Reminder:

Warning: in this article the tool is used for research and learning. This type of tool must not be used against a server that does not belong to you; doing so may be punishable by law (see articles 323-XX).

Test environment:

For this we will use a VM running the Kali distribution. SSLScan is installed by default on Kali.

Usage:

The command and its options

root@kali:~# sslscan -h
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|


		1.11.5-static
		OpenSSL 1.0.2h-dev  xx XXX xxxx
Command:
  sslscan [Options] [host:port | host]

Options:
  --targets=<file>     A file containing a list of hosts to check.
                       Hosts can  be supplied  with ports (host:port)
  --ipv4               Only use IPv4
  --ipv6               Only use IPv6
  --show-certificate   Show full certificate information
  --no-check-certificate  Don't warn about weak certificate algorithm or keys
  --show-client-cas    Show trusted CAs for TLS client auth
  --show-ciphers       Show supported client ciphers
  --show-cipher-ids    Show cipher ids
  --show-times         Show handhake times in milliseconds
  --ssl2               Only check SSLv2 ciphers
  --ssl3               Only check SSLv3 ciphers
  --tls10              Only check TLSv1.0 ciphers
  --tls11              Only check TLSv1.1 ciphers
  --tls12              Only check TLSv1.2 ciphers
  --tlsall             Only check TLS ciphers (all versions)
  --ocsp               Request OCSP response from server
  --pk=<file>          A file containing the private key or a PKCS#12 file
                       containing a private key/certificate pair
  --pkpass=<password>  The password for the private  key or PKCS#12 file
  --certs=<file>       A file containing PEM/ASN1 formatted client certificates
  --no-ciphersuites    Do not check for supported ciphersuites
  --no-renegotiation   Do not check for TLS renegotiation
  --no-compression     Do not check for TLS compression (CRIME)
  --no-heartbleed      Do not check for OpenSSL Heartbleed (CVE-2014-0160)
  --starttls-ftp       STARTTLS setup for FTP
  --starttls-imap      STARTTLS setup for IMAP
  --starttls-irc       STARTTLS setup for IRC
  --starttls-pop3      STARTTLS setup for POP3
  --starttls-smtp      STARTTLS setup for SMTP
  --starttls-xmpp      STARTTLS setup for XMPP
  --starttls-psql      STARTTLS setup for PostgreSQL
  --xmpp-server        Use a server-to-server XMPP handshake
  --http               Test a HTTP connection
  --rdp                Send RDP preamble before starting scan
  --bugs               Enable SSL implementation bug work-arounds
  --timeout=<sec>      Set socket timeout. Default is 3s
  --sleep=<msec>       Pause between connection request. Default is disabled
  --xml=<file>         Output results to an XML file
  --version            Display the program version
  --verbose            Display verbose output
  --no-cipher-details  Disable EC curve names and EDH/RSA key lengths output
  --no-colour          Disable coloured output
  --help               Display the  help text  you are  now reading

Example:
  sslscan 127.0.0.1
  sslscan [::1]

The basic command

root@kali:~# sslscan mail.google.com
Version: 1.11.5-static
OpenSSL 1.0.2h-dev  xx XXX xxxx

Testing SSL server mail.google.com on port 443

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256            
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  128 bits  AES128-SHA256                
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384            
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  256 bits  AES256-SHA256                
Preferred TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  AES256-SHA                   

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  mail.google.com
Altnames: DNS:mail.google.com, DNS:inbox.google.com
Issuer:   Google Internet Authority G2

Not valid before: Jul 20 10:25:50 2016 GMT
Not valid after:  Oct 12 09:58:00 2016 GMT
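
The scan output above can be checked mechanically during a hardening review of your own server. The following Python sketch is an added example, not part of the original article or of sslscan: it parses the "Supported Server Cipher(s)" lines in the text format shown above and reports legacy protocol versions, ciphers under 128 bits and failed Heartbleed checks. The LEGACY and MIN_BITS thresholds, the function names and the sample input are assumptions of this example.

```python
import re

# Constructed sample: a few lines in the format of the scan output above.
SAMPLE = """\
  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes present without --no-colour
CIPHER = re.compile(r"^(Preferred|Accepted)\s+(SSLv\d|TLSv[\d.]+)\s+(\d+) bits\s+(\S+)")
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # assumption: versions to report
MIN_BITS = 128                                      # assumption: minimum strength


def parse_ciphers(text):
    """Return (status, protocol, bits, cipher) for every cipher line."""
    rows = []
    for line in ANSI.sub("", text).splitlines():
        m = CIPHER.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def findings(text):
    """Return sorted, de-duplicated findings for a hardening review."""
    out = set()
    for _status, proto, bits, cipher in parse_ciphers(text):
        if proto in LEGACY:
            out.add(f"legacy protocol enabled: {proto}")
        if bits < MIN_BITS:
            out.add(f"{proto}: {cipher} is only {bits} bits")
    for line in ANSI.sub("", text).splitlines():
        # sslscan prints "... not vulnerable to heartbleed" when the check passes
        if "vulnerable to heartbleed" in line and " not " not in line:
            out.add(f"heartbleed: {line.strip()}")
    return sorted(out)


if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```

Saving a scan with --no-colour to a file and passing its contents to findings() gives a short list to compare between scans.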