Nytro
Posted February 6, 2013

[h=1]TLSSLed v1.3[/h]
by Mayuresh on February 6, 2013

We included TLSSLed in our List of SSL Scanners for Penetration Testers! A few days ago, an update was released – TLSSLed version 1.3! This version is the result of testing lots of HTTPS (SSL/TLS) implementations during real-world pen-tests, so it is full of minor improvements and extra checks to identify different behaviors we have found in the wild. Additionally, the tool output has been changed for easy reading and to provide quick information for each finding: negative [-], positive [+], or informational [.] (as well as grouping tests [*] and highlight warning and error messages [!]).

“TLSSLed is a Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.”

[h=2]This is the official change log for TLSSLed v1.3:[/h]

All file output goes to a single directory (same file names as in previous versions) instead of to the working local directory.
Change in the date format used for log files: From: 2011-12-30_105055 – To: 20111230-105055
Test if SSL/TLS renegotiation is enabled (NEW check) and if the target service supports secure renegotiation (already in previous versions). If secure renegotiation is not supported, we must check renegotiation by using legacy renegotiation (two new log files are used).
New test to check for legacy renegotiation even when secure renegotiation is supported, just in case the target service supports both.
Test if client certificate authentication is required by the target service. If so, identify the number of CAs accepted and save the list of CAs to a file.
New test to check for HTTP headers using HTTP/1.0 (previous versions) as well as HTTP/1.1 and a valid Host header. New log files created for this.
New error handling code for the initial SSL/TLS verification.
Optimizations in the openssl delays (sleep timers).
New DELAY variable to control sleep timers (by default 3 seconds; it was 5 before).
New output indentation.
New output code set for findings: - (negative), + (positive), . (info), * (group of checks) or ! (error/warning).
LOGFILE changed to SSLSCANLOGFILE & ERRFILE changed to SSLSCANERRFILE.
RENEGLEGACY???FILE(s) included in the final listing and removal process.
Several changes to the output messages for the different findings.
Duplication of “Preferred Server Cipher” output message removed.
New check to test for RC4 in the preferred cipher(s) regarding BEAST.
Use of openssl “-prexit” option for some weird target scenarios (CSA).
Added the date and time at the beginning of the output.

This version has been tested on updated versions of Samurai WTF 2.0 (running openssl 1.0.1 and sslscan 1.8.2), Backtrack5 R3 (running openssl 0.9.8k and sslscan 1.8.2), and Mac OS X Mountain Lion 10.8.x (running openssl 0.9.8r and sslscan 1.8.2). Samurai WTF 2.0 is the only one of these three that includes openssl v1.0.x by default, providing support for the TLS v1.1 and v1.2 protocol tests.

Download TLSSLed: TLSSLed v1.3 – TLSSLed_v1.3.sh

Source: TLSSLed v1.3! — PenTestIT
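
The checks listed in the post (SSLv2, NULL cipher, 40/56-bit ciphers, AES availability, secure renegotiation, RC4 among the preferred ciphers) can be applied to saved scanner output when reviewing your own server. The script below is an added example, not part of the original post and not TLSSLed's code; the function names, the constructed sample and the sslscan 1.8.x-style line layout it parses are assumptions.

```shell
#!/bin/sh
# Added example (not TLSSLed code): label scanner text with the post's
# [-] negative, [+] positive and [.] informational markers.
# Assumed input: sslscan 1.8.x-style "Accepted <proto> <N> bits <cipher>"
# lines plus openssl s_client's "Secure Renegotiation IS [NOT] supported".
classify_findings() {
  awk '
    /Prefer+ed Server Cipher/ { pref = 1; next }  # sslscan 1.8.x prints "Prefered"
    NF == 0 { pref = 0; next }                    # a blank line ends that block
    /Secure Renegotiation IS NOT supported/ { reneg = "no";  next }
    /Secure Renegotiation IS supported/     { reneg = "yes"; next }
    $1 == "Accepted" && $4 == "bits" {
      bits = $3 + 0
      if ($2 == "SSLv2")                 sslv2++
      if (bits == 0 || $5 ~ /NULL/)      nullc++
      else if (bits == 40 || bits == 56) weak++
      else if ($5 ~ /AES/)               aes++
      next
    }
    pref && $3 == "bits" && $4 ~ /RC4/ { rc4++ }
    END {
      print (sslv2 ? "[-] SSLv2 is supported" : "[+] SSLv2 is not supported")
      print (nullc ? "[-] NULL cipher is supported" : "[+] NULL cipher is not supported")
      print (weak ? "[-] 40/56-bit ciphers accepted: " weak : "[+] no 40/56-bit ciphers accepted")
      print (aes ? "[+] AES ciphers available: " aes : "[-] no AES ciphers available")
      if (reneg == "yes") print "[+] secure renegotiation is supported"
      if (reneg == "no")  print "[-] secure renegotiation is not supported"
      print "[.] preferred cipher entries using RC4 (BEAST-related): " (rc4 + 0)
    }'
}

# Constructed sample, not captured from a real host.
sample_scan() {
  cat <<'EOF'
  Supported Server Cipher(s):
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  0 bits    NULL-SHA

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  256 bits  AES256-SHA

Secure Renegotiation IS supported
EOF
}

sample_scan | classify_findings
```

The RC4 line is reported as informational because the post names the check without saying how TLSSLed scores it.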