Yesterday I introduced SSLScan for testing a website's SSL configuration; today I introduce another tool, tlssled. tlssled is really a wrapper around SSLScan: when it runs, it calls SSLScan for the cipher enumeration. tlssled is written in BASH. The walkthrough below uses the tlssled preinstalled on Kali Linux:
Syntax: tlssled {HOSTNAME | IP} PORT
Example: tlssled tw.yahoo.com 443
Output:
1. State the test target and the output directory for the results:
[*] Analyzing SSL/TLS on tw.yahoo.com:443 ...
[.] Output directory: TLSSLed_1.3_tw.yahoo.com_443_20141206-101744 ...
2. Check whether the target service speaks SSL/TLS; if it does not, the remaining tests are skipped:
[*] Checking if the target service speaks SSL/TLS...
[.] The target service tw.yahoo.com:443 seems to speak SSL/TLS...
[.] Using SSL/TLS protocol version:
(empty means I'm using the default openssl protocol version(s))
3. Test which SSL/TLS versions the site supports and which cipher suites it accepts:
[*] Running sslscan on tw.yahoo.com:443 ...
[-] Testing for SSLv2 ...
[-] Testing for the NULL cipher ...
[-] Testing for weak ciphers (based on key length - 40 or 56 bits) ...
[+] Testing for strong ciphers (based on AES) ...
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
[-] Testing for MD5 signed certificate ...
[.] Testing for the certificate public key length ...
RSA Public Key: (2048 bit)
[.] Testing for the certificate subject ...
Subject: /C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
[.] Testing for the certificate CA issuer ...
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
[.] Testing for the certificate validity period ...
Today: Sat Dec 6 02:18:16 UTC 2014
Not valid before: Sep 24 00:00:00 2014 GMT
Not valid after: Sep 25 23:59:59 2015 GMT
[.] Checking preferred server ciphers ...
SSLv3 128 bits ECDHE-RSA-RC4-SHA
TLSv1 128 bits ECDHE-RSA-RC4-SHA
4. Test whether the site supports renegotiation, and whether it is the secure (RFC 5746) form:
[*] Testing for SSL/TLS renegotiation MitM vuln. (CVE-2009-3555) ...
[+] Testing for secure renegotiation support (RFC 5746) ...
Secure Renegotiation IS supported
[*] Testing for SSL/TLS renegotiation DoS vuln. (CVE-2011-1473) ...
[.] Testing for client initiated (CI) SSL/TLS renegotiation (secure)...
(CI) SSL/TLS renegotiation IS NOT enabled (ssl handshake failure)
[.] Testing for client initiated (CI) SSL/TLS renegotiation (insecure)...
(CI) SSL/TLS renegotiation IS NOT enabled (ssl handshake failure)
5. Test whether client certificate authentication (SET) is supported:
[*] Testing for client authentication using digital certificates ...
SSL/TLS client certificate authentication IS NOT required
6. Test whether the site may be exposed to the SSLv3 and TLS 1.0 weaknesses (BEAST):
[*] Testing for TLS v1.1 and v1.2 (CVE-2011-3389 vuln. aka BEAST) ...
[-] Testing for SSLv3 and TLSv1 support ...
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
[+] Testing for RC4 in the prefered cipher(s) list ...
SSLv3 128 bits ECDHE-RSA-RC4-SHA
TLSv1 128 bits ECDHE-RSA-RC4-SHA
[.] Testing for TLS v1.1 support ...
TLS v1.1 IS supported
[.] Testing for TLS v1.2 support ...
TLS v1.2 IS supported
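The following shell script is an added example, not tlssled's own code: it reproduces the classification logic behind sections 3 and 6 by reading sslscan-style "Accepted ..." lines and flagging legacy protocols (SSLv2/SSLv3, TLS 1.0), the NULL cipher, 40/56-bit keys, RC4, MD5-based MACs and 3DES. The sample lines are constructed to resemble the scan output above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not tlssled's own code: classify sslscan-style "Accepted ..."
# lines the way tlssled's grep-based checks do. Function names are assumed.

# Constructed sample, modelled on the sslscan output above (not a real capture).
SAMPLE_SCAN='Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 0 bits NULL-SHA
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384'

# classify_cipher PROTO BITS NAME
# Prints a comma-separated list of findings, or "ok" when nothing is flagged.
classify_cipher() {
    proto=$1; bits=$2; name=$3
    reasons=""
    case "$proto" in
        SSLv2|SSLv3) reasons="${reasons}legacy-protocol," ;;   # SSLv2/SSLv3 checks above
        TLSv1)       reasons="${reasons}tls1.0," ;;            # SSLv3/TLSv1 (BEAST) check above
    esac
    case "$name" in
        NULL-*|*-NULL-*) reasons="${reasons}null-cipher," ;;   # NULL cipher check above
    esac
    # Weak key length check above: 40 or 56 bit keys (0 bits is the NULL cipher, already flagged)
    if [ "$bits" -gt 0 ] && [ "$bits" -le 56 ]; then
        reasons="${reasons}weak-key-length,"
    fi
    case "$name" in *RC4*)      reasons="${reasons}rc4," ;; esac       # RC4 check above
    case "$name" in *-MD5)      reasons="${reasons}md5-mac," ;; esac   # MD5-based MAC
    case "$name" in *DES-CBC3*) reasons="${reasons}3des," ;; esac      # 3DES (112-bit effective)
    if [ -z "$reasons" ]; then
        echo ok
    else
        echo "${reasons%,}"     # strip the trailing comma
    fi
}

# report_weak SCAN_TEXT
# Prints one line per accepted cipher suite that has at least one finding.
report_weak() {
    printf '%s\n' "$1" | while read -r state proto bits unit name; do
        [ "$state" = Accepted ] || continue
        r=$(classify_cipher "$proto" "$bits" "$name")
        [ "$r" = ok ] || echo "$proto $bits bits $name: $r"
    done
}

# count_weak SCAN_TEXT -> number of flagged suites
count_weak() {
    report_weak "$1" | wc -l | tr -d ' '
}

report_weak "$SAMPLE_SCAN"
```

Run against the real thing by replacing the constructed sample with the contents of the sslscan_*.log file that tlssled writes (see section 8); only suites with a finding are printed, so a clean TLS 1.2 configuration produces no output.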
7. Test the HTTPS security headers (HSTS and the cookie Secure flag) over HTTP/1.0 and over HTTP/1.1 with a Host header:
[*] Testing for HTTPS (SSL/TLS) security headers using HTTP/1.0 ...
[+] Testing for HTTP Strict-Transport-Security (HSTS) header ...
[+] Testing for cookies with the secure flag ...
[-] Testing for cookies without the secure flag ...
[*] Testing for HTTPS (SSL/TLS) security headers using HTTP/1.1 & Host ...
[+] Testing for HTTP Strict-Transport-Security (HSTS) header ...
[+] Testing for cookies with the secure flag ...
[-] Testing for cookies without the secure flag ...
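The header checks in section 7 amount to grepping an HTTPS response for the Strict-Transport-Security header and for Set-Cookie lines with or without the Secure attribute. The script below is an added example, not tlssled's own code: tlssled fetches the response with openssl s_client and an HTTP HEAD request, whereas here a constructed response is embedded so the checks run offline. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not tlssled's own code: the HSTS and cookie Secure-flag checks
# from section 7, run against a constructed HTTPS response (not a real capture).
# Function names are assumed.

SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Sat, 06 Dec 2014 10:17:44 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Set-Cookie: tracking=xyz; Path=/
Content-Type: text/html'

# has_hsts RESPONSE -> "yes" if a Strict-Transport-Security header is present
has_hsts() {
    if printf '%s\n' "$1" | grep -qi '^Strict-Transport-Security:'; then
        echo yes
    else
        echo no
    fi
}

# hsts_max_age RESPONSE -> the max-age value in seconds (empty if none)
hsts_max_age() {
    printf '%s\n' "$1" | grep -i '^Strict-Transport-Security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# secure_cookies RESPONSE -> names of cookies carrying the Secure attribute
# (matched as a ";"-delimited attribute, not as a substring of the cookie name)
secure_cookies() {
    printf '%s\n' "$1" | grep -i '^Set-Cookie:' \
        | grep -iE ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)' \
        | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*\([^=]*\)=.*/\1/'
}

# insecure_cookies RESPONSE -> names of cookies set over HTTPS without Secure;
# a browser would also send these over plain HTTP, exposing them to a network observer
insecure_cookies() {
    printf '%s\n' "$1" | grep -i '^Set-Cookie:' \
        | grep -viE ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)' \
        | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*\([^=]*\)=.*/\1/'
}

echo "HSTS: $(has_hsts "$SAMPLE_RESPONSE") (max-age=$(hsts_max_age "$SAMPLE_RESPONSE"))"
echo "Cookies with Secure:    $(secure_cookies "$SAMPLE_RESPONSE")"
echo "Cookies without Secure: $(insecure_cookies "$SAMPLE_RESPONSE")"
```

tlssled's own HSTS test is a presence check; the max-age extraction is added here because a very short max-age (or a missing includeSubDomains) weakens the protection even when the header is present.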
8. Log files written by the test:
[*] New files created:
[.] Output directory: TLSSLed_1.3_tw.yahoo.com_443_20141206-101744 ...
openssl_HEAD_1.0_tw.yahoo.com_443_20141206-101744.err
openssl_HEAD_1.0_tw.yahoo.com_443_20141206-101744.log
openssl_HEAD_tw.yahoo.com_443_20141206-101744.err
openssl_HEAD_tw.yahoo.com_443_20141206-101744.log
openssl_RENEG_LEGACY_tw.yahoo.com_443_20141206-101744.err
openssl_RENEG_LEGACY_tw.yahoo.com_443_20141206-101744.log
openssl_RENEG_tw.yahoo.com_443_20141206-101744.err
openssl_RENEG_tw.yahoo.com_443_20141206-101744.log
sslscan_tw.yahoo.com_443_20141206-101744.log
[*] done
tlssled is simpler to use than SSLScan and its output is better organised, but tlssled can only test one site at a time.
To install tlssled by hand on a system that does not ship it:
wget http://www.taddong.com/tools/TLSSLed_v1.3.sh   # fetch the script (version 1.3, matching the output above)
chmod +x TLSSLed_v1.3.sh                             # make it executable
sudo apt-get install sslscan                         # tlssled calls sslscan, so it must be installed
./TLSSLed_v1.3.sh www.google.com 443                 # run it against a host and port