[Owasp-testing] SSL Testing tool

Pavol Luptak pavol.luptak at nethemba.com
Wed Jan 20 18:08:08 EST 2010


Or you can still use online SSL checking (which mostly does the same job as
these tools):

https://www.ssllabs.com/ssldb/analyze.html

On Mon, Jan 18, 2010 at 08:06:00PM -0500, Jonathan Cran wrote:
>    Not to take away from the good work, just an FYI. It appears that SSLScan
>    is getting overlooked.
> 
>    SSLScan: http://sourceforge.net/projects/sslscan/
>    SSLScan Parser: http://search.cpan.org/~jabra/Sslscan-Parser-0.02/
> 
>    -----
>    jcran at aldatmak:~/toolkit/nix/attack-net-webserver$ sslscan
>                       _
>               ___ ___| |___  ___ __ _ _ __
>              / __/ __| / __|/ __/ _` | '_ \
>              \__ \__ \ \__ \ (_| (_| | | | |
>              |___/___/_|___/\___\__,_|_| |_|
> 
>                        Version 1.7.1
>                  http://www.titania.co.uk
>         Copyright (C) 2007-2008 Ian Ventura-Whiting
> 
>    SSLScan is a fast SSL port scanner. SSLScan connects to SSL
>    ports and determines what  ciphers are supported, which are
>    the servers  prefered  ciphers,  which  SSL  protocols  are
>    supported  and   returns  the   SSL   certificate.   Client
>    certificates /  private key can be configured and output is
>    to text / XML.
> 
>    Command:
>      sslscan [Options] [host:port | host]
> 
>    Options:
>      --targets=<file>     A file containing a list of hosts to
>                           check.  Hosts can  be supplied  with
>                           ports (i.e. host:port).
>      --no-failed          List only accepted ciphers  (default
>                           is to listing all ciphers).
>      --ssl2               Only check SSLv2 ciphers.
>      --ssl3               Only check SSLv3 ciphers.
>      --tls1               Only check TLSv1 ciphers.
>      --pk=<file>          A file containing the private key or
>                           a PKCS#12  file containing a private
>                           key/certificate pair (as produced by
>                           MSIE and Netscape).
>      --pkpass=<password>  The password for the private  key or
>                           PKCS#12 file.
>      --certs=<file>       A file containing PEM/ASN1 formatted
>                           client certificates.
>      --starttls           If a STARTTLS is required to kick an
>                           SMTP service into action.
>      --xml=<file>         Output results to an XML file.
>      --version            Display the program version.
>      --help               Display the  help text  you are  now
>                           reading.
>    Example:
>      sslscan 127.0.0.1
> 
>    jcran
> 
>    On Mon, Jan 18, 2010 at 3:47 PM, Kurt Grutzmacher <grutz at jingojango.net>
>    wrote:
> 
>      Indeed, I was just coming up with a plan to write my own open-source one
>      due to the inadequacies of current tools (Windows only, not complete,
>      multiple tools required to be comprehensive, etc).  Excellent work.
>      --
>      Kurt Grutzmacher -=- grutz at jingojango.net
> 
>      On Mon, Jan 18, 2010 at 8:05 AM, Brad Causey <bradcausey at gmail.com>
>      wrote:
> 
>        Thank you!!!! Finally!!!
>        An SSL testing tool that runs native on Linux!
>        -Brad Causey
>        CISSP, MCSE, C|EH, CIFI, CGSP
> 
>        http://www.owasp.org
>        --
>        Never underestimate the time, expense, and effort an opponent will
>        expend to break a code. (Robert Morris)
>        --
> 
>        On Mon, Jan 18, 2010 at 6:03 AM, Michael Boman
>        <michael.boman at omegapoint.se> wrote:
> 
>          Hello,
> 
>          Last weekend I hacked together a piece of software that checks what
>          SSL protocols and ciphers a web server supports, which is available
>          for download at http://code.google.com/p/sslaudit/.
> 
>          From the above mentioned website:
> 
>          --8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<-
> 
>          SSLAudit is a tool that verifies SSL certificate and supported
>          protocols/ciphers of an SSL-enabled webserver. The result is graded
>          according to SSLLabs SSL Server Rating Guide.
> 
>          The tool is similar in function to SSLDigger from
>          Foundstone and THCSSLCheck from The Hacker Choice but is different
>          in that it is open source and is easily modified to support new
>          protocols and ciphers as they become available and the result is
>          graded.
> 
>          This project is sponsored by Omegapoint AB and was created to assist
>          security assessments done according to OWASP Testing Guide.
> 
>          --8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<-
> 
>          It currently performs the following tests:
> 
>          * SSL Protocol support detection
>          * SSL Cipher support detection
>          * Public cert PEM extraction
>          * Certificate timeframe validation (and warns if it is 30
>            days or less until the certificate expires)
>          * Grading of result according to SSLLabs SSL Server Rating
>            Guide
> 
>          Your feedback is much appreciated.
> 
>          Best regards
>          Michael Boman
> 
>          --
>          Michael Boman, CISSP(R) | IT Security Consultant
>          michael.boman at omegapoint.se | www.omegapoint.se
>          cellphone +46 709 15 88 30 | office +46 8 545 106 90
>          Visiting address: Mäster Samuelsgatan 42, Stockholm, SWEDEN
>          Mailing address: Box 3106, 10362 Stockholm, SWEDEN
> 
>          _______________________________________________
>          Owasp-testing mailing list
>          Owasp-testing at lists.owasp.org
>          https://lists.owasp.org/mailman/listinfo/owasp-testing
> 
>    --
>    Jonathan Cran
>    jcran at 0x0e.org
>    515.890.0070


-- 
______________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
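
The certificate timeframe check listed in the quoted SSLAudit announcement (warn at 30 days or less before expiry), sketched as an added example; it is not part of the original thread and not SSLAudit's own code. It assumes certificate fields in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and dates are constructed sample data.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # threshold named in the quoted SSLAudit announcement


def _parse(cert_time):
    # Certificate times look like 'Jan 20 18:08:08 2010 GMT'.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def check_validity(cert, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left) for a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    remaining = not_after - now
    if now < not_before:
        status = "not-yet-valid"
    elif remaining < timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=warn_days):
        status = "expiring-soon"  # "30 days or less" includes exactly 30
    else:
        status = "ok"
    return status, remaining.days  # .days floors, so it is negative once expired


def audit(certs, now=None):
    """Check several hosts; return findings with the most urgent first."""
    order = {"expired": 0, "not-yet-valid": 1, "expiring-soon": 2, "ok": 3}
    findings = [(host, *check_validity(cert, now)) for host, cert in certs.items()]
    return sorted(findings, key=lambda f: (order[f[1]], f[2]))


# Constructed sample data (hypothetical hosts), evaluated at a fixed clock.
SAMPLE_NOW = datetime(2010, 1, 20, 18, 8, 8, tzinfo=timezone.utc)
_START = "Jan  1 00:00:00 2009 GMT"
SAMPLE_CERTS = {
    "ok.example": {"notBefore": _START, "notAfter": "Feb 19 18:08:09 2010 GMT"},
    "soon.example": {"notBefore": _START, "notAfter": "Feb 19 18:08:08 2010 GMT"},
    "expired.example": {"notBefore": _START, "notAfter": "Jan 19 18:08:08 2010 GMT"},
    "future.example": {"notBefore": "Feb  1 00:00:00 2010 GMT",
                       "notAfter": "Feb  1 00:00:00 2011 GMT"},
}

if __name__ == "__main__":
    for host, status, days in audit(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{host:18} {status:14} {days:4d} days")
```

The one-second difference between `ok.example` and `soon.example` shows where the 30-day boundary falls.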