sslscan

From Foxwiki

Current version as of 29 June 2024, 11:42

sslscan - Fast SSL/TLS scanner

Description

sslscan queries SSL/TLS services (e.g. HTTPS) and reports the protocol versions, cipher suites, key exchange methods, signature algorithms and certificates in use.

This helps the user understand which parameters are weak from a security standpoint.

Terminal colours

Marking          Description
Red background   NULL cipher (no encryption)
Red              Broken cipher (<= 40 bit), broken protocol (SSLv2 or SSLv3) or broken certificate signing algorithm (MD5)
Yellow           Weak cipher (<= 56 bit or RC4) or weak certificate signing algorithm (SHA-1)
Purple           Anonymous cipher (ADH or AECDH)

sslscan can also write its results to an XML file so that external programs can consume them easily.
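As an added example (not sslscan's own code), the colour rules from the table above applied in Python to a constructed sample of XML scan output; the element and attribute names used for the sample are assumptions, not sslscan's documented schema:

```python
import xml.etree.ElementTree as ET

# Constructed sample imitating `sslscan --xml=- host` output; element and attribute names are assumed.
SAMPLE_XML = """<document title="SSLScan Results">
 <ssltest host="example.test" port="443">
  <protocol type="ssl" version="3" enabled="1"/>
  <protocol type="tls" version="1.2" enabled="1"/>
  <cipher status="accepted" sslversion="SSLv3" bits="0" cipher="NULL-SHA"/>
  <cipher status="accepted" sslversion="SSLv3" bits="40" cipher="EXP-RC4-MD5"/>
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="RC4-SHA"/>
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="AECDH-AES256-SHA"/>
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-GCM-SHA384"/>
  <certificate><signature-algorithm>sha1WithRSAEncryption</signature-algorithm></certificate>
 </ssltest>
</document>"""

def cipher_colour(name, bits):
    """Colour for one accepted cipher suite, checked in the order of the table above."""
    if bits == 0 or "NULL" in name:
        return "red-background"  # no encryption at all
    if name.startswith(("ADH-", "AECDH-")):
        return "purple"          # anonymous key exchange: no server authentication
    if bits <= 40:
        return "red"             # broken (export-grade) cipher
    if bits <= 56 or "RC4" in name:
        return "yellow"          # weak cipher
    return "ok"

def protocol_colour(ptype, version):
    # SSLv2 and SSLv3 are broken protocols; every TLS version passes this rule.
    return "red" if ptype == "ssl" and version in ("2", "3") else "ok"

def signature_colour(algorithm):
    """MD5-signed certificates are broken, SHA-1-signed ones are weak."""
    algo = algorithm.lower()
    return "red" if "md5" in algo else "yellow" if "sha1" in algo else "ok"

def classify(xml_text):
    """Map every enabled protocol, accepted cipher and signature algorithm to its colour."""
    root = ET.fromstring(xml_text)
    findings = {}
    for p in root.iter("protocol"):
        if p.get("enabled") == "1":
            findings[f"{p.get('type').upper()}v{p.get('version')}"] = protocol_colour(p.get("type"), p.get("version"))
    for c in root.iter("cipher"):
        if c.get("status") == "accepted":
            findings[c.get("cipher")] = cipher_colour(c.get("cipher"), int(c.get("bits")))
    for s in root.iter("signature-algorithm"):
        findings[s.text] = signature_colour(s.text)
    return findings
```

Calling classify(SAMPLE_XML) yields one colour per finding, so a script can fail a build or raise a ticket on anything that is not "ok".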

Installation

sudo apt install sslscan

Usage

Scan a local HTTPS server

sslscan localhost
sslscan 127.0.0.1
sslscan 127.0.0.1:443
sslscan [::1]
sslscan [::1]:443

Syntax

sslscan [options] [host:port | host]

Options

Option                    Description
--help                    Show summary of options
--targets=<file>          A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port). One target per line
--sni-name=<name>         Use a different hostname for SNI
--ipv4, -4                Force IPv4 DNS resolution. Default is to try IPv4, and if that fails then fall back to IPv6
--ipv6, -6                Force IPv6 DNS resolution. Default is to try IPv4, and if that fails then fall back to IPv6
--show-certificate        Display certificate information
--show-certificates       Display the full certificate chain
--no-check-certificate    Don't flag certificates signed with weak algorithms (MD5 and SHA-1) or short (<2048 bit) RSA keys
--show-client-cas         Show a list of CAs that the server allows for client authentication. Will be blank for IIS/Schannel servers
--show-ciphers            Show a complete list of ciphers supported by sslscan
--show-cipher-ids         Print the hexadecimal cipher IDs
--iana-names              Use IANA/RFC cipher names rather than OpenSSL ones
--show-times              Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing. You might want to also use --no-cipher-details to make the output a bit clearer
--ssl2                    Only check if SSLv2 is enabled
--ssl3                    Only check if SSLv3 is enabled
--tls10                   Only check TLS 1.0 ciphers
--tls11                   Only check TLS 1.1 ciphers
--tls12                   Only check TLS 1.2 ciphers
--tls13                   Only check TLS 1.3 ciphers
--tlsall                  Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3)
--ocsp                    Display OCSP status
--pk=<file>               A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape)
--pkpass=<password>       The password for the private key or PKCS#12 file
--certs=<file>            A file containing PEM/ASN1 formatted client certificates
--no-ciphersuites         Do not scan for supported ciphersuites
--no-fallback             Do not check for TLS Fallback Signaling Cipher Suite Value (fallback)
--no-renegotiation        Do not check for secure TLS renegotiation
--no-compression          Do not check for TLS compression (CRIME)
--no-heartbleed           Do not check for OpenSSL Heartbleed (CVE-2014-0160)
--no-groups               Do not enumerate key exchange groups
--show-sigs               Enumerate signature algorithms
--starttls-ftp            STARTTLS setup for FTP
--starttls-imap           STARTTLS setup for IMAP
--starttls-irc            STARTTLS setup for IRC
--starttls-ldap           STARTTLS setup for LDAP
--starttls-pop3           STARTTLS setup for POP3
--starttls-smtp           STARTTLS setup for SMTP
--starttls-mysql          STARTTLS setup for MySQL
--starttls-xmpp           STARTTLS setup for XMPP
--starttls-psql           STARTTLS setup for PostgreSQL
--xmpp-server             Perform a server-to-server XMPP connection. Try this if --starttls-xmpp is failing
--rdp                     Send RDP preamble before starting scan
--bugs                    Enables workarounds for SSL bugs
--timeout=<sec>           Set socket timeout. Useful for hosts that fail to respond to ciphers they don't understand. Default is 3s
--connect-timeout=<sec>   Set initial connection timeout. Useful for hosts that are slow to respond to the initial connect(). Default is 75s
--sleep=<msec>            Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Default is disabled
--xml=<file>              Output results to an XML file. - can be used to mean stdout
--version                 Show version of program
--verbose                 Display verbose output
--no-cipher-details       Hide NIST EC curve name and EDH/RSA key length
--no-colour               Disable coloured output

Parameters

Environment variables

Exit status

Configuration

Files

Appendix

See also

Documentation

Man pages
  1. SSLSCAN(1)

Links

Project
Web links