Current version as of 12 November 2024, 19:39
sslscan - Fast SSL/TLS scanner
Description

sslscan queries SSL/TLS services (e.g. HTTPS) and reports the protocol versions, cipher suites, key exchange methods, signature algorithms and certificates in use.
This helps the user understand which of these parameters are weak from a security standpoint.
- Terminal colours

| Marking | Meaning |
|---|---|
| Red background | NULL cipher (no encryption) |
| Red | Broken cipher (<= 40 bit), broken protocol (SSLv2 or SSLv3) or broken certificate signing algorithm (MD5) |
| Yellow | Weak cipher (<= 56 bit or RC4) or weak certificate signing algorithm (SHA-1) |
| Purple | Anonymous cipher (ADH or AECDH) |
sslscan can also write its results to an XML file so that external programs can consume them easily.
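Turning a report into findings is easier from the XML than from the coloured terminal output. The following added example (not code from the sslscan project) applies the rules of the colour table above (NULL cipher, <= 56 bit, RC4, ADH/AECDH, SSLv2/SSLv3 enabled) to an XML report, and additionally flags TLS 1.0 and 1.1 as legacy protocols. The report in SAMPLE_XML is constructed to mimic the shape of `sslscan --xml=- host` output; the attribute names and their order are an assumption and should be checked against a real report before relying on the sed patterns. With a live target the functions read stdin: `sslscan --xml=- www.example.test | grade_report`.

```shell
#!/bin/sh
# Added example, not part of sslscan. Evaluate an sslscan XML report offline.
# SAMPLE_XML is CONSTRUCTED; the element and attribute layout is an assumption
# modelled on `sslscan --xml=-`, verify it against a real report.

SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="2.1.3">
 <ssltest host="www.example.test" sniname="www.example.test" port="443">
  <protocol type="ssl" version="2" enabled="0" />
  <protocol type="ssl" version="3" enabled="1" />
  <protocol type="tls" version="1.0" enabled="1" />
  <protocol type="tls" version="1.1" enabled="0" />
  <protocol type="tls" version="1.2" enabled="1" />
  <protocol type="tls" version="1.3" enabled="1" />
  <compression supported="0" />
  <heartbleed sslversion="TLSv1.2" vulnerable="0" />
  <cipher status="preferred" sslversion="TLSv1.3" bits="256" cipher="TLS_AES_256_GCM_SHA384" id="0x1302" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-AES128-GCM-SHA256" id="0xC02F" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="112" cipher="DES-CBC3-SHA" id="0x0A" />
  <cipher status="accepted" sslversion="TLSv1.0" bits="128" cipher="RC4-SHA" id="0x05" />
  <cipher status="accepted" sslversion="SSLv3" bits="40" cipher="EXP-RC4-MD5" id="0x03" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="0" cipher="NULL-SHA256" id="0x3B" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ADH-AES128-SHA" id="0x34" />
 </ssltest>
</document>'

# Print every protocol the report marks enabled="1", one per line,
# as "ssl3", "tls1.0", ... Input: XML on stdin.
enabled_protocols() {
    sed -n 's/.*<protocol type="\([a-z]*\)" version="\([0-9.]*\)" enabled="1".*/\1\2/p'
}

# Keep only the protocols that should be off: SSLv2/SSLv3 (broken per the
# colour table) and TLS 1.0/1.1 (legacy, this script's own addition).
legacy_protocols() {
    enabled_protocols | grep -E '^(ssl2|ssl3|tls1\.0|tls1\.1)$' || true
}

# Print offered ciphers that the colour table would mark red, yellow or
# purple, as "<sslversion> <cipher> <bits>": NULL, <= 56 bit, RC4, ADH/AECDH.
weak_ciphers() {
    sed -n 's/.*<cipher status="[a-z]*" sslversion="\([^"]*\)" bits="\([0-9]*\)" cipher="\([^"]*\)".*/\1 \3 \2/p' |
    awk '$3 <= 56 || $2 ~ /NULL|RC4|^A(EC)?DH/'
}

# Read a report from stdin; print all findings and return 1 if there are any,
# return 0 for a clean report. Suitable as a CI gate.
grade_report() {
    report=$(cat)
    findings=$( {
        printf '%s\n' "$report" | legacy_protocols
        printf '%s\n' "$report" | weak_ciphers
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone run on the constructed sample; it is expected to have findings.
printf '%s\n' "$SAMPLE_XML" | grade_report || echo "report has findings"
```

The thresholds deliberately mirror the colour table, so DES-CBC3-SHA (112 bit) passes here as it does in sslscan's own colouring; tighten the awk condition if your policy is stricter.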
Installation
```bash
sudo apt install sslscan
```
Usage

Scan a local HTTPS server:

```bash
sslscan localhost
sslscan 127.0.0.1
sslscan 127.0.0.1:443
sslscan [::1]
sslscan [::1]:443
```
Invocation

```bash
sslscan [options] [host:port | host]
```

Options
| Long option | Short | Argument | Description |
|---|---|---|---|
| --help | | | Show summary of options |
| --targets= | | <file> | A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port). One target per line |
| --sni-name= | | <name> | Use a different hostname for SNI |
| --ipv4 | -4 | | Force IPv4 DNS resolution. Default is to try IPv4, and if that fails then fall back to IPv6 |
| --ipv6 | -6 | | Force IPv6 DNS resolution. Default is to try IPv4, and if that fails then fall back to IPv6 |
| --show-certificate | | | Display certificate information |
| --show-certificates | | | Display the full certificate chain |
| --no-check-certificate | | | Don't flag certificates signed with weak algorithms (MD5 and SHA-1) or short (<2048 bit) RSA keys |
| --show-client-cas | | | Show a list of CAs that the server allows for client authentication. Will be blank for IIS/Schannel servers |
| --show-ciphers | | | Show a complete list of ciphers supported by sslscan |
| --show-cipher-ids | | | Print the hexadecimal cipher IDs |
| --iana-names | | | Use IANA/RFC cipher names rather than OpenSSL ones |
| --show-times | | | Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing. You might want to also use --no-cipher-details to make the output a bit clearer |
| --ssl2 | | | Only check if SSLv2 is enabled |
| --ssl3 | | | Only check if SSLv3 is enabled |
| --tls10 | | | Only check TLS 1.0 ciphers |
| --tls11 | | | Only check TLS 1.1 ciphers |
| --tls12 | | | Only check TLS 1.2 ciphers |
| --tls13 | | | Only check TLS 1.3 ciphers |
| --tlsall | | | Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3) |
| --ocsp | | | Display OCSP status |
| --pk= | | <file> | A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape) |
| --pkpass= | | <password> | The password for the private key or PKCS#12 file |
| --certs= | | <file> | A file containing PEM/ASN1 formatted client certificates |
| --no-ciphersuites | | | Do not scan for supported ciphersuites |
| --no-fallback | | | Do not check for TLS Fallback Signaling Cipher Suite Value (fallback) |
| --no-renegotiation | | | Do not check for secure TLS renegotiation |
| --no-compression | | | Do not check for TLS compression (CRIME) |
| --no-heartbleed | | | Do not check for OpenSSL Heartbleed (CVE-2014-0160) |
| --no-groups | | | Do not enumerate key exchange groups |
| --show-sigs | | | Enumerate signature algorithms |
| --starttls-ftp | | | STARTTLS setup for FTP |
| --starttls-imap | | | STARTTLS setup for IMAP |
| --starttls-irc | | | STARTTLS setup for IRC |
| --starttls-ldap | | | STARTTLS setup for LDAP |
| --starttls-pop3 | | | STARTTLS setup for POP3 |
| --starttls-smtp | | | STARTTLS setup for SMTP |
| --starttls-mysql | | | STARTTLS setup for MySQL |
| --starttls-xmpp | | | STARTTLS setup for XMPP |
| --starttls-psql | | | STARTTLS setup for PostgreSQL |
| --xmpp-server | | | Perform a server-to-server XMPP connection. Try this if --starttls-xmpp is failing |
| --rdp | | | Send RDP preamble before starting scan |
| --bugs | | | Enables workarounds for SSL bugs |
| --timeout= | | <sec> | Set socket timeout. Useful for hosts that fail to respond to ciphers they don't understand. Default is 3s |
| --connect-timeout= | | <sec> | Set initial connection timeout. Useful for hosts that are slow to respond to the initial connect(). Default is 75s |
| --sleep= | | <msec> | Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Default is disabled |
| --xml= | | <file> | Output results to an XML file. - can be used to mean stdout |
| --version | | | Show version of program |
| --verbose | | | Display verbose output |
| --no-cipher-details | | | Hide NIST EC curve name and EDH/RSA key length |
| --no-colour | | | Disable coloured output |
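A recurring mistake with this option set is scanning a STARTTLS port (25, 587, 143, ...) as if it spoke TLS from the first byte, which yields an empty result rather than an error. The following added example (not code from the sslscan project) wraps the options above into one function: it derives the STARTTLS or RDP preamble option from the port, sets --sni-name explicitly (needed for IP-address targets behind a virtual host), writes one XML file per target, disables colours for log capture and spaces connections with --sleep. The port-to-option mapping, the 200 ms pause and the DRY_RUN switch are this script's own assumptions; every option it emits is taken from the table above.

```shell
#!/bin/sh
# Added example, not part of sslscan: compose and run a consistent sslscan
# command line per target. The port -> option mapping below is an assumption
# for common defaults; adjust it for your environment.

# Print the preamble option for a port, or nothing for implicit TLS.
starttls_opt() {
    case "$1" in
        21)       echo "--starttls-ftp" ;;
        25|587)   echo "--starttls-smtp" ;;
        110)      echo "--starttls-pop3" ;;
        143)      echo "--starttls-imap" ;;
        389)      echo "--starttls-ldap" ;;
        3306)     echo "--starttls-mysql" ;;
        5222)     echo "--starttls-xmpp" ;;
        5432)     echo "--starttls-psql" ;;
        3389)     echo "--rdp" ;;
        *)        ;;   # 443, 465, 636, 993, 995, 8443 ...: TLS from the first byte
    esac
}

# Usage: scan_target HOST PORT [SNI]
# Runs sslscan on HOST:PORT. With DRY_RUN=1, or when sslscan is not
# installed, it only prints the command line it would run.
scan_target() {
    host=$1; port=$2; sni=${3:-$host}
    opt=$(starttls_opt "$port")
    # --sleep=200: 200 ms between connections, so rate-limited STARTTLS
    # SMTP servers do not silently drop part of the cipher enumeration.
    set -- sslscan --no-colour --show-certificate --sleep=200 \
           --sni-name="$sni" --xml="$host-$port.xml"
    if [ -n "$opt" ]; then
        set -- "$@" "$opt"
    fi
    set -- "$@" "$host:$port"
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v sslscan >/dev/null 2>&1; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stand-alone demonstration on constructed targets (dry run, nothing is scanned).
DRY_RUN=1
scan_target mail.example.test 587
scan_target 203.0.113.10 443 www.example.test
scan_target ts.example.test 3389
```

The arguments are kept in the positional parameters and executed as `"$@"`, not joined into a string and passed through `sh -c`, so a hostname taken from an untrusted inventory cannot inject shell syntax. The XML file written per target can be fed straight into whatever post-processing you use for `--xml` output.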
Parameters
Environment
Return value
Configuration
Files
Appendix
See also
Documentation
Man page
- SSLSCAN(1)
Links
Project
Web links