다음 명령을 사용하여 제공된 비밀번호를 확인하려고 합니다 nmap.
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 14:52 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
잘 작동하지만 단일 경우에는 다음과 같습니다.
- macOS의 Fedora 35(host1.example.org)
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 14:52 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
- Fedora 35(host2.example.org)의 Fedora 35(host1.example.org)
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-13 14:55 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.013s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
- 동일한 방향을 가진 다른 기계. Fedora 35(host1.example.org)의 Fedora 35(host2.example.org)
$ nmap -Pn --script ssl-enum-ciphers host2.example.org -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-13 14:56 CET
Nmap scan report for host2.example.org (138.201.94.172)
Host is up (0.013s latency).
Other addresses for host2.example.org (not scanned): 2a01:4f8:c17:cbd8::2
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
host1.example.org두 Fedora 시스템이 macOS에서 결과를 제공하지만 스캔할 때는 결과를 제공하지 않는 이유를 정말로 이해하지 못합니다. host2.example.org둘 다 동일한 방식으로 구성되어야 합니다.
문제를 어떻게 디버그하나요?
답변1
host1TLS 1.3만 제공됩니다. 저는 nmap7.91(TLS 1.3을 지원하지 않음)과 7.92(TLS 1.3을 지원함)의 두 가지 버전을 사용하고 있습니다.