CIPHERSCAN

CipherScan discovers the SSL/TLS cipher suites supported by a target and reports the protocol, certificate and key-exchange properties of each.

 

Features

  • Tests the ordering of SSL/TLS cipher suites (server-side preference).
  • Extracts information on:
      • Certificates
      • TLS options
      • OCSP stapling

 

Supported Operating Systems

  • Unix
  • Linux
  • Darwin

 


 

Usage

./cipherscan [options] <target:port>

The port defaults to 443 when it is omitted. Arguments that CipherScan does not recognise itself are handed to openssl s_client (see OpenSSL Options below).

 

Options

-a | --allciphers        Test all known ciphers individually at the end.
-b | --benchmark         Activate benchmark mode.
--capath directory       Use CAs from directory (must be in OpenSSL cadir format).
--saveca                 Save intermediate certificates in the CA directory.
-d | --delay seconds     Pause for the given number of seconds between connections.
-D | --debug             Output ALL the information.
-h | --help              Show this help text.
-j | --json              Output results in JSON format.
-o | --openssl file      Path to the openssl binary you want to use.
--savecrt directory      Path where untrusted and leaf certificates are saved.
--[no-]curves            Test the ECC curves supported by the server (requires OpenSSL 1.0.2).
--sigalg                 Test the signature algorithms used in TLSv1.2 ephemeral ciphers (requires OpenSSL 1.0.2).
--[no-]tolerance         Test TLS tolerance.
--no-sni                 Don't use Server Name Indication.
--colors                 Force use of colors (autodetected by default).
--no-colors              Don't use terminal colors.
-v | --verbose           Increase verbosity.

 

OpenSSL Options

These are openssl s_client arguments that CipherScan passes through to the OpenSSL binary it runs, so their availability depends on the OpenSSL version in use (see -o | --openssl above).

-starttls [smtp|imap|pop3|ftp|xmpp]   Enable support and testing of protocols that switch to TLS only after an initial protocol-specific negotiation (STARTTLS).
-servername name                      Request SNI support for connections.
-proxy proxyhost:port                 Connect to the scan target via the specified proxy (requires OpenSSL 1.1.0 or the bundled OpenSSL).
-verify_hostname name                 Request host name verification in the connection (requires OpenSSL 1.0.2).
-verify_ip ip                         Request host name verification for an IP address, which is usually not specified in certificates (requires OpenSSL 1.0.2).

 

Analysing Configurations

The motivation behind CipherScan is to help operators configure good TLS on their endpoints. To help with this, the script analyze.py compares the results of a CipherScan run with Mozilla's Server Side TLS guidelines and outputs the configuration level the endpoint meets (old, intermediate or modern) together with recommendations for reaching the target level.

 

Usage

  • ./analyze.py -t <target>        Run cipherscan against <target> and analyze the result.
  • ./analyze.py infile outfile     Analyze an existing CipherScan JSON result written with -j.

 

Positional Arguments

  infile           CipherScan JSON results
  outfile          JSON-formatted analysis

 

Optional Arguments

  -h, --help       Show this help message and exit.
  -d               Debug output.
  -l LEVEL         Target configuration level [old, intermediate, modern].
  -t TARGET        Analyze a <target>; invokes cipherscan.
  -o OPENSSL       Path to the openssl binary, if you don't like the default. Point this at an OpenSSL 1.0.2 or newer build when the curve, signature-algorithm or host name verification tests are needed.
  -j               Output results in JSON format.
  --ops OPERATOR   Optional name of the operator's team, added into the JSON output (for database insertion).
  --nagios         Use Nagios-conformant exit codes.
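As an added example, not part of CipherScan or its analyze.py: a small Python checker that consumes the JSON written by `cipherscan -j <target>` and returns a Nagios-style exit status in the spirit of the --nagios option above, so a scan can be wired into monitoring without the full guideline comparison. The sample scan is constructed, the field names (target, serverside, ciphersuite, cipher, protocols, pfs, trusted, ocsp_stapling) are assumptions about cipherscan's JSON layout, and the policy thresholds are the editor's, not Mozilla's guideline levels.

```python
"""Grade a CipherScan JSON result against a small TLS policy.

Reads the JSON that `cipherscan -j <target>` writes and returns a
Nagios-style exit status (0 OK, 1 WARNING, 2 CRITICAL) plus the findings
behind it. This illustrates consuming CipherScan output; it is not a copy
of analyze.py and its thresholds are not Mozilla's guideline levels.
"""
import json
import sys

# Constructed sample modelled on cipherscan's `-j` output. The field names
# (target, serverside, ciphersuite, cipher, protocols, pubkey, sigalg, pfs,
# trusted, ocsp_stapling) are assumptions about that layout and the host is
# fictitious; nothing here was captured from a real scan.
SAMPLE_SCAN = """
{
  "target": "www.example.test:443",
  "serverside": true,
  "ciphersuite": [
    {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", "protocols": ["TLSv1.2"],
     "pubkey": ["2048"], "sigalg": ["sha256WithRSAEncryption"],
     "trusted": "True", "pfs": "ECDH,P-256,256bits", "ocsp_stapling": "False"},
    {"cipher": "DHE-RSA-AES256-SHA", "protocols": ["TLSv1.2"],
     "pubkey": ["2048"], "sigalg": ["sha256WithRSAEncryption"],
     "trusted": "True", "pfs": "DH,1024bits", "ocsp_stapling": "False"},
    {"cipher": "RC4-SHA", "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
     "pubkey": ["2048"], "sigalg": ["sha256WithRSAEncryption"],
     "trusted": "True", "pfs": "None", "ocsp_stapling": "False"}
  ]
}
"""

OK, WARNING, CRITICAL = 0, 1, 2
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark a suite as unacceptable
# (no encryption, export grade, RC4, DES/3DES, MD5 MACs, anonymous DH).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
MIN_DH_BITS = 2048


def pfs_bits(pfs):
    """Key-exchange strength from a pfs string such as 'ECDH,P-256,256bits'
    or 'DH,1024bits'; 0 when the suite offers no forward secrecy."""
    if not pfs or pfs == "None":
        return 0
    try:
        return int(pfs.split(",")[-1].rstrip("bits"))
    except ValueError:
        return 0


def grade(scan):
    """Return (exit_code, findings) for a parsed CipherScan result."""
    critical, warning = [], []
    suites = scan.get("ciphersuite", [])
    if not suites:
        return CRITICAL, ["no cipher suite negotiated; target may not speak TLS"]

    seen_protocols = set()
    for suite in suites:
        name = suite.get("cipher", "?")
        seen_protocols.update(suite.get("protocols", []))
        if any(marker in name for marker in WEAK_MARKERS):
            critical.append("weak cipher suite offered: %s" % name)
        pfs = suite.get("pfs")
        bits = pfs_bits(pfs)
        if bits == 0:
            warning.append("no forward secrecy: %s" % name)
        elif pfs.startswith("DH,") and bits < MIN_DH_BITS:
            critical.append("weak DH group (%d bits): %s" % (bits, name))
        if suite.get("trusted") != "True":
            warning.append("certificate chain not trusted: %s" % name)

    for proto in sorted(seen_protocols & DEPRECATED_PROTOCOLS):
        critical.append("deprecated protocol enabled: %s" % proto)

    # With server-side ordering the first entry is the server's own
    # preference, so a weak first entry is what most clients will get.
    first = suites[0].get("cipher", "")
    if scan.get("serverside") and any(m in first for m in WEAK_MARKERS):
        critical.append("server prefers a weak suite: %s" % first)
    if suites[0].get("ocsp_stapling") != "True":
        warning.append("OCSP stapling not enabled")

    if critical:
        return CRITICAL, critical + warning
    if warning:
        return WARNING, warning
    return OK, []


def grade_json(text):
    """Parse CipherScan JSON text and grade it."""
    return grade(json.loads(text))


def main(argv):
    # Usage: python grade_scan.py [scan.json]; falls back to the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SCAN
    scan = json.loads(text)
    code, findings = grade(scan)
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[code]
    print("%s: %s (%d finding(s))" % (label, scan.get("target", "?"), len(findings)))
    for finding in findings:
        print(" - " + finding)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the JSON saved from `./cipherscan -j <target> > scan.json`; the exit status is what a Nagios check would consume, and the findings list is the part to put into the check output.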