Tools - SSLyze
Alasta 26 Juillet 2016 tools bash collecte tools Linux Open Source Security shell kali ssl
Description : Nous allons utiliser SSLyze pour découvrir les ciphers supportés par un service SSL/TLS.
Rappel :
Attention dans cet article l’outils est utilisé pour la recherche et l’apprentissage. Ce type d’outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).
Environnement de test :
Pour cela nous allons utiliser une VM tournant sur la distribution Kali. SSLyze est installé de base sur Kali.
Utilisation :
La commande et ses options
root@kali:~# sslyze -h
Usage: sslyze.py [options] target1.com target2.com:443 etc...
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--xml_out=XML_FILE Writes the scan results as an XML document to the file
XML_FILE. If XML_FILE is set to "-", the XML output
will instead be printed to stdout.
--targets_in=TARGETS_IN
Reads the list of targets to scan from the file
TARGETS_IN. It should contain one host:port per line.
--timeout=TIMEOUT Sets the timeout value in seconds used for every
socket connection made to the target server(s).
Default is 5s.
--nb_retries=NB_RETRIES
Sets the number retry attempts for all network
connections initiated throughout the scan. Increase
this value if you are getting a lot of
timeout/connection errors when scanning a specific
server. Decrease this value to increase the speed of
the scans; results may however return connection
errors. Default is 4 connection attempts.
--https_tunnel=HTTPS_TUNNEL
Tunnels all traffic to the target server(s) through an
HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's
URL: 'http://USER:PW@HOST:PORT/'. For proxies
requiring authentication, only Basic Authentication is
supported.
--starttls=STARTTLS Performs StartTLS handshakes when connecting to the
target server(s). STARTTLS should be one of: ['smtp',
'xmpp', 'xmpp_server', 'pop3', 'ftp', 'imap', 'ldap',
'rdp', 'postgres', 'auto']. The 'auto' option will
cause SSLyze to deduce the protocol (ftp, imap, etc.)
from the supplied port number, for each target
servers.
--xmpp_to=XMPP_TO Optional setting for STARTTLS XMPP. XMPP_TO should be
the hostname to be put in the 'to' attribute of the
XMPP stream. Default is the server's hostname.
--sni=SNI Use Server Name Indication to specify the hostname to
connect to. Will only affect TLS 1.0+ connections.
--quiet Hide script standard outputs. Will only affect script
output if --xml_out is set.
--regular Regular HTTPS scan; shortcut for --sslv2 --sslv3
--tlsv1 --tlsv1_1 --tlsv1_2 --reneg --resum
--certinfo=basic --http_get --hide_rejected_ciphers
--compression --heartbleed
Client certificate support:
--cert=CERT Client certificate chain filename. The certificates
must be in PEM format and must be sorted starting with
the subject's client certificate, followed by
intermediate CA certificates if applicable.
--key=KEY Client private key filename.
--keyform=KEYFORM Client private key format. DER or PEM (default).
--pass=KEYPASS Client private key passphrase.
PluginSessionResumption:
Analyzes the target server's SSL session resumption capabilities.
--resum Tests the server(s) for session resumption support
using session IDs and TLS session tickets (RFC 5077).
--resum_rate Performs 100 session resumptions with the server(s),
in order to estimate the session resumption rate.
PluginCompression:
--compression Tests the server(s) for Zlib compression support.
PluginCertInfo:
--certinfo=CERTINFO
Verifies the validity of the server(s) certificate(s)
against various trust stores, checks for support for
OCSP stapling, and prints relevant fields of the
certificate. CERTINFO should be 'basic' or 'full'.
--ca_file=CA_FILE Local Certificate Authority file (in PEM format), to
verify the validity of the server(s) certificate(s)
against.
PluginHeartbleed:
--heartbleed Tests the server(s) for the OpenSSL Heartbleed
vulnerability (experimental).
PluginSessionRenegotiation:
--reneg Tests the server(s) for client-initiated renegotiation
and secure renegotiation support.
PluginHSTS:
--hsts Checks support for HTTP Strict Transport Security
(HSTS) by collecting any Strict-Transport-Security
field present in the HTTP response sent back by the
server(s).
PluginChromeSha1Deprecation:
--chrome_sha1 Determines if the server will be affected by Google
Chrome's SHA-1 deprecation plans. See
http://googleonlinesecurity.blogspot.com/2014/09
/gradually-sunsetting-sha-1.html for more information
PluginOpenSSLCipherSuites:
Scans the server(s) for supported OpenSSL cipher suites.
--sslv2 Lists the SSL 2.0 OpenSSL cipher suites supported by
the server(s).
--sslv3 Lists the SSL 3.0 OpenSSL cipher suites supported by
the server(s).
--tlsv1 Lists the TLS 1.0 OpenSSL cipher suites supported by
the server(s).
--tlsv1_1 Lists the TLS 1.1 OpenSSL cipher suites supported by
the server(s).
--tlsv1_2 Lists the TLS 1.2 OpenSSL cipher suites supported by
the server(s).
--http_get Option - For each cipher suite, sends an HTTP GET
request after completing the SSL handshake and returns
the HTTP status code.
--hide_rejected_ciphers
Option - Hides the (usually long) list of cipher
suites that were rejected by the server(s).La commande de base
root@kali:~# sslyze --regular mail.google.com
AVAILABLE PLUGINS
-----------------
PluginCertInfo
PluginSessionRenegotiation
PluginSessionResumption
PluginCompression
PluginChromeSha1Deprecation
PluginOpenSSLCipherSuites
PluginHSTS
PluginHeartbleed
CHECKING HOST(S) AVAILABILITY
-----------------------------
mail.google.com:443 => 216.58.211.69:443
SCAN RESULTS FOR MAIL.GOOGLE.COM:443 - 216.58.211.69:443
--------------------------------------------------------
* Deflate Compression:
OK - Compression disabled
* Session Renegotiation:
Client-initiated Renegotiations: OK - Rejected
Secure Renegotiation: OK - Supported
* Certificate - Content:
SHA1 Fingerprint: 412fd978da82f03122d39560da50bf2058f1e019
Common Name: mail.google.com
Issuer: Google Internet Authority G2
Serial Number: 305ABFF387D0D80A
Not Before: Jul 13 13:28:41 2016 GMT
Not After: Oct 5 13:17:00 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Key Size: 2048 bit
Exponent: 65537 (0x10001)
X509v3 Subject Alternative Name: {'DNS': ['mail.google.com', 'inbox.google.com']}
* Certificate - Trust:
Hostname Validation: OK - Subject Alternative Name matches
Google CA Store (09/2015): OK - Certificate is trusted
Java 6 CA Store (Update 65): OK - Certificate is trusted
Microsoft CA Store (09/2015): OK - Certificate is trusted
Mozilla NSS CA Store (09/2015): OK - Certificate is trusted
Apple CA Store (OS X 10.10.5): OK - Certificate is trusted
Certificate Chain Received: ['mail.google.com', 'Google Internet Authority G2', 'GeoTrust Global CA']
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* Session Resumption:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Session Tickets: OK - Supported
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_2 Cipher Suites:
Preferred:
ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
Accepted:
ECDHE-RSA-AES256-SHA384 ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES256-GCM-SHA384 ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
AES256-SHA256 - 256 bits HTTP 301 Moved Permanently - /mail/
AES256-SHA - 256 bits HTTP 301 Moved Permanently - /mail/
AES256-GCM-SHA384 - 256 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES128-SHA256 ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES128-GCM-SHA256 ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
AES128-SHA256 - 128 bits HTTP 301 Moved Permanently - /mail/
AES128-SHA - 128 bits HTTP 301 Moved Permanently - /mail/
AES128-GCM-SHA256 - 128 bits HTTP 301 Moved Permanently - /mail/
DES-CBC3-SHA - 112 bits HTTP 301 Moved Permanently - /mail/
* TLSV1_1 Cipher Suites:
Preferred:
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
Accepted:
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
AES256-SHA - 256 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
AES128-SHA - 128 bits HTTP 301 Moved Permanently - /mail/
DES-CBC3-SHA - 112 bits HTTP 301 Moved Permanently - /mail/
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1 Cipher Suites:
Preferred:
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
Accepted:
ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits HTTP 301 Moved Permanently - /mail/
AES256-SHA - 256 bits HTTP 301 Moved Permanently - /mail/
ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits HTTP 301 Moved Permanently - /mail/
AES128-SHA - 128 bits HTTP 301 Moved Permanently - /mail/
DES-CBC3-SHA - 112 bits HTTP 301 Moved Permanently - /mail/
SCAN COMPLETED IN 8.77 S
------------------------