It is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it.

SSLyze a Fast and powerful SSL/TLS Scanner

It's only fair to share...Digg thisShare on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInFlattr the authorShare on TumblrShare on VKShare on YummlyShare on RedditShare on StumbleUpon

SSLyze a Fast and powerful SSL/TLS Scanner

 

Description

SSLyze a Fast and powerful SSL/TLS Scanner. It is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL/TLS servers.

Python is a widely used high-level programming language for general-purpose programming, created by Guido van Rossum and first released in 1991. An interpreted language, Python has a design philosophy that emphasizes code readability (notably using whitespace indentation to delimit code blocks rather than curly brackets or keywords), and a syntax that allows programmers to express concepts in fewer lines of code than might be used in languages such as C++ or Java. The language provides constructs intended to enable writing clear programs on both a small and large scale.

Python features a dynamic type system and automatic memory management and supports multiple programming paradigms, including object-oriented, imperative, functional programming, and procedural styles. It has a large and comprehensive standard library.

Key features include:

  • Fully documented Python API, in order to run scans and process the results directly from Python.
  • Scans are automatically dispatched among multiple processes, making them very fast.
  • Performance testing: session resumption and TLS tickets support.
  • Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more.
  • Server certificate validation and revocation checking through OCSP stapling.
  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
  • Support for client certificates when scanning servers that perform mutual authentication.
  • Scan results can be written to an XML or JSON file for further processing.
  • And much more!
ALSO READ  Penetration Testing from the Cloud

Getting started

SSLyze can be installed directly via pip:

pip install --upgrade setuptools
pip install sslyze
sslyze --regular www.yahoo.com:443 www.google.com "[2607:f8b0:400a:807::2004]:443"

It is also easy to directly clone the repository and the fetch the requirements:

git clone https://github.com/nabla-c0d3/sslyze.git
cd sslyze
pip install -r requirements.txt --target ./lib
python -m sslyze --regular www.yahoo.com:443 www.google.com "[2607:f8b0:400a:807::2004]:443"

On Linux, the python-dev package needs to be installed first so that the nassl C extension can be compiled:

sudo apt-get install python-dev

SSLyze has been tested on the following platforms: Windows 7 (32 and 64 bits), Debian 7 (32 and 64 bits), macOS Sierra

Usage as a library

SSLyze can be used as a Python module in order to run scans and process the results directly in Python. Full documentation is available here. SSLyze a Fast and powerful SSL/TLS Scanner.

A simple example follows:

# Setup the server to scan and ensure it is online/reachable
hostname = u'smtp.gmail.com'
try:
    server_info = ServerConnectivityInfo(hostname=hostname, port=587,
                                         tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
    server_info.test_connectivity_to_server()
except ServerConnectivityError as e:
    # Could not establish an SSL connection to the server
    raise RuntimeError(u'Error when connecting to {}: {}'.format(hostname, e.error_msg))

# Run one scan command synchronously to list the server's TLS 1.0 cipher suites
print(u'\nRunning one scan command synchronously...')
synchronous_scanner = SynchronousScanner()
command = Tlsv10ScanCommand()
scan_result = synchronous_scanner.run_scan_command(server_info, command)
for cipher in scan_result.accepted_cipher_list:
    print(u'    {}'.format(cipher.name))

More advanced examples (such as running scan commands concurrently) are available in theapi_sample.py file and in the SSLyze documentation.

Windows executable

A pre-compiled Windows executable is available in the Releases tab. The package can also be generated by running the following command:

python.exe setup_py2exe.py py2exe

How does it work ?

SSLyze is all Python code but it uses an OpenSSL wrapper written in C called nassl, which was specifically developed for allowing SSLyze to access the low-level OpenSSL APIs needed to perform deep SSL testing. SSLyze a Fast and powerful SSL/TLS Scanner.

ALSO READ  Create a Virtual Hacking Lab For Pentesting With Kali Linux 2017

Where do the trust stores come from?

The Mozilla, Microsoft, Apple and Java trust stores are downloaded using the following tool:https://github.com/nabla-c0d3/catt/blob/master/sslyze.md .

 

It's only fair to share...Digg thisShare on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInFlattr the authorShare on TumblrShare on VKShare on YummlyShare on RedditShare on StumbleUpon