Scan web servers cryptographic parameters and vulnerabilities
Project description
____ _ _____ _
| _ \ ___ _ __ | |_ ___ _ __ ___ _ __ |_ _|__ ___ | |___
| |_) / _ \ '_ \| __/ _ \ '__/ _ \ '_ \ | |/ _ \ / _ \| / __|
| __/ __/ | | | || __/ | | __/ |_) | | | (_) | (_) | \__ \
|_| \___|_| |_|\__\___|_| \___| .__/ |_|\___/ \___/|_|___/
|_|
ssltest
A Python script that scans web servers cryptographic parameters and vulnerabilities. All available Vulnerability tests
can be found in the help
output of the script or in the options section.
Main features
Scan or test:
- Supported SSL/TLS protocols
- Detailed information about the certificate
- Detailed information about the cipher suite the connection was made with
- Web server software used by the server
- Chosen vulnerability tests
- Supported cipher suites for all SSL/TLS protocols
Dependencies
Nmap is required for some functions of the script, install on debian-like distros with:
$ sudo apt-get install -y nmap
Installation
$ pip install ssltest
Installation (ptmanager)
$ sudo ptmanager -ut ssltest
Options
-u --url <url> Url to scan, required option
-p --port <port ...> Port or ports (separate with spaces) to scan on (default: 443)
-j --json <file> Change output to json format, if a file name is specified output is written to the given file
-t --test <num ...> Run specified vulnerability tests (numbers) separated with spaces, if unspecified all tests are ran
0 No tests Dont run any tests
1 BREACH Test for https encoding methods
2 CCS Injection Test for Change Cipher Spec injection
3 CRIME Test for ssl/tls encoding methods
4 DROWN Test for rsa key exchange suites with ssl2 support
5 Fallback SCSV Test if fallback Signaling Cipher Suite Value is available
6 Foward Secrecy Test for forward secrecy cipher suites
7 FREAK Test for RSA + EXPORT cipher suites
8 HSTS Test for HTTP Strict Transport Security support
9 Heartbleed Test for Heartbleed vulnerability
10 Renegotiation Test for insecure renegotiation (secure renegotiation extension)
11 LOGJAM Test for DH + EXPORT cipher suites
12 RC4 Support Test for RC4 cipher suites
13 Session Ticket Test for session ticket support
14 SWEET32 Test support for 64-bit key length encryption
-to --timeout <dur> Set a duration for the timeout of connections in seconds
-sc --short-cert Limit alternative names to first 5
-cs --cipher-suites Scan all supported cipher suites by the server
-fc --fix-conf Fix the /etc/ssl/openssl.cnf file to allow the use of older TLS protocols (TLSv1 and TLSv1.1), requires root privileges (see -st and -ss options)
-st --sudo-tty Use the terminal prompt to enter the sudo password
-ss --sudo-stdin Use the stdin of the script to enter the sudo password
-ns --nmap-scan Use nmap to scan the server version
-nd --nmap-discover Use nmap to discover web server ports, requires root privileges, (see -st and -ss options)
-w --worst Create a main connection on the worst available protocol version, otherwise servers preferred protocol version is chosen
-l --logging Enable logging
-d --debug Log debug information
-v --version Show script version and exit
-h --help Show this help message and exit
-fc argument
The -fc
argument may rewrite the file located at /etc/ssl/openssl.cnf
that is why a backup file is created with this
format {old_file}.backup_{unix_time}
in the same folder as the config file
Contributing
- Check the CONTRIBUTING.MD file
- Development board can be see here
Usage examples
$ ./ssltest.py -u https://example.com -t 1 2 -cs
Version History
Licence
Copyright (c) 2020 HACKER Consulting s.r.o.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.