[Owasp-testing] SSL Testing tool

Jonathan Cran jcran at 0x0e.org
Mon Jan 18 20:06:00 EST 2010


Not to take away from the good work, just an FYI. It appears that SSLScan is
getting overlooked.

SSLScan: http://sourceforge.net/projects/sslscan/
SSLScan Parser: http://search.cpan.org/~jabra/Sslscan-Parser-0.02/

-----
jcran at aldatmak:~/toolkit/nix/attack-net-webserver$ sslscan
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                    Version 1.7.1
              http://www.titania.co.uk
     Copyright (C) 2007-2008 Ian Ventura-Whiting

SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what  ciphers are supported, which are
the servers  prefered  ciphers,  which  SSL  protocols  are
supported  and   returns  the   SSL   certificate.   Client
certificates /  private key can be configured and output is
to text / XML.

Command:
  sslscan [Options] [host:port | host]

Options:
  --targets=<file>     A file containing a list of hosts to
                       check.  Hosts can  be supplied  with
                       ports (i.e. host:port).
  --no-failed          List only accepted ciphers  (default
                       is to listing all ciphers).
  --ssl2               Only check SSLv2 ciphers.
  --ssl3               Only check SSLv3 ciphers.
  --tls1               Only check TLSv1 ciphers.
  --pk=<file>          A file containing the private key or
                       a PKCS#12  file containing a private
                       key/certificate pair (as produced by
                       MSIE and Netscape).
  --pkpass=<password>  The password for the private  key or
                       PKCS#12 file.
  --certs=<file>       A file containing PEM/ASN1 formatted
                       client certificates.
  --starttls           If a STARTTLS is required to kick an
                       SMTP service into action.
  --xml=<file>         Output results to an XML file.
  --version            Display the program version.
  --help               Display the  help text  you are  now
                       reading.
Example:
  sslscan 127.0.0.1



jcran




On Mon, Jan 18, 2010 at 3:47 PM, Kurt Grutzmacher <grutz at jingojango.net> wrote:

> Indeed, I was just coming up with a plan to write my own open-source one
> due to the inadequacies of current tools (Windows only, not complete,
> multiple tools required to be comprehensive, etc).  Excellent work.
>
> --
> Kurt Grutzmacher -=- grutz at jingojango.net
>
>
>
> On Mon, Jan 18, 2010 at 8:05 AM, Brad Causey <bradcausey at gmail.com> wrote:
>
>> Thank you!!!! Finally!!!
>> An SSL testing tool that runs native on linux!
>>
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will expend
>> to break a code. (Robert Morris)
>> --
>>
>>
>> On Mon, Jan 18, 2010 at 6:03 AM, Michael Boman <
>> michael.boman at omegapoint.se> wrote:
>>
>>>  Hello,
>>>
>>>
>>>
>>> Last weekend I hacked together a piece of software that checks what SSL
>>> protocols and ciphers a web server supports, which is available for download
>>> at <http://code.google.com/p/sslaudit/>.
>>>
>>>
>>>
>>> From the above mentioned website:
>>>
>>>
>>>
>>> --8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<-
>>>
>>> SSLAudit is a tool that verifies SSL certificate and supported
>>> protocols/ciphers of a SSL-enabled webserver. The result is graded according
>>> to SSLLabs SSL Server Rating Guide <https://www.ssllabs.com/projects/rating-guide/index.html>.
>>>
>>> The tool is similar in function to SSLDigger from Foundstone <http://www.foundstone.com/us/resources/proddesc/ssldigger.htm>
>>> and THCSSLCheck from The Hacker Choice <http://freeworld.thc.org/root/tools/>
>>> but is different in that it is open source and is easily modified to
>>> support new protocols and ciphers as they become available and the result is
>>> graded.
>>>
>>> This project is sponsored by Omegapoint AB <http://www.omegapoint.se> and
>>> was created to assist security assessments done according to OWASP
>>> Testing Guide <http://www.owasp.org/index.php/Category:OWASP_Testing_Project>.
>>>
>>> --8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<-
>>>
>>> It currently performs the following tests:
>>>
>>> · SSL Protocol support detection
>>> · SSL Cipher support detection
>>> · Public cert PEM extraction
>>> · Certificate timeframe validation (and warns if it is 30 days or less
>>>   until the certificate expires)
>>> · Grading of result according to SSLLabs SSL Server Rating Guide
>>>
>>>
>>>
>>> Your feedback is much appreciated.
>>>
>>>
>>>
>>> Best regards
>>>
>>> Michael Boman
>>>
>>>
>>>
>>> --
>>>
>>> Michael Boman, CISSP® | IT Security Consultant
>>>
>>> michael.boman at omegapoint.se | www.omegapoint.se
>>>
>>> cellphone +46 709 15 88 30 | office +46 8 545 106 90
>>>
>>> Visiting address: Mäster Samuelsgatan 42, Stockholm, SWEDEN
>>>
>>> Mailing address: Box 3106, 10362 Stockholm, SWEDEN
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>


-- 
Jonathan Cran
jcran at 0x0e.org
515.890.0070
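
The certificate timeframe check listed in the quoted SSLAudit announcement (warn at 30 days or less before expiry), sketched as an added example; it is not SSLAudit's or SSLScan's code. It assumes certificate dates in the `notBefore`/`notAfter` string form that Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # warning threshold quoted in the announcement


def parse_cert_time(value):
    """Turn 'Feb 10 00:00:00 2010 GMT' into a timezone-aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def validity_status(cert, now=None, warn_days=WARN_DAYS):
    """Return (status, whole days) for a getpeercert()-style dict.

    Days are the time left until expiry, negative once expired; for a
    certificate that is not yet valid they count down to notBefore.
    """
    now = now or datetime.now(timezone.utc)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid", (not_before - now).days
    if now > not_after:
        return "expired", -((now - not_after).days)
    left = not_after - now
    status = "expiring-soon" if left <= timedelta(days=warn_days) else "ok"
    return status, left.days


# Constructed sample certificates (dates only), not taken from a real server.
SAMPLES = {
    "soon": {"notBefore": "Jan  1 00:00:00 2009 GMT", "notAfter": "Feb 10 00:00:00 2010 GMT"},
    "edge": {"notBefore": "Jan  1 00:00:00 2009 GMT", "notAfter": "Feb 17 12:00:00 2010 GMT"},
    "expired": {"notBefore": "Jan  1 00:00:00 2009 GMT", "notAfter": "Jan  1 00:00:00 2010 GMT"},
    "future": {"notBefore": "Mar  1 00:00:00 2010 GMT", "notAfter": "Mar  1 00:00:00 2011 GMT"},
    "ok": {"notBefore": "Jan  1 00:00:00 2009 GMT", "notAfter": "Dec 31 23:59:59 2010 GMT"},
}

if __name__ == "__main__":
    # Fixed clock so the constructed samples always classify the same way.
    fixed_now = datetime(2010, 1, 18, 12, 0, tzinfo=timezone.utc)
    for name, cert in SAMPLES.items():
        print(name, validity_status(cert, now=fixed_now))
```

A certificate exactly 30 days from expiry is reported as `expiring-soon`, matching the "30 days or less" wording.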