SSLscan

You might also see: Watobo, SSL checker plugin

Description

SSLScan is a fast SSL port scanner. It connects to SSL ports and determines which ciphers are supported, which ciphers the server prefers, and which SSL protocols are supported, and it returns the SSL certificate. Client certificates and a private key can be configured, and output can be written as text or XML.

Installation

$ sudo apt-get install sslscan

Usage

Basic syntax

$ sslscan [Options] [host:port | host]

Options

--targets=<file>
A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port).
--no-failed
List only accepted ciphers (default is to list all ciphers).
--ssl2
Only check SSLv2 ciphers.
--ssl3
Only check SSLv3 ciphers.
--tls1
Only check TLSv1 ciphers.
--pk=<file>
A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape).
--pkpass=<password>
The password for the private key or PKCS#12 file.
--certs=<file>
A file containing PEM/ASN1 formatted client certificates.
--starttls
Use if a STARTTLS is required to kick an SMTP service into action.
--http
Test an HTTP connection.
--bugs
Enable SSL implementation bug workarounds.
--xml=<file>
Output results to an XML file.
--version
Display the program version.
--help
Display the help text you are now reading.

Example

$ sslscan 209.85.146.17
                   _
           ___ ___| |___  ___ __ _ _ __                                                              
          / __/ __| / __|/ __/ _` | '_ \                                                             
          \__ \__ \ \__ \ (_| (_| | | | |                                                            
          |___/___/_|___/\___\__,_|_| |_|                                                            
                                                                                                     
                  Version 1.8.2                                                                      
             http://www.titania.co.uk                                                                
        Copyright Ian Ventura-Whiting 2009                                                           
                                                                                                     
Testing SSL server 209.85.146.17 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3  56 bits   DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    Not valid before: Dec 18 00:00:00 2009 GMT
    Not valid after: Dec 18 23:59:59 2011 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:d9:27:c8:11:f2:7b:e4:45:c9:46:b6:63:75:83:
          b1:77:7e:17:41:89:80:38:f1:45:27:a0:3c:d9:e8:
          a8:00:4b:d9:07:d0:ba:de:ed:f4:2c:a6:ac:dc:27:
          13:ec:0c:c1:a6:99:17:42:e6:8d:27:d2:81:14:b0:
          4b:82:fa:b2:c5:d0:bb:20:59:62:28:a3:96:b5:61:
          f6:76:c1:6d:46:d2:fd:ba:c6:0f:3d:d1:c9:77:9a:
          58:33:f6:06:76:32:ad:51:5f:29:5f:6e:f8:12:8b:
          ad:e6:c5:08:39:b3:43:43:a9:5b:91:1d:d7:e3:cf:
          51:df:75:59:8e:8d:80:ab:53
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 CRL Distribution Points: 
        URI:http://crl.thawte.com/ThawteSGCCA.crl

      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
      Authority Information Access: 
        OCSP - URI:http://ocsp.thawte.com
        CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

  Verify Certificate:
    unable to get local issuer certificate
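
An added example (not part of the original page or of sslscan itself): a Python parser for the text output shown above that lists the accepted ciphers and certificate properties a reviewer would flag. The weakness table and the 2048-bit RSA threshold are assumptions to adjust to local policy, and the sample input is constructed from lines in the format above.

```python
import re

# Constructed sample in the format of the scan output above.
SAMPLE = """\
    Rejected  SSLv2  128 bits  RC4-MD5
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Signature Algorithm: sha1WithRSAEncryption
    RSA Public Key: (1024 bit)
"""

CIPHER_LINE = re.compile(r"^\s*(Accepted|Rejected)\s+(\S+)\s+(\d+) bits\s+(\S+)\s*$")
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}           # assumed policy
WEAK_TOKENS = {                                   # assumed policy, keyed on OpenSSL name parts
    "RC4": "RC4 stream cipher", "CBC3": "3DES (64-bit block)",
    "EXP": "export-grade", "NULL": "no encryption",
    "ADH": "anonymous key exchange", "MD5": "MD5 MAC",
}

def cipher_issues(proto, bits, name):
    """Return the reasons an accepted protocol/cipher pair is flagged."""
    issues = []
    if proto in OBSOLETE_PROTOCOLS:
        issues.append("obsolete protocol " + proto)
    if bits < 128:                                # catches single DES and NULL
        issues.append("%d-bit key" % bits)
    issues += [WEAK_TOKENS[p] for p in name.split("-") if p in WEAK_TOKENS]
    return issues

def audit(report):
    """Parse sslscan text output; return a list of (item, reasons) findings."""
    findings = []
    for line in report.splitlines():
        m = CIPHER_LINE.match(line)
        if m:                                     # cipher table row
            if m.group(1) == "Accepted":
                reasons = cipher_issues(m.group(2), int(m.group(3)), m.group(4))
                if reasons:
                    findings.append((m.group(2) + " " + m.group(4), reasons))
            continue
        m = re.search(r"RSA Public Key: \((\d+) bit\)", line)
        if m and int(m.group(1)) < 2048:          # assumed minimum key size
            findings.append(("certificate key", ["RSA %s-bit" % m.group(1)]))
        m = re.search(r"Signature Algorithm: ((?:md5|sha1)\S*)", line, re.I)
        if m:
            findings.append(("certificate signature", [m.group(1)]))
    return findings
```

To review a real scan, save the tool's text output to a file and pass its contents to `audit()`.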
