[Research] Fixing the "64-bit block cipher 3DES vulnerable to SWEET32 attack" finding on Windows Remote Desktop (port 3389)
2021-06-03
Target under test: Windows Server 2019 + Remote Desktop
Scanning host: Windows 10 + nmap 7.91
********************************************************************************
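Preface: I had already used IIS Crypto to disable insecure ciphers on many machines, but recent scans reported them as unconfigured again; the settings had reverted. I don't know whether Windows Update or something else caused this (does every Windows Update restore the defaults, or only some?). Of the 5 machines I checked, only 2 had reverted, so it does not happen on every machine.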
********************************************************************************
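Enable Remote Desktop on Windows Server 2019 Standard
From Windows 10, scan the Windows Server 2019 host with nmap 7.91
You can also run the scan from the Command Prompt and write the results to a .txt file
nmap --script ssl-cert,ssl-enum-ciphers -p 3389 -o C:\Temp\3389-1.txt 192.168.128.132
Text of the scan results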
# Nmap 7.91 scan initiated Thu Jun 03 10:55:51 2021 as: nmap --script ssl-cert,ssl-enum-ciphers -p 3389 -o C:\\Temp\\3389-1.txt 192.168.128.132
Nmap scan report for 192.168.128.132
Host is up (0.014s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-cert: Subject: commonName=WIN2019
| Issuer: commonName=WIN2019
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-02T02:51:17
| Not valid after:  2021-12-02T02:51:17
| MD5:   e710 4198 ebcb 5e97 c634 e792 4485 09a3
|_SHA-1: 2366 f64c 1859 57d5 98f3 fef7 37a2 e97d 7ebe 9ce3
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
MAC Address: 00:0C:29:86:4E:8D (VMware)

# Nmap done at Thu Jun 03 10:55:52 2021 -- 1 IP address (1 host up) scanned in 1.05 seconds
********************************************************************************
Apply the settings with a tool (or edit the registry manually with regedit.exe)
IIS Crypto 3.2 Build 16 - Released April 11, 2020
********************************************************************************
# Nmap 7.91 scan initiated Thu Jun 03 11:02:47 2021 as: nmap --script ssl-cert,ssl-enum-ciphers -p 3389 -o C:\\Temp\\3389-2.txt 192.168.128.132
Nmap scan report for 192.168.128.132
Host is up (0.00s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-cert: Subject: commonName=WIN2019
| Issuer: commonName=WIN2019
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-02T02:51:17
| Not valid after:  2021-12-02T02:51:17
| MD5:   e710 4198 ebcb 5e97 c634 e792 4485 09a3
|_SHA-1: 2366 f64c 1859 57d5 98f3 fef7 37a2 e97d 7ebe 9ce3
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
MAC Address: 00:0C:29:86:4E:8D (VMware)

# Nmap done at Thu Jun 03 11:02:48 2021 -- 1 IP address (1 host up) scanned in 0.78 seconds
(Figure below) Connecting with Remote Desktop: success
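Because the preface notes that these settings can silently revert, the saved scan file can be re-checked automatically. The following is an added example, not part of the original post: a small parser for nmap's ssl-enum-ciphers text output that reports legacy protocol versions and 64-bit block ciphers. The names parse, findings and SAMPLE are hypothetical, and the sample text is constructed in the layout of the scans above.

```python
import re

# Constructed sample, trimmed, in the layout of nmap's ssl-enum-ciphers output.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|_  least strength: C
"""

PROTO = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|[ _]+(TLS_\w+|SSL_\w+)\s+\(.*?\)\s+-\s+([A-F])\s*$")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
BLOCK64 = ("3DES", "_DES_", "IDEA", "RC2")  # 64-bit block ciphers (SWEET32)

def parse(text):
    """Return {protocol: [(cipher, grade), ...]} from ssl-enum-ciphers output."""
    result, current = {}, None
    for line in text.splitlines():
        proto, cipher = PROTO.match(line), CIPHER.match(line)
        if proto:
            current = proto.group(1)
            result[current] = []
        elif cipher and current:
            result[current].append(cipher.groups())
    return result

def findings(text):
    """List of findings; an empty list means the hardening still holds."""
    out = []
    for proto, ciphers in parse(text).items():
        if proto in WEAK_PROTOCOLS:
            out.append(f"{proto} is enabled")
        for name, grade in ciphers:
            if any(tag in name for tag in BLOCK64):
                out.append(f"{proto}: {name} uses a 64-bit block cipher (SWEET32)")
            elif grade != "A":
                out.append(f"{proto}: {name} is graded {grade}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)) or "no findings")
```

Feeding it the contents of a scheduled scan's output file and alerting on a non-empty result catches a host whose Schannel settings have gone back to the defaults.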
********************************************************************************
(End)