[Owasp-testing] SSL Testing tool

Michael Boman michael.boman at omegapoint.se
Tue Jan 19 00:41:03 EST 2010

It only shows one thing, we need to update the testing guide with more tool examples so these tools get more coverage.

In my opinion the openssl command line tool nor Nessus does a detailed enough job to fully cover OWASP-CM-001.

Best regards
Michael Boman

From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Jonathan Cran
Sent: den 19 januari 2010 02:06
To: Kurt Grutzmacher
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] SSL Testing tool

Not to take away from the good work, just an FYI. It appears that SSLScan is getting overlooked.

SSLScan: http://sourceforge.net/projects/sslscan/
SSLScan Parser: http://search.cpan.org/~jabra/Sslscan-Parser-0.02/

jcran at aldatmak:~/toolkit/nix/attack-net-webserver$ sslscan
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                    Version 1.7.1
     Copyright (C) 2007-2008 Ian Ventura-Whiting

SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what  ciphers are supported, which are
the servers  prefered  ciphers,  which  SSL  protocols  are
supported  and   returns  the   SSL   certificate.   Client
certificates /  private key can be configured and output is
to text / XML.

  sslscan [Options] [host:port | host]

  --targets=<file>     A file containing a list of hosts to
                       check.  Hosts can  be supplied  with
                       ports (i.e. host:port).
  --no-failed          List only accepted ciphers  (default
                       is to listing all ciphers).
  --ssl2               Only check SSLv2 ciphers.
  --ssl3               Only check SSLv3 ciphers.
  --tls1               Only check TLSv1 ciphers.
  --pk=<file>          A file containing the private key or
                       a PKCS#12  file containing a private
                       key/certificate pair (as produced by
                       MSIE and Netscape).
  --pkpass=<password>  The password for the private  key or
                       PKCS#12 file.
  --certs=<file>       A file containing PEM/ASN1 formatted
                       client certificates.
  --starttls           If a STARTTLS is required to kick an
                       SMTP service into action.
  --xml=<file>         Output results to an XML file.
  --version            Display the program version.
  --help               Display the  help text  you are  now


On Mon, Jan 18, 2010 at 3:47 PM, Kurt Grutzmacher <grutz at jingojango.net<mailto:grutz at jingojango.net>> wrote:
Indeed, I was just coming up with a plan to write my own open-source one due to the inadequacies of current tools (Windows only, not complete, multiple tools required to be comprehensive, etc).  Excellent work.

Kurt Grutzmacher -=- grutz at jingojango.net<mailto:grutz at jingojango.net>

On Mon, Jan 18, 2010 at 8:05 AM, Brad Causey <bradcausey at gmail.com<mailto:bradcausey at gmail.com>> wrote:
Thank you!!!! Finally!!!
A SSL testing too that runs native on linux!

-Brad Causey

Never underestimate the time, expense, and effort an opponent will expend to break a code. (Robert Morris)

On Mon, Jan 18, 2010 at 6:03 AM, Michael Boman <michael.boman at omegapoint.se<mailto:michael.boman at omegapoint.se>> wrote:

Last weekend I hacked together a piece of software that checks what SSL protocols and ciphers a web server supports, which is available for download at http://code.google.com     /p/sslaudit/<http://code.google.com/p/sslaudit/>.

>From the above mentioned website:

SSLAudit is a tool that verifies SSL certificate and supported protocols/ciphers of a SSL-enabled webserver. The result is graded according to SSLLabs SSL Server Rating Guide<https://www.ssllabs.com/projects/rating-guide/index.html>.

The tool is similar in function to SSLDigger from Foundstone<http://www.foundstone.com/us/resources/proddesc/ssldigger.htm> and THCSSLCheck from The Hacker Choice<http://freeworld.thc.org/root/tools/> but is different that it is open source and is easily modified to support new protocols and ciphers as they become available and the result is graded.

This project is sponsored by Omegapoint AB<http://www.omegapoint.se> and was created to assist security assessments done according to OWASP Testing Guide<http://www.owasp.org/index.php/Category:OWASP_Testing_Project>.

It currently performs the following tests:

*         SSL Protocol support detection

*         SSL Cipher support detection

*         Public cert PEM extraction

*         Certificate timeframe validation (and warns if it is 30 days or less until the certificate expires)

*         Grading of result according to SSLLabs SSL Server Rating Guide

Your feedback is much appreciated.

Best regards
Michael Boman

Michael Boman, CISSP® | IT Security Consultant
michael.boman at omegapoint.se<mailto:michael.boman at omegapoint.se> | www.omegapoint.se<http://www.omegapoint.se>
cellphone +46 709 15 88 30 | office +46 8 545 106 90
Visiting address: Mäster Samuelsgatan 42, Stockholm, SWEDEN
Mailing address: Box 3106, 10362 Stockholm, SWEDEN

Owasp-testing mailing list
Owasp-testing at lists.owasp.org<mailto:Owasp-testing at lists.owasp.org>

Owasp-testing mailing list
Owasp-testing at lists.owasp.org<mailto:Owasp-testing at lists.owasp.org>

Owasp-testing mailing list
Owasp-testing at lists.owasp.org<mailto:Owasp-testing at lists.owasp.org>

Jonathan Cran
jcran at 0x0e.org<mailto:jcran at 0x0e.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20100119/f004d8a0/attachment.html 

More information about the Owasp-testing mailing list