When you troubleshoot TLS connection issues in an ePO environment, it's often necessary to determine which protocols and cipher suites are offered by a service or process. A common tool used for this is the open-source tool nmap, which this article describes. The nmap tool is capable of much more than just TLS scanning, and so it is often not permitted. In such cases, you can use the open-source tool sslscan, which only scans for TLS details and nothing else. For details, see KB96632 - How to use the 'sslscan' tool to determine which protocols and cipher suites are in use in an ePolicy Orchestrator environment.
NOTE: The examples below are given for when nmap is run on a Windows system. It's also available for other operating systems, and the command line is the same.
- Obtain and install the latest version of nmap from the Nmap website. The nmap tool doesn't have to be installed on the same system as the port that you want to query, but it must be installed on a system that can connect to the target system.
Example: If you're troubleshooting connections between an ePO server and SQL Server, you don't have to install nmap on the SQL Server itself.
WARNING:
- It's not recommended that you install the full version of nmap on the ePO server or the SQL Server. The full installation using the executable installer includes the npcap packet capture library. The full install creates a new network adaptor, which is used by the ePO server or SQL Server. It can cause disruption with services connecting to those servers. For this reason, we recommend that you install the full version of nmap on a separate system that can access the target that you want to scan.
- If it's not possible to use a separate system, and you must use the ePO server, we recommend that you install the command-line version. The command-line version doesn't install the npcap library automatically. You must install the Visual C++ 2013 Redistributable package from Microsoft.
- On the system where you've installed nmap, open a command window as an administrator:
- Press Windows+R.
- In the Run box, type cmd, and then press Ctrl+Shift+Enter.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Navigate to the folder where nmap is installed.
NOTE: The command used by nmap requires the following pieces of information:
- The host name or IP address of the system that's hosting the service that you want to query.
- The port to connect to, which is the port that the service is listening on.
- Run the following command:
nmap -sV --script ssl-enum-ciphers -p [port] [host_name]
Here:
- [port] is the port to scan.
- [host_name] is the name or IP address of the target system.
Example: If you want to scan an SQL Server on a system called SQLServer that's listening on port 1433, the command would be as follows:
nmap -sV --script ssl-enum-ciphers -p 1433 SQLServer
The above command scans the relevant port and outputs the results to the command window.
When you want to save the results to a file, you can perform either of the actions below:
- Cut and paste from the command window.
- Run the command again and redirect the output to a file.
For example:
nmap -sV --script ssl-enum-ciphers -p 1433 SQLServer > C:\Ciphers.txt
The above command saves the results to C:\Ciphers.txt.
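Once the output is saved to a file, a short script can pull the offered protocol versions and the script's per-cipher grades out of it for review. The following Python example is added here and is not part of the KB article or of nmap: its sample text is constructed to follow the ssl-enum-ciphers report layout, and the list of protocol versions it treats as deprecated is an assumed policy, not something the article states.

```python
import re

# Constructed sample of what the saved C:\Ciphers.txt might contain. The line layout
# follows the ssl-enum-ciphers report format (protocol header, then one
# "NAME (key exchange) - GRADE" line per cipher); host, version string and cipher
# list are made up for this example and are not real scan results.
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server (constructed sample)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: C
"""

# Protocol versions that should no longer be offered (assumed policy for this example).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(.*?\)\s+-\s+([A-F])\s*$")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [(cipher_name, grade), ...]} from saved nmap output."""
    result, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:  # new protocol section, e.g. "|   TLSv1.2:"
            current = proto.group(1)
            result[current] = []
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current is not None:  # cipher line under the current protocol
            result[current].append((cipher.group(1), cipher.group(2)))
    return result


def review(parsed):
    """List deprecated protocols and any cipher the script graded below A."""
    findings = []
    for proto, ciphers in parsed.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol offered: {proto}")
        findings += [f"{proto}: {name} graded {grade}" for name, grade in ciphers if grade != "A"]
    return findings
```

To check a real scan, read C:\Ciphers.txt into a string and pass it to parse_ssl_enum_ciphers in place of SAMPLE_OUTPUT.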