powerpipe control run net_insights.control.ssl_avoid_using_cbc_cipher_suite
powerpipe login
powerpipe control run net_insights.control.ssl_avoid_using_cbc_cipher_suite --share
with domain_list as (
select domain, concat(domain, ':443') as address from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
See AlsoKali Linux Intrusion and Exploitation CookbookSecurity Advisory 2868725: Recommendation to disable RC4Weak SSH Algorithms Discovered | ThreatMonA few tools I use to work with TLS on Windowscheck_cbc_cipher as (
select
address,
count(*)
from
net_tls_connection
where
address in (select address from domain_list)
and version in ('TLS v1.2', 'TLS v1.1', 'TLS v1.0')
and cipher_suite_name in ('TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
and handshake_completed
group by address
)
select
d.domain as resource,
case
when i.address is null or i.count < 1 then 'ok'
else 'alarm'
end as status,
case
when i.address is null or i.count < 1 then d.domain || ' does not use CBC cipher suites.'
else d.domain || ' uses CBC cipher suites.'
end as reason
from
domain_list as d
left join check_cbc_cipher as i on d.address = i.address;