Powerpipe Hub (2024)

powerpipe control run net_insights.control.ssl_avoid_using_cbc_cipher_suite

powerpipe login
powerpipe control run net_insights.control.ssl_avoid_using_cbc_cipher_suite --share

with domain_list as (
 select domain, concat(domain, ':443') as address from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
See Also
Kali Linux Intrusion and Exploitation CookbookSecurity Advisory 2868725: Recommendation to disable RC4Weak SSH Algorithms Discovered | ThreatMonA few tools I use to work with TLS on Windows
check_cbc_cipher as (
 select
 address,
 count(*)
 from
 net_tls_connection
 where
 address in (select address from domain_list)
See Also
SSH Weak Key Exchange Algorithms Enabled (Linux) Vulnerability | Defense.com Help Centre
 and version in ('TLS v1.2', 'TLS v1.1', 'TLS v1.0')
 and cipher_suite_name in ('TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
 and handshake_completed
 group by address
)
select
 d.domain as resource,
 case
 when i.address is null or i.count < 1 then 'ok'
 else 'alarm'
 end as status,
 case
 when i.address is null or i.count < 1 then d.domain || ' does not use CBC cipher suites.'
 else d.domain || ' uses CBC cipher suites.'
 end as reason
from
 domain_list as d
 left join check_cbc_cipher as i on d.address = i.address;