SSLScan : détection de cipher SSL
Bonjour à tous !
Deux mots en vitesse sur un outil assez pratique ma foi, et qui permet en 2 temps 3 mouvements de détecter les chiffrements possibles, non acceptés et préférés d'un serveur en HTTPS : SSLScan.
Cet outil est un exécutable issu d'un code C, disponible à la fois pour les Linux, mais également pour les Windows. L'utilisation est intuitive et en ligne de commande.
Installation éclair
Actuellement, la version est la 1.8.2. L'installation se fait dans les règles et très succinctement.$ cd /usr/local/src && wget http://downloads.sourceforge.net/project/sslscan/sslscan/sslscan-1.8.2.tgz $ tar zxvf sslscan-1.8.2.tgz sslscan-1.8.2/ sslscan-1.8.2/Makefile sslscan-1.8.2/LICENSE sslscan-1.8.2/sslscan.1 sslscan-1.8.2/sslscan.c sslscan-1.8.2/INSTALL sslscan-1.8.2/Changelog $ make gcc -g -Wall -lssl -o sslscan sslscan.c $ make install cp sslscan /usr/bin/ cp sslscan.1 /usr/share/man/man1Le moins que l'on puisse dire, c'est que ce n'est pas trop dur comme installation !
Jouons un peu !
$ sslscan _ ___ ___| |___ ___ __ _ _ __ / __/ __| / __|/ __/ _` | '_ \\ \\__ \\__ \\ \\__ \\ (_| (_| | | | | |___/___/_|___/\\___\\__,_|_| |_| Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009 SSLScan is a fast SSL port scanner. SSLScan connects to SSL ports and determines what ciphers are supported, which are the servers prefered ciphers, which SSL protocols are supported and returns the SSL certificate. Client certificates / private key can be configured and output is to text / XML. Command: sslscan [Options] [host:port | host] Options: --targets=<file> A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port). --no-failed List only accepted ciphers (default is to listing all ciphers). --ssl2 Only check SSLv2 ciphers. --ssl3 Only check SSLv3 ciphers. --tls1 Only check TLSv1 ciphers. --pk=<file> A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape). --pkpass=<password> The password for the private key or PKCS#12 file. --certs=<file> A file containing PEM/ASN1 formatted client certificates. --starttls If a STARTTLS is required to kick an SMTP service into action. --http Test a HTTP connection. --bugs Enable SSL implementation bug work- arounds. --xml=<file> Output results to an XML file. --version Display the program version. --help Display the help text you are now reading. Example: sslscan 127.0.0.1
$ sslscan httpstest __ __ ___| | ___ ___ _ __ / __/ __| / __|/ __/ _` | ' _ \\ \\__ \\__ \\ \\__ \\ (_| (_| | | | | |___/___/_|___/\\___\\__,_|_| |_| Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009 Testing SSL server httpstest on port 443 Supported Server Cipher(s): Rejected SSLv2 168 bits DES-CBC3-MD5 Rejected SSLv2 56 bits DES-CBC-MD5 Rejected SSLv2 40 bits EXP-RC2-CBC-MD5 Rejected SSLv2 128 bits RC2-CBC-MD5 Rejected SSLv2 40 bits EXP-RC4-MD5 Rejected SSLv2 128 bits RC4-MD5 Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA Rejected SSLv3 256 bits CAMELLIA256-SHA Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA Rejected SSLv3 128 bits CAMELLIA128-SHA Rejected SSLv3 256 bits ADH-AES256-SHA Accepted SSLv3 256 bits DHE-RSA-AES256-SHA Rejected SSLv3 256 bits DHE-DSS-AES256-SHA Accepted SSLv3 256 bits AES256-SHA Rejected SSLv3 128 bits ADH-AES128-SHA Accepted SSLv3 128 bits DHE-RSA-AES128-SHA Rejected SSLv3 128 bits DHE-DSS-AES128-SHA Accepted SSLv3 128 bits AES128-SHA Rejected SSLv3 168 bits ADH-DES-CBC3-SHA Rejected SSLv3 56 bits ADH-DES-CBC-SHA Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA Rejected SSLv3 128 bits ADH-RC4-MD5 Rejected SSLv3 40 bits EXP-ADH-RC4-MD5 Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA Accepted SSLv3 168 bits DES-CBC3-SHA Accepted SSLv3 56 bits DES-CBC-SHA Rejected SSLv3 40 bits EXP-DES-CBC-SHA Rejected SSLv3 40 bits EXP-RC2-CBC-MD5 Accepted SSLv3 128 bits RC4-SHA Accepted SSLv3 128 bits RC4-MD5 Rejected SSLv3 40 bits EXP-RC4-MD5 Rejected SSLv3 0 bits NULL-SHA Rejected SSLv3 0 bits NULL-MD5 Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA Rejected TLSv1 256 bits CAMELLIA256-SHA Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA Rejected TLSv1 128 bits CAMELLIA128-SHA Rejected TLSv1 256 bits ADH-AES256-SHA Accepted TLSv1 256 bits DHE-RSA-AES256-SHA Rejected TLSv1 256 bits DHE-DSS-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Rejected TLSv1 128 bits ADH-AES128-SHA Accepted TLSv1 128 bits DHE-RSA-AES128-SHA Rejected TLSv1 128 bits DHE-DSS-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Rejected TLSv1 168 bits ADH-DES-CBC3-SHA Rejected TLSv1 56 bits ADH-DES-CBC-SHA Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA Rejected TLSv1 128 bits ADH-RC4-MD5 Rejected TLSv1 40 bits EXP-ADH-RC4-MD5 Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Accepted TLSv1 56 bits DES-CBC-SHA Rejected TLSv1 40 bits EXP-DES-CBC-SHA Rejected TLSv1 40 bits EXP-RC2-CBC-MD5 Accepted TLSv1 128 bits RC4-SHA Accepted TLSv1 128 bits RC4-MD5 Rejected TLSv1 40 bits EXP-RC4-MD5 Rejected TLSv1 0 bits NULL-SHA Rejected TLSv1 0 bits NULL-MD5 Prefered Server Cipher(s): SSLv3 256 bits DHE-RSA-AES256-SHA TLSv1 256 bits DHE-RSA-AES256-SHA SSL Certificate: Version: 2 Serial Number: 676 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=httpstest/emailAddress=ktux@httpstest Not valid before: Apr 15 09:21:44 2009 GMT Not valid after: Apr 15 09:21:44 2010 GMT Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=httpstest/emailAddress=ktux@httpstest Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:[...]:3d Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Subject Key Identifier: A8:[...]:2C X509v3 Authority Key Identifier: keyid:A8:[...]:2C DirName:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=httpstest/emailAddress=ktux@httpstest serial:02:A4 X509v3 Basic Constraints: CA:TRUE Verify Certificate: self signed certificateEt voilà. En un claquement de doigt, on a sous la main les infos que l'on cherchait. Après tout, n'est-ce pas l'objectif principal d'un outil que de vous simplifier la vie ?