SSL/TLS

Audit SSL/TLS

SSLscan

# Single Host
sslscan --show-ciphers --no-failed --show-certificate --xml=sslscan_out.xml <HOST>:<PORT>

# Target List
sslscan --show-ciphers --no-failed --show-certificate --xml=sslscan_out.xml --targets=targetlist.txt

One-line command:

# Single Host
domain=domain.com; sslscan --show-ciphers --no-failed --show-certificate --xml="${domain}".sslscan_out.xml "${domain}":<PORT>

TLSled

tlssled <IP> <PORT>

SSLyze

sslyze --http_headers --json_out=File.json <HOST>:<PORT>

One-line command:

domain=domain.com; sslyze --http_headers --regular --json_out="${domain}".json "${domain}":<PORT>

SSLlabs

https://www.ssllabs.com/ssltest/index.html

SSLscan

# Single Host
sslscan --show-ciphers --no-failed --show-certificate --xml=sslscan_out.xml <HOST>:<PORT>

# Target List
sslscan --show-ciphers --no-failed --show-certificate --xml=sslscan_out.xml --targets=targetlist.txt

TLSed

tlssled <IP> <PORT>

SSLyze

sslyze --http_headers --regular --json_out=File.json <HOST>:<PORT>

SSLlabs

https://www.ssllabs.com/ssltest/index.html

HSTS

Nmap

nmap -p 443 --script http-hsts-verify -Pn -v -oA http-hsts-verify <TARGET>

Curl

 curl -s -D- <TARGET> | grep -i strict-transport-security:

cURL should show a header like Strict-Transport-Security: max-age=15552000; preload

POODLE

Nmap

nmap -sV --version-light --script ssl-poodle -p <PORT> <TARGET>

More Info: http://nmap.org/nsedoc/scripts/ssl-poodle.html

SSL DROWN

Nmap

nmap -sV --script=sslv2-drown -p 443 -Pn -v -oA sslv2-drown <TARGET>

HEARTBLEED

Nmap

nmap --script ssl-heartbleed --script-args vulns.showall -oA ssl-heartbleed -Pn -p <PORT> -sV <TARGET>

More Info:

• https://gist.github.com/bonsaiviking/10402038

• http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

Get Certificates

Nmap

nmap -sV -sC -vv -oA certificadosSSL -Pn -p 443 <target>

OpenSSL

Bash

More info: https://nmap.org/nsedoc/scripts/ssl-cert.html

Enum Ciphers

Nmap

nmap --script ssl-enum-ciphers -Pn -p 443 -oA ssl-enum-ciphers <TARGET>

More Info: http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

SSLv2

Nmap

nmap -v -sV -sC <TARGET>

SSLyze

More info: https://nmap.org/nsedoc/scripts/sslv2.html

Sweet32

Nmap

nmap --script ssl-enum-ciphers -p <PORT> <TARGET>

YAWAST

sudo docker pull adamcaudill/yawast && sudo docker run --rm adamcaudill/yawast scan https://www.domain.com --tdessessioncount

This is the recommended option, especially if you need to perform the SWEET32 test (--tdessessioncount), due to OpenSSL dropping support for the 3DES cipher suites.

In this case I’m using YAWAST to run a ssl scan, using the --tdessessioncount parameter to instruct YAWAST to perform the SWEET32 test. In this case, you can see that the TLS session was ended after 100 requests (Connection terminated after 100 requests (TLS Reconnected)) – which is a clear indication that the server isn’t vulnerable.

Had the server actually been vulnerable, this message would have been displayed:

[V] TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32