When we wrote the “list of SSL scanners for penetration testers” post in August this year, little did we know that we would have to update it this soon. We have since updated the list with SSLyze, a fast and full-featured SSL scanner. It is brought to us by iSEC Partners.
SSLyze is a stand-alone Python application that looks for classic SSL mis-configurations, while giving the advanced user the opportunity to customize the application via a simple plugin interface. This open source, cross-platform tool helps you analyze the configuration of SSL servers and identify mis-configurations such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and unsafe session resumption settings.
Features of SSLyze:
- Insecure renegotiation testing
- Scanning for weak strength ciphers
- Checking for SSLv2, SSLv3 and TLSv1 versions
- Server certificate information dump and basic validation
- Session resumption capabilities and actual resumption rate measurement
- Support for client certificate authentication
- Simultaneous scanning of multiple servers, versions and ciphers
For example, SSLyze can help users identify server configurations vulnerable to THC’s recently released SSL DOS attack, by checking the server’s support for client-initiated re-negotiations.
As we have already mentioned, it is cross-platform. It supports 64-bit and 32-bit Windows and Linux operating systems. All it needs are the following packages:
Windows: Python 2.6 or 2.7 and OpenSSL 1.0.0c
Linux: Python 2.6 or 2.7 and OpenSSL 0.9.8+
Install SSLyze:
# yum install python26 openssl
# wget http://sslyze.googlecode.com/files/sslyze-0.3_src.zip
# unzip sslyze-0.3_src.zip
# cd sslyze-0.3_src
SSLyze usage:
$ python sslyze.py [options] www.target1.com www.target2.com:443
It supports the following options to provide a granular control:
- Regular Scan "--regular": Performs a regular scan. It’s a shortcut for --sslv2 --sslv3 --tlsv1 --reneg --resum --certinfo=basic.
- OpenSSL Cipher Suites "--sslv2", "--sslv3", "--tlsv1": Lists the SSL 2.0 / SSL 3.0 / TLS 1.0 OpenSSL cipher suites supported by the server.
- Session Renegotiation "--reneg": Checks whether the server is vulnerable to insecure renegotiation.
- Session Resumption "--resum": Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
- Session Resumption Rate "--resum_rate": Estimates the average rate of successful session resumptions by performing 100 session resumptions.
- Server Certificate "--certinfo=basic": Verifies the server’s certificate validity against Mozilla’s trusted root store, and prints relevant fields of the certificate.
- Additional options providing client certificate support and connection timeout variables are also available.
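As an added example (not part of the original post and not SSLyze's own code), here is a simplified Python 3 stand-in for the per-version cipher-suite enumeration and weak-cipher check described above: it pins one OpenSSL suite and one protocol version per handshake, as the --sslv3/--tlsv1 scans do, and flags accepted suites by a rule of this example's own choosing (export grade, NULL, anonymous key exchange, RC4, DES, MD5, or under 128 bits). Python's ssl module cannot speak SSLv2 or SSLv3, so only TLS versions can be probed, and whether TLS 1.0/1.1 probes work depends on the local OpenSSL build; the host name is the placeholder from the usage line above.

```python
import socket
import ssl

# Weak-cipher rule used by this example (an assumption, not SSLyze's own list):
# export grade, NULL encryption, anonymous key exchange, RC4, (3)DES, an MD5
# MAC, or fewer than 128 bits of symmetric strength.
WEAK_TOKENS = {"EXP", "NULL", "ADH", "AECDH", "RC4", "DES", "MD5"}
MIN_STRENGTH_BITS = 128

def is_weak(cipher):
    """cipher is a dict shaped like the entries of SSLContext.get_ciphers()."""
    if cipher.get("strength_bits", 0) < MIN_STRENGTH_BITS:
        return True
    return bool(WEAK_TOKENS & set(cipher["name"].split("-")))

def weak_suites(ciphers):
    """Names of the accepted suites that fail the rule above, in scan order."""
    return [c["name"] for c in ciphers if is_weak(c)]

def enumerate_ciphers(host, port=443, version=ssl.TLSVersion.TLSv1_2,
                      candidates=None, timeout=5.0):
    """One handshake per OpenSSL suite, pinned to a single protocol version.
    A completed handshake means the server accepted exactly that suite at that
    version. candidates defaults to every suite the local OpenSSL knows."""
    if candidates is None:
        probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        probe.set_ciphers("ALL:COMPLEMENTOFALL")  # include NULL ciphers too
        candidates = probe.get_ciphers()
    accepted = []
    for cipher in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = version
        ctx.check_hostname = False       # enumerating suites, not validating
        ctx.verify_mode = ssl.CERT_NONE  # the chain (that is a separate check)
        try:
            ctx.set_ciphers(cipher["name"])
        except ssl.SSLError:
            continue  # suite unknown to this OpenSSL build (e.g. TLS 1.3 names)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.append(cipher)
        except (ssl.SSLError, OSError):
            pass  # handshake rejected, timed out, or connection refused
    return accepted

if __name__ == "__main__":
    hits = enumerate_ciphers("www.target1.com")  # host from the post's usage line
    print("accepted:", [c["name"] for c in hits])
    print("weak:", weak_suites(hits))
```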
Download SSLyze:
SSLyze v0.3 – sslyze-0.3_src.zip – http://code.google.com/p/sslyze/downloads/list
Hello,
I tried to install Python from python.org. I try to run it on Windows 7 and it gives me "invalid syntax".
So what is the problem?
Thanks.
I need some more information: the version of Python being installed, and are the PATH variables correctly installed? Please also post the exact error message.
Hello,
Thanks for your response.
I have installed Python 3.2 on Windows 7.
I am new to pentest, so could you please let me know more about PATH vars?
Thanks.
This should get you started: http://docs.python.org/using/windows.html