issues as expected.
msf6 > use auxiliary/scanner/ssl/ssl_version
msf6 auxiliary(scanner/ssl/ssl_version) > set RHOSTS 172.217.12.238
RHOSTS => 172.217.12.238
msf6 auxiliary(scanner/ssl/ssl_version) > run
[+] 172.217.12.238:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
[+] 172.217.12.238:443 - Certificate saved to loot: /home/gwillcox/.msf4/loot/20221107150747_default_172.217.12.238_ssl.certificate_342145.txt
[*] 172.217.12.238:443 - Certificate Information:
[*] 172.217.12.238:443 - Subject: /CN=*.google.com
[*] 172.217.12.238:443 - Issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
[*] 172.217.12.238:443 - Signature Alg: sha256WithRSAEncryption
[*] 172.217.12.238:443 - Public Key Size: 2048 bits
[*] 172.217.12.238:443 - Not Valid Before: 2022-10-17 08:16:43 UTC
[*] 172.217.12.238:443 - Not Valid After: 2023-01-09 08:16:42 UTC
[*] 172.217.12.238:443 - CA Issuer: http://pki.goog/repo/certs/gts1c3.der
[*] 172.217.12.238:443 - Has common name *.google.com
[+] 172.217.12.238:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[+] 172.217.12.238:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 172.217.12.238:443 - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[+] 172.217.12.238:443 - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
[*] 172.217.12.238:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssl/ssl_version) > show options
Module options (auxiliary/scanner/ssl/ssl_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.217.12.238 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SSLCipher All yes SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-A
ES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-
SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES1
28-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-
RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY1305, ECDHE-PSK-C
HACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, AES128-GCM-SHA256,
PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA,
RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SHA384, PSK-AES256-CBC-SHA
, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256, DHE-PSK-AES128-CBC-SHA256
, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA)
SSLVersion All yes SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/ssl/ssl_version) >
Expired certificate
msf6 > use auxiliary/scanner/ssl/ssl_version
msf6 auxiliary(scanner/ssl/ssl_version) > set RHOSTS expired.badssl.com
RHOSTS => expired.badssl.com
msf6 auxiliary(scanner/ssl/ssl_version) > run
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
[+] 104.154.89.105:443 - Certificate saved to loot: /home/gwillcox/.msf4/loot/20221107150939_default_104.154.89.105_ssl.certificate_786557.txt
[*] 104.154.89.105:443 - Certificate Information:
[*] 104.154.89.105:443 - Subject: /C=US/ST=California/L=San Francisco/O=BadSSL Fallback. Unknown subdomain or no SNI./CN=badssl-fallback-unknown-subdomain-or-no-sni
[*] 104.154.89.105:443 - Issuer: /C=US/ST=California/L=San Francisco/O=BadSSL/CN=BadSSL Intermediate Certificate Authority
[*] 104.154.89.105:443 - Signature Alg: sha256WithRSAEncryption
[*] 104.154.89.105:443 - Public Key Size: 2048 bits
[*] 104.154.89.105:443 - Not Valid Before: 2016-08-08 21:17:05 UTC
[*] 104.154.89.105:443 - Not Valid After: 2018-08-08 21:17:05 UTC
[+] 104.154.89.105:443 - Certificate contains no CA Issuers extension... possible self signed certificate
[*] 104.154.89.105:443 - Has common name badssl-fallback-unknown-subdomain-or-no-sni
[+] 104.154.89.105:443 - Certificate expired: 2018-08-08 21:17:05 UTC
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-GCM-SHA384
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-GCM-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: AES256-SHA256
[+] 104.154.89.105:443 - Connected with SSL Version: TLSv1.2, Cipher: AES128-SHA256
[*] expired.badssl.com:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssl/ssl_version) > show options
Module options (auxiliary/scanner/ssl/ssl_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS expired.badssl.com yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SSLCipher All yes SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RS
A-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES12
8-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-E
CDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128
-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY13
05, ECDHE-PSK-CHACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256,
AES128-GCM-SHA256, PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA,
SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SH
A384, PSK-AES256-CBC-SHA, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256
, DHE-PSK-AES128-CBC-SHA256, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA)
SSLVersion All yes SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/ssl/ssl_version) >
Go back to menu.
Msfconsole Usage
Here is how the scanner/ssl/ssl_version auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssl/ssl_version
msf6 auxiliary(scanner/ssl/ssl_version) > show info
Name: SSL/TLS Version Detection
Module: auxiliary/scanner/ssl/ssl_version
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2014-10-14
Provided by:
todb <[email protected]>
et <[email protected]>
Chris John Riley
Veit Hailperin <[email protected]>
h00die
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SSLCipher All yes SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA
-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA2
0-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256
, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA
256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-
RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK
-CHACHA20-POLY1305, ECDHE-PSK-CHACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AE
S128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, AES128-GCM-SHA256, PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PS
K-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA384, DHE-
PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SHA384, PSK-AES256-CBC-SHA
, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SH
A256, DHE-PSK-AES128-CBC-SHA256, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES1
28-CBC-SHA)
SSLVersion All yes SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
Check if a server supports a given version of SSL/TLS and cipher
suites. The certificate is stored in loot, and any known
vulnerabilities against that SSL version and cipher suite
combination are checked. These checks include POODLE, deprecated
protocols, expired/not valid certs, low key strength, null cipher
suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable
ciphers, LOGJAM, and BEAST.
References:
https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://nvd.nist.gov/vuln/detail/CVE-2014-3566
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://datatracker.ietf.org/doc/rfc8996/
https://datatracker.ietf.org/doc/html/rfc6176
https://datatracker.ietf.org/doc/html/rfc7568
https://www.win.tue.nl/hashclash/rogue-ca/
https://cwe.mitre.org/data/definitions/328.html
https://drownattack.com/
https://nvd.nist.gov/vuln/detail/CVE-2016-0800
https://nvd.nist.gov/vuln/detail/CVE-2011-3389
http://www.isg.rhul.ac.uk/tls/
https://nvd.nist.gov/vuln/detail/CVE-2013-2566
https://nvd.nist.gov/vuln/detail/CVE-2015-4000
https://nvd.nist.gov/vuln/detail/CVE-2022-3358
https://cwe.mitre.org/data/definitions/319.html
https://cwe.mitre.org/data/definitions/298.html
https://cwe.mitre.org/data/definitions/327.html
https://cwe.mitre.org/data/definitions/326.html
View the full module info with the info -d command.
Module Options
This is a complete list of options available in the scanner/ssl/ssl_version auxiliary module:
msf6 auxiliary(scanner/ssl/ssl_version) > show options
Module options (auxiliary/scanner/ssl/ssl_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SSLCipher All yes SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDS
A-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACH
A20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA
256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128
-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, E
CDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, D
HE-PSK-CHACHA20-POLY1305, ECDHE-PSK-CHACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA
-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, AES128-GCM-SHA256, PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256,
ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA
384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SHA384, PSK-AES2
56-CBC-SHA, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AE
S128-CBC-SHA256, DHE-PSK-AES128-CBC-SHA256, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA2
56, PSK-AES128-CBC-SHA)
SSLVersion All yes SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssl/ssl_version auxiliary module:
msf6 auxiliary(scanner/ssl/ssl_version) > show advanced
Module advanced options (auxiliary/scanner/ssl/ssl_version):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL true no Negotiate SSL/TLS for outgoing connections
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
View the full module info with the info, or info -d command.
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssl/ssl_version module can do:
msf6 auxiliary(scanner/ssl/ssl_version) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/ssl/ssl_version auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/ssl/ssl_version) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
SSL Connection Error: <E>
Here is a relevant code snippet related to the "SSL Connection Error: <E>" error message:
487: end
488: rescue ::OpenSSL::SSL::SSLError => e
489: error_message = e.message.match(/ state=(.+)$/)
490:
491: if error_message.nil?
492: vprint_error("\tSSL Connection Error: #{e}")
493: next
494: end
495:
496: # catch if the ssl_version/protocol isn't allowed and then we can skip out of it.
497: if error_message[1].include? 'no protocols available'
no protocols available
Here is a relevant code snippet related to the "no protocols available" error message:
492: vprint_error("\tSSL Connection Error: #{e}")
493: next
494: end
495:
496: # catch if the ssl_version/protocol isn't allowed and then we can skip out of it.
497: if error_message[1].include? 'no protocols available'
498: skip_ssl_version = true
499: vprint_error("\tDoesn't accept #{version} connections, Skipping")
500: break
501: end
502: vprint_error("\tDoes not accept #{version} using cipher #{cipher}, error message: #{error_message[1]}")
Doesn't accept <VERSION> connections, Skipping
Here is a relevant code snippet related to the "Doesn't accept <VERSION> connections, Skipping" error message:
494: end
495:
496: # catch if the ssl_version/protocol isn't allowed and then we can skip out of it.
497: if error_message[1].include? 'no protocols available'
498: skip_ssl_version = true
499: vprint_error("\tDoesn't accept #{version} connections, Skipping")
500: break
501: end
502: vprint_error("\tDoes not accept #{version} using cipher #{cipher}, error message: #{error_message[1]}")
503: rescue ArgumentError => e
504: if e.message.match(%r{This version of Ruby does not support the requested SSL/TLS version})
Does not accept <VERSION> using cipher <CIPHER>, error message: <ERROR_MESSAGE:1>
Here is a relevant code snippet related to the "Does not accept <VERSION> using cipher <CIPHER>, error message: <ERROR_MESSAGE:1>" error message:
497: if error_message[1].include? 'no protocols available'
498: skip_ssl_version = true
499: vprint_error("\tDoesn't accept #{version} connections, Skipping")
500: break
501: end
502: vprint_error("\tDoes not accept #{version} using cipher #{cipher}, error message: #{error_message[1]}")
503: rescue ArgumentError => e
504: if e.message.match(%r{This version of Ruby does not support the requested SSL/TLS version})
505: skip_ssl_version = true
506: vprint_error("\t#{e.message}, Skipping")
507: break
<E.MESSAGE>, Skipping
Here is a relevant code snippet related to the "<E.MESSAGE>, Skipping" error message:
501: end
502: vprint_error("\tDoes not accept #{version} using cipher #{cipher}, error message: #{error_message[1]}")
503: rescue ArgumentError => e
504: if e.message.match(%r{This version of Ruby does not support the requested SSL/TLS version})
505: skip_ssl_version = true
506: vprint_error("\t#{e.message}, Skipping")
507: break
508: end
509: print_error("Exception encountered: #{e}")
510: rescue StandardError => e
511: if e.message.match(/connection was refused/) || e.message.match(/timed out/)
Exception encountered: <E>
Here is a relevant code snippet related to the "Exception encountered: <E>" error message:
504: if e.message.match(%r{This version of Ruby does not support the requested SSL/TLS version})
505: skip_ssl_version = true
506: vprint_error("\t#{e.message}, Skipping")
507: break
508: end
509: print_error("Exception encountered: #{e}")
510: rescue StandardError => e
511: if e.message.match(/connection was refused/) || e.message.match(/timed out/)
512: print_error("\tPort closed or timeout occured.")
513: return 'Port closed or timeout occured.'
514: end
Port closed or timeout occured.
Here is a relevant code snippet related to the "Port closed or timeout occured." error message:
507: break
508: end
509: print_error("Exception encountered: #{e}")
510: rescue StandardError => e
511: if e.message.match(/connection was refused/) || e.message.match(/timed out/)
512: print_error("\tPort closed or timeout occured.")
513: return 'Port closed or timeout occured.'
514: end
515: print_error("\tException encountered: #{e}")
516: ensure
517: disconnect
Exception encountered: <E>
Here is a relevant code snippet related to the "Exception encountered: <E>" error message:
510: rescue StandardError => e
511: if e.message.match(/connection was refused/) || e.message.match(/timed out/)
512: print_error("\tPort closed or timeout occured.")
513: return 'Port closed or timeout occured.'
514: end
515: print_error("\tException encountered: #{e}")
516: ensure
517: disconnect
518: end
519: end
520: end
Go back to menu.
Related Pull Requests
References
- https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
- CVE-2014-3566
- https://www.openssl.org/~bodo/ssl-poodle.pdf
- https://datatracker.ietf.org/doc/rfc8996/
- https://datatracker.ietf.org/doc/html/rfc6176
- https://datatracker.ietf.org/doc/html/rfc7568
- https://www.win.tue.nl/hashclash/rogue-ca/
- CWE-328
- https://drownattack.com/
- CVE-2016-0800
- CVE-2011-3389
- http://www.isg.rhul.ac.uk/tls/
- CVE-2013-2566
- CVE-2015-4000
- CVE-2022-3358
- CWE-319
- CWE-298
- CWE-327
- CWE-326
See Also
Check also the following modules related to this module:
- auxiliary/scanner/http/ssl_version
- auxiliary/scanner/ssl/bleichenbacher_oracle
- auxiliary/scanner/ssl/openssl_ccs
- auxiliary/scanner/ssl/openssl_heartbleed
- exploit/windows/backupexec/ssl_uaf
- auxiliary/dos/ssl/dtls_changecipherspec
- auxiliary/dos/ssl/dtls_fragment_overflow
- auxiliary/dos/ssl/openssl_aesni
- exploit/windows/ssl/ms04_011_pct
- auxiliary/dos/http/sonicwall_ssl_format
- auxiliary/gather/fortios_vpnssl_traversal_creds_leak
- auxiliary/gather/impersonate_ssl
- auxiliary/gather/ssllabs_scan
- auxiliary/scanner/http/cisco_ssl_vpn
- auxiliary/scanner/http/cisco_ssl_vpn_priv_esc
- auxiliary/scanner/http/fortinet_ssl_vpn
- auxiliary/scanner/http/ssl
- auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
- auxiliary/server/openssl_altchainsforgery_mitm_proxy
- auxiliary/server/openssl_heartbeat_client_memory
Authors
- todb
- et
- Chris John Riley
- Veit Hailperin <hailperv[at]gmail.com>
- h00die
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.