Tools - SSLyze
Alasta 26 Juillet 2016 tools bash collecte tools Linux Open Source Security shell kali ssl
Description : Nous allons utiliser SSLyze pour découvrir les ciphers supportés par un service SSL/TLS.
Rappel :
Attention dans cet article l'outils est utilisé pour la recherche et l'apprentissage. Ce type d'outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).
Environnement de test :
Pour cela nous allons utiliser une VM tournant sur la distribution Kali. SSLyze est installé de base sur Kali.
Utilisation :
La commande et ses options
1 root@kali:~# sslyze -h
2 Usage: sslyze.py [options] target1.com target2.com:443 etc...
3
4 Options:
5 --version show program's version number and exit
6 -h, --help show this help message and exit
7 --xml_out=XML_FILE Writes the scan results as an XML document to the file
8 XML_FILE. If XML_FILE is set to "-", the XML output
9 will instead be printed to stdout.
10 --targets_in=TARGETS_IN
11 Reads the list of targets to scan from the file
12 TARGETS_IN. It should contain one host:port per line.
13 --timeout=TIMEOUT Sets the timeout value in seconds used for every
14 socket connection made to the target server(s).
15 Default is 5s.
16 --nb_retries=NB_RETRIES
17 Sets the number retry attempts for all network
18 connections initiated throughout the scan. Increase
19 this value if you are getting a lot of
20 timeout/connection errors when scanning a specific
21 server. Decrease this value to increase the speed of
22 the scans; results may however return connection
23 errors. Default is 4 connection attempts.
24 --https_tunnel=HTTPS_TUNNEL
25 Tunnels all traffic to the target server(s) through an
26 HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's
27 URL: 'http://USER:PW@HOST:PORT/'. For proxies
28 requiring authentication, only Basic Authentication is
29 supported.
30 --starttls=STARTTLS Performs StartTLS handshakes when connecting to the
31 target server(s). STARTTLS should be one of: ['smtp',
32 'xmpp', 'xmpp_server', 'pop3', 'ftp', 'imap', 'ldap',
33 'rdp', 'postgres', 'auto']. The 'auto' option will
34 cause SSLyze to deduce the protocol (ftp, imap, etc.)
35 from the supplied port number, for each target
36 servers.
37 --xmpp_to=XMPP_TO Optional setting for STARTTLS XMPP. XMPP_TO should be
38 the hostname to be put in the 'to' attribute of the
39 XMPP stream. Default is the server's hostname.
40 --sni=SNI Use Server Name Indication to specify the hostname to
41 connect to. Will only affect TLS 1.0+ connections.
42 --quiet Hide script standard outputs. Will only affect script
43 output if --xml_out is set.
44 --regular Regular HTTPS scan; shortcut for --sslv2 --sslv3
45 --tlsv1 --tlsv1_1 --tlsv1_2 --reneg --resum
46 --certinfo=basic --http_get --hide_rejected_ciphers
47 --compression --heartbleed
48
49 Client certificate support:
50 --cert=CERT Client certificate chain filename. The certificates
51 must be in PEM format and must be sorted starting with
52 the subject's client certificate, followed by
53 intermediate CA certificates if applicable.
54 --key=KEY Client private key filename.
55 --keyform=KEYFORM Client private key format. DER or PEM (default).
56 --pass=KEYPASS Client private key passphrase.
57
58 PluginSessionResumption:
59 Analyzes the target server's SSL session resumption capabilities.
60
61 --resum Tests the server(s) for session resumption support
62 using session IDs and TLS session tickets (RFC 5077).
63 --resum_rate Performs 100 session resumptions with the server(s),
64 in order to estimate the session resumption rate.
65
66 PluginCompression:
67 --compression Tests the server(s) for Zlib compression support.
68
69 PluginCertInfo:
70 --certinfo=CERTINFO
71 Verifies the validity of the server(s) certificate(s)
72 against various trust stores, checks for support for
73 OCSP stapling, and prints relevant fields of the
74 certificate. CERTINFO should be 'basic' or 'full'.
75 --ca_file=CA_FILE Local Certificate Authority file (in PEM format), to
76 verify the validity of the server(s) certificate(s)
77 against.
78
79 PluginHeartbleed:
80 --heartbleed Tests the server(s) for the OpenSSL Heartbleed
81 vulnerability (experimental).
82
83 PluginSessionRenegotiation:
84 --reneg Tests the server(s) for client-initiated renegotiation
85 and secure renegotiation support.
86
87 PluginHSTS:
88 --hsts Checks support for HTTP Strict Transport Security
89 (HSTS) by collecting any Strict-Transport-Security
90 field present in the HTTP response sent back by the
91 server(s).
92
93 PluginChromeSha1Deprecation:
94 --chrome_sha1 Determines if the server will be affected by Google
95 Chrome's SHA-1 deprecation plans. See
96 http://googleonlinesecurity.blogspot.com/2014/09
97 /gradually-sunsetting-sha-1.html for more information
98
99 PluginOpenSSLCipherSuites:
100 Scans the server(s) for supported OpenSSL cipher suites.
101
102 --sslv2 Lists the SSL 2.0 OpenSSL cipher suites supported by
103 the server(s).
104 --sslv3 Lists the SSL 3.0 OpenSSL cipher suites supported by
105 the server(s).
106 --tlsv1 Lists the TLS 1.0 OpenSSL cipher suites supported by
107 the server(s).
108 --tlsv1_1 Lists the TLS 1.1 OpenSSL cipher suites supported by
109 the server(s).
110 --tlsv1_2 Lists the TLS 1.2 OpenSSL cipher suites supported by
111 the server(s).
112 --http_get Option - For each cipher suite, sends an HTTP GET
113 request after completing the SSL handshake and returns
114 the HTTP status code.
115 --hide_rejected_ciphers
116 Option - Hides the (usually long) list of cipher
117 suites that were rejected by the server(s).
La commande de base
1 root@kali:~# sslyze --regular mail.google.com
2
3
4
5 AVAILABLE PLUGINS
6 -----------------
7
8 PluginCertInfo
9 PluginSessionRenegotiation
10 PluginSessionResumption
11 PluginCompression
12 PluginChromeSha1Deprecation
13 PluginOpenSSLCipherSuites
14 PluginHSTS
15 PluginHeartbleed
16
17
18
19 CHECKING HOST(S) AVAILABILITY
20 -----------------------------
21
22 mail.google.com:443 => 216.58.211.69:443
23
24
25
26 SCAN RESULTS FOR MAIL.GOOGLE.COM:443 - 216.58.211.69:443
27 --------------------------------------------------------
28
29 Deflate Compression:
30 OK - Compression disabled
31
32 Session Renegotiation:
33 Client-initiated Renegotiations: OK - Rejected
34 Secure Renegotiation: OK - Supported
35
36 Certificate - Content:
37 SHA1 Fingerprint: 412fd978da82f03122d39560da50bf2058f1e019
38 Common Name: mail.google.com
39 Issuer: Google Internet Authority G2
40 Serial Number: 305ABFF387D0D80A
41 Not Before: Jul 13 13:28:41 2016 GMT
42 Not After: Oct 5 13:17:00 2016 GMT
43 Signature Algorithm: sha256WithRSAEncryption
44 Public Key Algorithm: rsaEncryption
45 Key Size: 2048 bit
46 Exponent: 65537 (0x10001)
47 X509v3 Subject Alternative Name: {'DNS': ['mail.google.com', 'inbox.google.com']}
48
49 Certificate - Trust:
50 Hostname Validation: OK - Subject Alternative Name matches
51 Google CA Store (09/2015): OK - Certificate is trusted
52 Java 6 CA Store (Update 65): OK - Certificate is trusted
53 Microsoft CA Store (09/2015): OK - Certificate is trusted
54 Mozilla NSS CA Store (09/2015): OK - Certificate is trusted
55 Apple CA Store (OS X 10.10.5): OK - Certificate is trusted
56 Certificate Chain Received: ['mail.google.com', 'Google Internet Authority G2', 'GeoTrust Global CA']
57
58 Certificate - OCSP Stapling:
59 NOT SUPPORTED - Server did not send back an OCSP response.
60
61 OpenSSL Heartbleed:
62 OK - Not vulnerable to Heartbleed
63
64 Session Resumption:
65 With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
66 With TLS Session Tickets: OK - Supported
67
68 SSLV2 Cipher Suites:
69 Server rejected all cipher suites.
70
71 TLSV1_2 Cipher Suites:
72 Preferred:
73 ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
74 Accepted:
75 ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
76 ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
77 ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
78 AES256-SHA256 - 256 bits HTTP 301 Moved Permanently - /mail/
79 AES256-SHA - 256 bits HTTP 301 Moved Permanently - /mail/
80 AES256-GCM-SHA384 - 256 bits HTTP 301 Moved Permanently - /mail/
81 ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
82 ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
83 ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
84 AES128-SHA256 - 128 bits HTTP 301 Moved Permanently - /mail/
85 AES128-SHA - 128 bits HTTP 301 Moved Permanently - /mail/
86 AES128-GCM-SHA256 - 128 bits HTTP 301 Moved Permanently - /mail/
87 DES-CBC3-SHA - 112 bits HTTP 301 Moved Permanently - /mail/
88
89 TLSV1_1 Cipher Suites:
90 Preferred:
91 ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
92 Accepted:
93 ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
94 AES256-SHA - 256 bits HTTP 301 Moved Permanently - /mail/
95 ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
96 AES128-SHA - 128 bits HTTP 301 Moved Permanently - /mail/
97 DES-CBC3-SHA - 112 bits HTTP 301 Moved Permanently - /mail/
98
99 SSLV3 Cipher Suites:
100 Server rejected all cipher suites.
101
102 TLSV1 Cipher Suites:
103 Preferred:
104 ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
105 Accepted:
106 ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
107 AES256-SHA - 256 bits HTTP 301 Moved Permanently - /mail/
108 ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
109 AES128-SHA - 128 bits HTTP 301 Moved Permanently - /mail/
110 DES-CBC3-SHA - 112 bits HTTP 301 Moved Permanently - /mail/
111
112
113
114 SCAN COMPLETED IN 8.77 S
115 ------------------------