Fast and flexible cryptographic protocol analyzer
Project description
Summary
CryptoLyzer is a fast and flexible server cryptographic settings analyzer library for Python with an easy-to-use command line interface with both human-readable (Markdown) and machine-readable (JSON) output. It works with multiple cryptographic protocols (SSL/ TLS, opportunistic TLS, SSH) and analyzes additional security mechanisms (web security related HTTP response header fields, JA3 tag) or HASSH tag).
What is it and what is it not?
The main purpose of creating this application is the fact, that cryptography protocol analysis differs in many aspect from establishing a connection using a cryptographic protocol. Analysis is mostly testing where we trigger special and corner cases of the protocol and we also trying to establish connection with hardly supported, experimental, obsoleted or even deprecated mechanisms or algorithms which are may or may not supported by the latest or any version of an implementation of the cryptographic protocol.
As follows, it is neither a comprehensive nor a secure client/server implementation of any cryptographic protocol. On the one hand analyzer implements only the absolutely necessary parts of the protocol to interact with servers. On the other it may use completely insecure algorithms and mechanisms. It is not designed and contraindicated to use these client/server implementations establishing secure connections. If you are searching for proper cryptographic protocol implementations, there are several existing wrappers and native implementations for Python (eg: M2Crypto, pyOpenSSL, Paramiko, ...).
Quick start
CryptoLyzer can be installed directly via pip
pip install cryptolyzer
cryptolyze tls all www.example.com
cryptolyze tls1_2 ciphers www.example.com
cryptolyze ssh2 ciphers www.example.com
cryptolyze http headers www.example.com
or can be used via Docker
docker run --rm coroner/cryptolyzer tls all www.example.com
docker run --rm coroner/cryptolyzer tls1_2 ciphers www.example.com
docker run --rm coroner/cryptolyzer ssh2 ciphers www.example.com
docker run --rm coroner/cryptolyzer http headers www.example.com
docker run -ti --rm -p 127.0.0.1:4433:4433 coroner/cryptolyzer ja3 generate 127.0.0.1:4433
openssl s_client -connect 127.0.0.1:4433
docker run -ti --rm -p 127.0.0.1:2121:2121 coroner/cryptolyzer ja3 generate ftp://127.0.0.1:2121
openssl s_client -starttls ftp -connect 127.0.0.1:2121
docker run -ti --rm -p 127.0.0.1:2222:4433 coroner/cryptolyzer hassh generate 127.0.0.1:2222
openssl s_client -connect 127.0.0.1:2222
or via APT on Debian based systems
apt update && apt install -y gnupg2 curl
echo 'deb https://download.opensuse.org/repositories/home:/pfeiffersz:/cryptolyzer:/dev/Debian_10/ /' >/etc/apt/sources.list.d/cryptolyzer.list
curl -s https://download.opensuse.org/repositories/home:/pfeiffersz:/cryptolyzer:/dev/Debian_10/Release.key | apt-key add -
apt update && apt install -y python3-pkg-resources python3-cryptoparser python3-cryptolyzer
cryptolyze tls all www.example.com
cryptolyze tls1_2 ciphers www.example.com
cryptolyze ssh2 ciphers www.example.com
cryptolyze http headers www.example.com
or via DNF on Fedora based systems
dnf install 'dnf-command(config-manager)'
dnf config-manager --add-repo https://download.opensuse.org/repositories/home:/pfeiffersz:/cryptolyzer:/dev/Fedora_31/
rpm --import http://download.opensuse.org/repositories/home:/pfeiffersz:/cryptolyzer:/dev/Fedora_31/repodata/repomd.xml.key
dnf install python3-urllib3 python3-cryptography cryptoparser cryptolyzer
Development environment
If you want to setup a development environment, you are in need of pipenv.
git clone https://gitlab.com/coroner/cryptolyzer
cd cryptolyzer
pipenv install --dev
pipenv run python setup.py develop
pipenv shell
cryptolyze -h
Features
SSH
Differentiators
- checks supported Diffie-Hellman (group exchange) key sizes
- analyzes server protocol version string to identify application server vendor and version
Protocols
Analyzers
Supported analyzers by cryptographic protocol versions
Analyzers | SSH 2.0 |
---|---|
Cipher Suites (ciphers ) |
✓ |
Diffie-Hellman parameters (dhparams ) |
✓ |
Host Keys/Certificates (pubkeys ) |
✓ |
SSL/TLS
Differentiators
- checks 10+ application layer protocols with opportunistic TLS capability
- checks TLS 1.3 draft versions, not just finnal version
- checks each cipher suites discussed on ciphersuite.info, not just supported by GnuTls, LibreSSL, OpenSSL, or wolfSSL
- checks GOST (national standards of the Russian Federation and CIS countries) cipher suites
- checks whether Diffie-Hellman
- public parameter is a safe prime
- public parameter is defined in an RFC (e.g., FFDHE, MODP) or used by an application server as a builtin parameter
- key exchange supports RFC 7919 (FFDHE)
- key is reused
Analyzers
Supported analyzers by cryptographic protocol versions
Analyzers | SSL 2.0 |
SSL 3.0 |
TLS 1.0 |
TLS 1.1 |
TLS 1.2 |
TLS 1.3 |
---|---|---|---|---|---|---|
Cipher Suites (ciphers ) |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
X.509 Public Keys (pubkeys ) |
✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
X.509 Public Key Request (pubkeyreq ) |
n/a | ✓ | ✓ | ✓ | ✓ | ✗ |
Elliptic Curves (curves ) |
n/a | n/a | ✓ | ✓ | ✓ | ✓ |
Diffie-Hellman parameters (dhparams ) |
n/a | n/a | ✓ | ✓ | ✓ | ✓ |
Signature Algorithms (sigalgos ) |
n/a | n/a | n/a | ✓ | ✓ | ✓ |
Extensions (extensions ) |
n/a | n/a | n/a | n/a | ✓ | ✓ |
Vulnerabilities (vulns ) |
n/a | n/a | n/a | n/a | n/a | n/a |
Protocols
Transport Layer
- Secure Socket Layer (SSL)
- Transport Layer Security (TLS)
Application Layer
Opportunistic TLS or STARTTLS) is an extension of an application layer protocol, whichs offer a way to upgrade a plain text connection to an encrypted ione without using a separate port.
Extensions
- application-layer protocol negotiation
- encrypt-then-MAC
- extended master secret
- next protocols negotiation
- renegotiation indication
- session ticket
- inetrnal clock accuracy
Vulnerabilities
- DHEat attack
- DROWN attack
- FREAK attack
- Logjam attack
- Lucky Thirteen attack
- RC4 ciphers
- Sweet32 attack
- anonymous Diffie-Hellman ciphers
- early TLS versions
- export grade ciphers
- non-forward-secret ciphers
- null encryption ciphers
Fingerprinting
- generates JA3 tag of any connecting TLS client independently from its type (graphical/cli, browser/email client/...)
- decodes existing JA3 tags by showing human-readable format of the TLS parameters represented by the tag
- generates HASSH tag) of SSH clients
Hypertext Transfer Protocol (HTTP)
Analyzers
Headers (headers
)
- generic headers
- caching headers
- security headers
Support
Python implementation
- CPython (2.7, >=3.3)
- PyPy (2.7, 3.5)
Operating systems
- Linux
- macOS
- Windows
Social Media
Credits
Icons made by Freepik from Flaticon.
License
The code is available under the terms of Mozilla Public License Version 2.0 (MPL 2.0).
A non-comprehensive, but straightforward description of MPL 2 can be found at Choose an open source license website.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for CryptoLyzer-0.8.4-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d1cc85e2b5379e9df3d9d8079f6db7292fea92f30b02114f0b0e81d6e01c165e |
|
MD5 | fdc636b19085f1336682eb65ea1ff9a3 |
|
BLAKE2b-256 | 3af5c4c5f68e67f1a7ad9585dc6e8c1910591b4169dce14a57ba256364d9691a |