Yesterday I introduced checking a website's SSL encryption with SSLScan; today I introduce another tool: tlssled. tlssled is really a wrapper around SSLScan, and it calls SSLScan while it runs. tlssled is written in BASH. Below I use the tlssled preinstalled on Kali Linux as the example:
Syntax: tlssled {HOSTNAME | IP} PORT
Example run: tlssled tw.yahoo.com 443
Output:
1. States the target under test and the output directory for the results:
[*] Analyzing SSL/TLS on tw.yahoo.com:443 ...
[.] Output directory: TLSSLed_1.3_tw.yahoo.com_443_20141206-101744 ...
2. Checks whether the specified site speaks SSL; if SSL is not supported, the remaining tests are not run:
[*] Checking if the target service speaks SSL/TLS...
[.] The target service tw.yahoo.com:443 seems to speak SSL/TLS...
[.] Using SSL/TLS protocol version: (empty means I'm using the default openssl protocol version(s))
3. Tests the SSL versions the site supports and the cipher suites it uses:
[*] Running sslscan on tw.yahoo.com:443 ...
[-] Testing for SSLv2 ...
[-] Testing for the NULL cipher ...
[-] Testing for weak ciphers (based on key length - 40 or 56 bits) ...
[+] Testing for strong ciphers (based on AES) ...
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
[-] Testing for MD5 signed certificate ...
[.] Testing for the certificate public key length ...
RSA Public Key: (2048 bit)
[.] Testing for the certificate subject ...
Subject: /C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
[.] Testing for the certificate CA issuer ...
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
[.] Testing for the certificate validity period ...
Today: Sat Dec 6 02:18:16 UTC 2014
Not valid before: Sep 24 00:00:00 2014 GMT
Not valid after: Sep 25 23:59:59 2015 GMT
[.] Checking preferred server ciphers ...
SSLv3 128 bits ECDHE-RSA-RC4-SHA
TLSv1 128 bits ECDHE-RSA-RC4-SHA
4. Tests whether the site supports renegotiation:
[*] Testing for SSL/TLS renegotiation MitM vuln. (CVE-2009-3555) ...
[+] Testing for secure renegotiation support (RFC 5746) ...
Secure Renegotiation IS supported
[*] Testing for SSL/TLS renegotiation DoS vuln. (CVE-2011-1473) ...
[.] Testing for client initiated (CI) SSL/TLS renegotiation (secure)...
(CI) SSL/TLS renegotiation IS NOT enabled (ssl handshake failure)
[.] Testing for client initiated (CI) SSL/TLS renegotiation (insecure)...
(CI) SSL/TLS renegotiation IS NOT enabled (ssl handshake failure)
5. Tests whether client certificate authentication (SET) is supported:
[*] Testing for client authentication using digital certificates ...
SSL/TLS client certificate authentication IS NOT required
6. Tests whether the SSL3 and TLS 1.0 weaknesses may be present:
[*] Testing for TLS v1.1 and v1.2 (CVE-2011-3389 vuln. aka BEAST) ...
[-] Testing for SSLv3 and TLSv1 support ...
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
[+] Testing for RC4 in the prefered cipher(s) list ...
SSLv3 128 bits ECDHE-RSA-RC4-SHA
TLSv1 128 bits ECDHE-RSA-RC4-SHA
[.] Testing for TLS v1.1 support ...
TLS v1.1 IS supported
[.] Testing for TLS v1.2 support ...
TLS v1.2 IS supported
7. Tests HTTPS security headers over each supported HTTP protocol version:
[*] Testing for HTTPS (SSL/TLS) security headers using HTTP/1.0 ...
[+] Testing for HTTP Strict-Transport-Security (HSTS) header ...
[+] Testing for cookies with the secure flag ...
[-] Testing for cookies without the secure flag ...
[*] Testing for HTTPS (SSL/TLS) security headers using HTTP/1.1 & Host ...
[+] Testing for HTTP Strict-Transport-Security (HSTS) header ...
[+] Testing for cookies with the secure flag ...
[-] Testing for cookies without the secure flag ...
8. Log files written by the test:
[*] New files created:
[.] Output directory: TLSSLed_1.3_tw.yahoo.com_443_20141206-101744 ...
openssl_HEAD_1.0_tw.yahoo.com_443_20141206-101744.err
openssl_HEAD_1.0_tw.yahoo.com_443_20141206-101744.log
openssl_HEAD_tw.yahoo.com_443_20141206-101744.err
openssl_HEAD_tw.yahoo.com_443_20141206-101744.log
openssl_RENEG_LEGACY_tw.yahoo.com_443_20141206-101744.err
openssl_RENEG_LEGACY_tw.yahoo.com_443_20141206-101744.log
openssl_RENEG_tw.yahoo.com_443_20141206-101744.err
openssl_RENEG_tw.yahoo.com_443_20141206-101744.log
sslscan_tw.yahoo.com_443_20141206-101744.log
[*] done
tlssled is simpler to use than SSLScan and its output is better organized, but tlssled can only check one site per run.
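Since tlssled keeps the sslscan output in sslscan_HOST_PORT_STAMP.log inside its output directory, a defender reviewing many hosts will want to summarize those logs rather than read each one. The following Bash script is an added example, not part of tlssled or sslscan: weak_suites flags the "Accepted" lines a defender would want removed from the server's configuration, and scan_hosts loops tlssled over a list of "host port" pairs to work around the one-target-per-run limit. The sample output is constructed, and the weak-suite criteria (SSLv2/SSLv3, RC4, 3DES, MD5 MAC, keys under 128 bits) are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not tlssled's own code): summarize sslscan/tlssled "Accepted" lines
# and drive tlssled over several targets. Weak-suite criteria are assumptions.

# Constructed sample modelled on the sslscan section of a tlssled run.
SAMPLE_OUTPUT='Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
Rejected SSLv3 0 bits NULL-MD5'

# weak_suites: stdin = sslscan/tlssled output; stdout = one
# "WEAK <reasons> <proto> <cipher>" line per accepted suite that uses a
# legacy protocol, RC4, 3DES, an MD5 MAC, or a key shorter than 128 bits.
weak_suites() {
    local proto bits cipher reason
    grep '^[[:space:]]*Accepted' | while read -r _ proto bits _ cipher; do
        reason=""
        case "$proto" in SSLv2|SSLv3) reason="legacy-protocol" ;; esac
        case "$cipher" in *RC4*)      reason="${reason:+$reason,}rc4" ;; esac
        case "$cipher" in *DES-CBC3*) reason="${reason:+$reason,}3des" ;; esac
        case "$cipher" in *MD5*)      reason="${reason:+$reason,}md5-mac" ;; esac
        if [ "$bits" -lt 128 ]; then reason="${reason:+$reason,}short-key"; fi
        if [ -n "$reason" ]; then
            printf 'WEAK %s %s %s\n' "$reason" "$proto" "$cipher"
        fi
    done
    return 0
}

# weak_count: number of flagged suites (grep -c exits 1 on zero, which is not an error).
weak_count() {
    weak_suites | grep -c '^WEAK' || true
}

# scan_hosts: stdin = "host port" pairs (port defaults to 443). Runs tlssled for
# each, then summarizes the sslscan log left in the output directory named as in
# the post (TLSSLed_<version>_<host>_<port>_<stamp>/). Assumes tlssled is on PATH.
scan_hosts() {
    local host port log
    while read -r host port; do
        [ -n "$host" ] || continue
        port="${port:-443}"
        tlssled "$host" "$port" >/dev/null 2>&1 || true
        for log in TLSSLed_*_"${host}_${port}"_*/sslscan_"${host}_${port}"_*.log; do
            [ -f "$log" ] || continue
            printf '== %s:%s (%s)\n' "$host" "$port" "$log"
            weak_suites < "$log"
        done
    done
}

printf '%s\n' "$SAMPLE_OUTPUT" | weak_suites
```

Run it as-is to see the four flagged suites from the constructed sample, or pipe a hosts list into scan_hosts (for example, printf 'tw.yahoo.com 443\n' | scan_hosts) on a machine with tlssled installed.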
Thanks!