Introduce
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Script
ssl-cert
$ nmap --script ssl-cert -p 443 <host>
Example:
$ nmap --script ssl-cert -p 443 github.com
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-28 23:44 CST
Nmap scan report for github.com (192.30.253.113)
Host is up (0.66s latency).
Other addresses for github.com (not scanned): 192.30.253.112
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=github.com/organizationName=GitHub, Inc./stateOrProvinceName=California/countryName=US
| Issuer: commonName=DigiCert SHA2 Extended Validation Server CA/organizationName=DigiCert Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2016-03-10T00:00:00+00:00
| Not valid after: 2018-05-17T12:00:00+00:00
| MD5: b890 fabe 8bb6 3625 899e 1e00 4981 4797
|_SHA-1: d79f 0761 10b3 9293 e349 ac89 845b 0380 c19e 2f8b
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
ssl-enum-ciphers
$ nmap --script ssl-enum-ciphers -p 443 <host>
Sample:
$ nmap --script ssl-enum-ciphers -p 443 github.com
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-26 14:40 CST
Nmap scan report for github.com (192.30.253.113)
Host is up (0.51s latency).
Other addresses for github.com (not scanned): 192.30.253.112
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 23.34 seconds