Nytro Posted December 21, 2011

SSLyze: A Fast and Full-Featured SSL Scanner!
by Mayuresh on December 21, 2011

When we wrote the “list of SSL scanners for penetration testers” post, in August this year, little did we know that we would have to update it this soon. We have since updated the list with SSLyze, a fast and full-featured SSL scanner. It is brought to us by iSEC Partners.

SSLyze is a stand-alone Python application that looks for classic SSL mis-configurations, while providing the advanced user with the opportunity to customize the application via a simple plugin interface. This open source, cross-platform tool will help you with analyzing the configuration of SSL servers and with identifying mis-configurations such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

Features of SSLyze:
- Insecure renegotiation testing
- Scanning for weak strength ciphers
- Checking for SSLv2, SSLv3 and TLSv1 versions
- Server certificate information dump and basic validation
- Session resumption capabilities and actual resumption rate measurement
- Support for client certificate authentication
- Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help users identify server configurations vulnerable to THC’s recently released SSL DOS attack, by checking the server’s support for client-initiated renegotiations. As we have already mentioned, it is cross-platform. It supports 64-bit and 32-bit Windows and Linux operating systems.
All it needs is the following sets of packages:
- Windows: Python 2.6 or 2.7 and OpenSSL 1.0.0c
- Linux: Python 2.6 or 2.7 and OpenSSL 0.9.8+

Install SSLyze:
# yum install python26 openssl
# wget http://sslyze.googlecode.com/files/sslyze-0.3_src.zip
# unzip sslyze-0.3_src.zip
# cd sslyze-0.3_src

SSLyze usage:
$ python sslyze.py [options] www.target1.com www.target2.com:443

It supports the following options to provide granular control:
- Regular Scan “--regular”: Performs a regular scan. It’s a shortcut for --sslv2 --sslv3 --tlsv1 --reneg --resum --certinfo=basic.
- OpenSSL Cipher Suites “--sslv2”, “--sslv3”, “--tlsv1”: Lists the SSL 2.0 / SSL 3.0 / TLS 1.0 OpenSSL cipher suites supported by the server.
- Session Renegotiation “--reneg”: Checks whether the server is vulnerable to insecure renegotiation.
- Session Resumption “--resum”: Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
- Session Resumption Rate “--resum_rate”: Estimates the average rate of successful session resumptions by performing 100 session resumptions.
- Server Certificate “--certinfo=basic”: Verifies the server’s certificate validity against Mozilla’s trusted root store, and prints relevant fields of the certificate.
Additional options providing client certificate support and connection timeout variables are also available.

Download SSLyze:
SSLyze v0.3 – sslyze-0.3_src.zip – Downloads - sslyze - Fast and Full-Featured SSL Scanner - Google Project Hosting

Source: SSLyze: A Fast and Full-Featured SSL Scanner! — PenTestIT
Versus71 Posted January 10, 2014

SSLyze changed hosting.

Key features include:
- Multi-processed and multi-threaded scanning (it's fast)
- SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility
- Performance testing: session resumption and TLS tickets support
- Security testing: weak cipher suites, insecure renegotiation, CRIME and more
- Server certificate validation and revocation checking through OCSP stapling
- Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP and FTP
- Support for client certificates when scanning servers that perform mutual authentication
- XML output to further process the scan results

New link:
https://github.com/iSECPartners/sslyze
https://github.com/iSECPartners/sslyze/archive/master.zip
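As an added example (not SSLyze's own code, which drives a real handshake and actually attempts a renegotiation), here is a parser for a TLS ServerHello that reads the fields behind the protocol-version, insecure-renegotiation and CRIME checks listed in the two posts above: the negotiated version, the compression method, and whether the server signals RFC 5746 secure renegotiation through the renegotiation_info extension. The sample records are constructed inline, and the "SSLv3/TLS 1.0 are outdated" policy is an assumption for the sake of the example.

```python
import struct

# Constructed sample ServerHello records (not captured from a real server).
# TLS record: type(1) version(2) length(2) | handshake: type(1) length(3) body
def build_server_hello(version, cipher, compression, extensions):
    """Build a minimal ServerHello record for testing the parser below."""
    body = struct.pack("!H", version) + b"\x00" * 32      # server_version, random
    body += b"\x04\xaa\xbb\xcc\xdd"                         # 4-byte session ID
    body += struct.pack("!H", cipher) + bytes([compression])
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body      # HandshakeType 2
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

def parse_server_hello(record):
    """Return version, session ID, cipher suite, compression and extensions."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    off = 34                                                # skip version + random
    sid_len = body[off]; off += 1
    session_id = body[off:off + sid_len]; off += sid_len
    cipher = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    compression = body[off]; off += 1
    extensions = {}
    if off < len(body):                                     # extensions are optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            extensions[etype] = body[off:off + elen]; off += elen
    return {"version": version, "session_id": session_id, "cipher": cipher,
            "compression": compression, "extensions": extensions}

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type

def assess(hello):
    """Flag what the ServerHello alone reveals (assumed policy: SSLv3/TLS 1.0 outdated)."""
    findings = []
    if hello["version"] <= 0x0301:
        findings.append("outdated protocol: " + VERSION_NAMES.get(hello["version"], hex(hello["version"])))
    if hello["compression"] != 0:                           # any compression method
        findings.append("TLS compression enabled (CRIME)")
    if RENEGOTIATION_INFO not in hello["extensions"]:
        findings.append("no renegotiation_info extension: secure renegotiation (RFC 5746) not signalled")
    return findings
```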