Rappel :

Attention dans cet article l'outils est utilisé pour la recherche et l'apprentissage. Ce type d'outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).

Environnement de test :

Pour cela nous allons utiliser une VM tournant sur la distribution Kali. SSLyze est installé de base sur Kali.

Utilisation :

La commande et ses options

  1 root@kali:~# sslyze -h
  2 Usage: sslyze.py [options] target1.com target2.com:443 etc...
  3 
  4 Options:
  5   --version             show program's version number and exit
  6   -h, --help            show this help message and exit
  7   --xml_out=XML_FILE    Writes the scan results as an XML document to the file
  8                         XML_FILE. If XML_FILE is set to "-", the XML output
  9                         will instead be printed to stdout.
 10   --targets_in=TARGETS_IN
 11                         Reads the list of targets to scan from the file
 12                         TARGETS_IN. It should contain one host:port per line.
 13   --timeout=TIMEOUT     Sets the timeout value in seconds used for every
 14                         socket connection made to the target server(s).
 15                         Default is 5s.
 16   --nb_retries=NB_RETRIES
 17                         Sets the number retry attempts for all network
 18                         connections initiated throughout the scan. Increase
 19                         this value if you are getting a lot of
 20                         timeout/connection errors when scanning a specific
 21                         server. Decrease this value to increase the speed of
 22                         the scans; results may however return connection
 23                         errors. Default is 4 connection attempts.
 24   --https_tunnel=HTTPS_TUNNEL
 25                         Tunnels all traffic to the target server(s) through an
 26                         HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's
 27                         URL: 'http://USER:PW@HOST:PORT/'. For proxies
 28                         requiring authentication, only Basic Authentication is
 29                         supported.
 30   --starttls=STARTTLS   Performs StartTLS handshakes when connecting to the
 31                         target server(s). STARTTLS should be one of: ['smtp',
 32                         'xmpp', 'xmpp_server', 'pop3', 'ftp', 'imap', 'ldap',
 33                         'rdp', 'postgres', 'auto']. The 'auto' option will
 34                         cause SSLyze to deduce the protocol (ftp, imap, etc.)
 35                         from the supplied port number, for each target
 36                         servers.
 37   --xmpp_to=XMPP_TO     Optional setting for STARTTLS XMPP.  XMPP_TO should be
 38                         the hostname to be put in the 'to' attribute of the
 39                         XMPP stream. Default is the server's hostname.
 40   --sni=SNI             Use Server Name Indication to specify the hostname to
 41                         connect to. Will only affect TLS 1.0+ connections.
 42   --quiet               Hide script standard outputs. Will only affect script
 43                         output if --xml_out is set.
 44   --regular             Regular HTTPS scan; shortcut for --sslv2 --sslv3
 45                         --tlsv1 --tlsv1_1 --tlsv1_2 --reneg --resum
 46                         --certinfo=basic --http_get --hide_rejected_ciphers
 47                         --compression --heartbleed
 48 
 49   Client certificate support:
 50     --cert=CERT         Client certificate chain filename. The certificates
 51                         must be in PEM format and must be sorted starting with
 52                         the subject's client certificate, followed by
 53                         intermediate CA certificates if applicable.
 54     --key=KEY           Client private key filename.
 55     --keyform=KEYFORM   Client private key format. DER or PEM (default).
 56     --pass=KEYPASS      Client private key passphrase.
 57 
 58   PluginSessionResumption:
 59     Analyzes the target server's SSL session resumption capabilities.
 60 
 61     --resum             Tests the server(s) for session resumption support
 62                         using session IDs and TLS session tickets (RFC 5077).
 63     --resum_rate        Performs 100 session resumptions with the server(s),
 64                         in order to estimate the session resumption rate.
 65 
 66   PluginCompression:
 67     --compression       Tests the server(s) for Zlib compression support.
 68 
 69   PluginCertInfo:
 70     --certinfo=CERTINFO
 71                         Verifies the validity of the server(s) certificate(s)
 72                         against various trust stores, checks for support for
 73                         OCSP stapling, and prints relevant fields of the
 74                         certificate. CERTINFO should be 'basic' or 'full'.
 75     --ca_file=CA_FILE   Local Certificate Authority file (in PEM format), to
 76                         verify the validity of the server(s) certificate(s)
 77                         against.
 78 
 79   PluginHeartbleed:
 80     --heartbleed        Tests the server(s) for the OpenSSL Heartbleed
 81                         vulnerability (experimental).
 82 
 83   PluginSessionRenegotiation:
 84     --reneg             Tests the server(s) for client-initiated renegotiation
 85                         and secure renegotiation support.
 86 
 87   PluginHSTS:
 88     --hsts              Checks support for HTTP Strict Transport Security
 89                         (HSTS) by collecting any Strict-Transport-Security
 90                         field present in the HTTP response sent back by the
 91                         server(s).
 92 
 93   PluginChromeSha1Deprecation:
 94     --chrome_sha1       Determines if the server will be affected by Google
 95                         Chrome's SHA-1 deprecation plans. See
 96                         http://googleonlinesecurity.blogspot.com/2014/09
 97                         /gradually-sunsetting-sha-1.html for more information
 98 
 99   PluginOpenSSLCipherSuites:
100     Scans the server(s) for supported OpenSSL cipher suites.
101 
102     --sslv2             Lists the SSL 2.0 OpenSSL cipher suites supported by
103                         the server(s).
104     --sslv3             Lists the SSL 3.0 OpenSSL cipher suites supported by
105                         the server(s).
106     --tlsv1             Lists the TLS 1.0 OpenSSL cipher suites supported by
107                         the server(s).
108     --tlsv1_1           Lists the TLS 1.1 OpenSSL cipher suites supported by
109                         the server(s).
110     --tlsv1_2           Lists the TLS 1.2 OpenSSL cipher suites supported by
111                         the server(s).
112     --http_get          Option - For each cipher suite, sends an HTTP GET
113                         request after completing the SSL handshake and returns
114                         the HTTP status code.
115     --hide_rejected_ciphers
116                         Option - Hides the (usually long) list of cipher
117                         suites that were rejected by the server(s).

La commande de base

  1 root@kali:~# sslyze --regular mail.google.com
  2 
  3 
  4 
  5  AVAILABLE PLUGINS
  6  -----------------
  7 
  8   PluginCertInfo
  9   PluginSessionRenegotiation
 10   PluginSessionResumption
 11   PluginCompression
 12   PluginChromeSha1Deprecation
 13   PluginOpenSSLCipherSuites
 14   PluginHSTS
 15   PluginHeartbleed
 16 
 17 
 18 
 19  CHECKING HOST(S) AVAILABILITY
 20  -----------------------------
 21 
 22    mail.google.com:443                 => 216.58.211.69:443
 23 
 24 
 25 
 26  SCAN RESULTS FOR MAIL.GOOGLE.COM:443 - 216.58.211.69:443
 27  --------------------------------------------------------
 28 
 29   * Deflate Compression:
 30       OK - Compression disabled          
 31 
 32   * Session Renegotiation:
 33       Client-initiated Renegotiations:   OK - Rejected
 34       Secure Renegotiation:              OK - Supported
 35 
 36   * Certificate - Content:
 37       SHA1 Fingerprint:                  412fd978da82f03122d39560da50bf2058f1e019
 38       Common Name:                       mail.google.com
 39       Issuer:                            Google Internet Authority G2
 40       Serial Number:                     305ABFF387D0D80A
 41       Not Before:                        Jul 13 13:28:41 2016 GMT
 42       Not After:                         Oct  5 13:17:00 2016 GMT
 43       Signature Algorithm:               sha256WithRSAEncryption
 44       Public Key Algorithm:              rsaEncryption
 45       Key Size:                          2048 bit
 46       Exponent:                          65537 (0x10001)
 47       X509v3 Subject Alternative Name:   {'DNS': ['mail.google.com', 'inbox.google.com']}
 48 
 49   * Certificate - Trust:
 50       Hostname Validation:               OK - Subject Alternative Name matches
 51       Google CA Store (09/2015):         OK - Certificate is trusted
 52       Java 6 CA Store (Update 65):       OK - Certificate is trusted
 53       Microsoft CA Store (09/2015):      OK - Certificate is trusted
 54       Mozilla NSS CA Store (09/2015):    OK - Certificate is trusted
 55       Apple CA Store (OS X 10.10.5):     OK - Certificate is trusted
 56       Certificate Chain Received:        ['mail.google.com', 'Google Internet Authority G2', 'GeoTrust Global CA']
 57 
 58   * Certificate - OCSP Stapling:
 59       NOT SUPPORTED - Server did not send back an OCSP response.
 60 
 61   * OpenSSL Heartbleed:
 62       OK - Not vulnerable to Heartbleed  
 63 
 64   * Session Resumption:
 65       With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
 66       With TLS Session Tickets:          OK - Supported
 67 
 68   * SSLV2 Cipher Suites:
 69       Server rejected all cipher suites.
 70 
 71   * TLSV1_2 Cipher Suites:
 72       Preferred:                       
 73                  ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
 74       Accepted:                        
 75                  ECDHE-RSA-AES256-SHA384       ECDH-256 bits  256 bits      HTTP 301 Moved Permanently - /mail/
 76                  ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 301 Moved Permanently - /mail/
 77                  ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 301 Moved Permanently - /mail/
 78                  AES256-SHA256                 -              256 bits      HTTP 301 Moved Permanently - /mail/
 79                  AES256-SHA                    -              256 bits      HTTP 301 Moved Permanently - /mail/
 80                  AES256-GCM-SHA384             -              256 bits      HTTP 301 Moved Permanently - /mail/
 81                  ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
 82                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
 83                  ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
 84                  AES128-SHA256                 -              128 bits      HTTP 301 Moved Permanently - /mail/
 85                  AES128-SHA                    -              128 bits      HTTP 301 Moved Permanently - /mail/
 86                  AES128-GCM-SHA256             -              128 bits      HTTP 301 Moved Permanently - /mail/
 87                  DES-CBC3-SHA                  -              112 bits      HTTP 301 Moved Permanently - /mail/
 88 
 89   * TLSV1_1 Cipher Suites:
 90       Preferred:                       
 91                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
 92       Accepted:                        
 93                  ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 301 Moved Permanently - /mail/
 94                  AES256-SHA                    -              256 bits      HTTP 301 Moved Permanently - /mail/
 95                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
 96                  AES128-SHA                    -              128 bits      HTTP 301 Moved Permanently - /mail/
 97                  DES-CBC3-SHA                  -              112 bits      HTTP 301 Moved Permanently - /mail/
 98 
 99   * SSLV3 Cipher Suites:
100       Server rejected all cipher suites.
101 
102   * TLSV1 Cipher Suites:
103       Preferred:                       
104                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
105       Accepted:                        
106                  ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 301 Moved Permanently - /mail/
107                  AES256-SHA                    -              256 bits      HTTP 301 Moved Permanently - /mail/
108                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 301 Moved Permanently - /mail/
109                  AES128-SHA                    -              128 bits      HTTP 301 Moved Permanently - /mail/
110                  DES-CBC3-SHA                  -              112 bits      HTTP 301 Moved Permanently - /mail/
111 
112 
113 
114  SCAN COMPLETED IN 8.77 S
115  ------------------------