SSL Audit Understanding and Tools

Overview

Over time I have been reading articles on different encryption mechanisms such as SSL/TLS. I am going to cut to the chase, since there are many articles available online to help you understand the basics.
I was browsing the net when I came across this informative guide. Wikipedia rocks, doesn't it?
Also, a guy named Jake Rocheleau shows a step-by-step installation of SSL on your own server: Here

Security

SSL is used to provide secure connections between the client and server in order to help protect vital data against sniffing. Though SSL provides security, there have been cases where the encryption has been broken or cracked. SSL security is constantly changing over time.
Here is how SSL Works:

[SSL diagram]


Tools

There are quite a few open-source tools available for auditing SSL.

  • SSL Analyzer (Windows)
  • sslaudit.pl
  • SSL test ( Online Scanner )
  • SSL Scan

These are a few of the ones which I have used to date, and I am pretty happy with the results.

SSL Analyser

SSL Analyzer is a Windows-based tool.

SSL Vulnerability Analyzer

The SSL Vulnerabilities Analyzer is designed for website owners and security testers. The tool takes a domain and/or IP address, tests the encryptions and algorithms supported by them and analyzes the results in a graphic form, reporting problematic encryption methods. The better part is that these people even have a Hardening Guide.

SSLAudit.pl

One of the best things about this script is that it has a rating system: it rates the results of your SSL analysis. They even provide a rating guide: Here

Currently SSLAudit performs the following checks:

  • SSL Protocol support detection
  • SSL Cipher support detection
  • Public cert PEM extraction
  • Certificate timeframe validation (and warns if it is 30 days or less until the certificate expires)

[SSLAudit screenshot]


SSL Test Online Scanner

[Qualys SSL Test scanner screenshot]


SSLScan

SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes the preferred ciphers of the SSL service and the certificate, and is available in text and XML formats.

[SSLScan screenshot]

Tutorials for the same are available; here is one written by Michael Boman:

Basic usage

You can run SSLScan either one-off, by specifying a host (and optionally the port number) on the command line, or by feeding SSLScan a text file that contains one host (and optionally a port number) per line (using the --targets=targets.txt option).
If you are not interested in which protocols and ciphers the remote host does not support, you can use the --no-failed option to hide those results (highly recommended). If you are testing an HTTP server you can also supply the --http option, which sends an HTTP request over the newly created connection to see what status code your request gets (useful if the server supports less secure protocols/ciphers but redirects to a page which tells the user to update their browser).
If you are testing SMTP/STARTTLS servers then you need to supply the --starttls option instead.

Advanced usage

Specifying protocol versions to test

In case you want to test a particular protocol version (SSLv2, SSLv3 and TLSv1 are currently supported) instead of all the protocols, you can use the --ssl2, --ssl3 or --tls1 option respectively.

Using client certificates

Some servers do not want to talk to the connecting client unless it can identify itself using a client certificate. Use the --pk=cert.p12 option to specify where to load the client certificate from. If the certificate is protected by a password (which it should be) you can specify it using the --pkpass=p12password option. Please note that the password will be visible to anyone on the same system, because it appears in the command-line parameters.

Verifying server certificates

Using the --certs=certs.pem option you can specify which root CAs you trust and want to verify the target server against. This option is still under development and only exists in the Google Code repository.

SSL implementation bugs

Not all SSL/TLS implementations are written correctly, so you might need to enable bug-workaround code using the --bugs option.

Output formats

By default SSLScan outputs its test results directly to the screen in a human-friendly format. This is not always what you want or need; the human-readable format is not easy for software to parse. There are two machine-readable formats that you can use:
The --xml=file.xml option writes the findings to a file in XML format. If you use the filename "stdout" the program outputs the results to the terminal instead of a file. This can be very useful, especially with the --quiet option, if you call SSLScan from some other program and then want to parse the XML, which will be provided on stdout instead of in a temporary file.
--pout is an undocumented and soon-to-be-retired feature that outputs the collected results in a more grep-friendly format, inspired by Nmap's greppable output format.
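As an added example (not from the post, from Michael Boman's tutorial, or from SSLScan itself), here is a Python consumer of the XML that --quiet --xml=stdout hands to a calling program; it also applies the 30-day certificate-expiry rule SSLAudit uses. The element and attribute names (ssltest, cipher, not-valid-after) are assumed to match SSLScan's XML layout, and the sample document is constructed.

```python
# Added example: parse the XML that "sslscan --quiet --xml=stdout host" hands to a
# calling program and apply the checks discussed above (weak protocols, weak
# ciphers, SSLAudit's 30-day expiry warning). Element and attribute names are
# assumed to follow SSLScan's XML layout; adjust them for your version.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_BITS = 128           # ciphers weaker than this are reported
EXPIRY_WARN_DAYS = 30    # the threshold SSLAudit uses for its expiry warning

# Constructed sample document, not captured from a real host.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="1.8.2">
 <ssltest host="example.test" port="443">
  <cipher status="accepted" sslversion="SSLv3" bits="40" cipher="EXP-RC4-MD5" />
  <cipher status="accepted" sslversion="TLSv1" bits="128" cipher="AES128-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
  <cipher status="failed" sslversion="TLSv1" bits="56" cipher="DES-CBC-SHA" />
  <certificate>
   <not-valid-after>Jan 10 12:00:00 2030 GMT</not-valid-after>
  </certificate>
 </ssltest>
</document>"""


def analyse(xml_text, as_of=None):
    """Summarise one SSLScan XML document; as_of is an ISO date for the expiry check."""
    now = (datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    findings = {"weak_protocols": set(), "weak_ciphers": [], "cert_warning": None}
    for c in root.iter("cipher"):
        if c.get("status") != "accepted":   # skip ciphers the server rejected
            continue
        if c.get("sslversion") in WEAK_PROTOCOLS:
            findings["weak_protocols"].add(c.get("sslversion"))
        if int(c.get("bits", "0")) < MIN_BITS:
            findings["weak_ciphers"].append(c.get("cipher"))
    not_after = root.findtext(".//certificate/not-valid-after")
    if not_after:
        # OpenSSL's ASN1_TIME text form, e.g. "Jan 10 12:00:00 2030 GMT"
        expires = datetime.strptime(not_after.strip(), "%b %d %H:%M:%S %Y %Z")
        expires = expires.replace(tzinfo=timezone.utc)
        if expires - now <= timedelta(days=EXPIRY_WARN_DAYS):
            findings["cert_warning"] = f"certificate expires {expires:%Y-%m-%d}"
    return findings
```

Feed analyse() the stdout of the sslscan invocation in a real run; SAMPLE_XML only stands in for it here.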

Other options

--version tells you which version of SSLScan you are running.
--quiet just runs the tests without outputting anything on the screen. It can be a useful flag when combined with --xml=stdout.
--help provides you with a help message which basically tells you what options SSLScan supports.