Skip to content

iphelix/sslmap

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

                 _
                | |  version 0.2.0
         ___ ___| |_ __ ___   __ _ _ __
        / __/ __| | '_ ` _ \ / _` | '_ \
        \__ \__ \ | | | | | | (_| | |_) |
        |___/___/_|_| |_| |_|\__,_| .__/
                                  | |
                                  |_|
        D O C U M E N T A T I O N

The latest version of this document can be obtained from http://thesprawl.org/projects/sslmap/

SSLMap is a lightweight TLS/SSL cipher suite scanner. The tool was designed to meet the need of a simple but reliable way to detect weak ciphers suites enabled on SSL endpoints. SSLMap uses a custom SSL engine to avoid unnecessary limitations imposed by existing libraries, as a result it is capable of detecting uncommon cipher suites (e.g. GOST).

Sample Session
==============

Let's run a sample scan against *thesprawl.org*:

    $ python sslmap.py --host thesprawl.org

	             _                       
	            | |  version 0.2.0             
	     ___ ___| |_ __ ___   __ _ _ __  
	    / __/ __| | '_ ` _ \ / _` | '_ \ 
	    \__ \__ \ | | | | | | (_| | |_) |
	    |___/___/_|_| |_| |_|\__,_| .__/ 
	                              | |    
	      [email protected]   |_|   

    [*] Scanning thesprawl.org:443 for 229 known cipher suites.
    [+] TLS_RSA_WITH_AES_128_CBC_SHA (0x00002F)
    [+] TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
    [+] TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
    [+] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
    [+] TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
    [+] TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
    [+] TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
    [+] TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000A)
    [+] TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
    [+] TLS_RSA_WITH_RC4_128_MD5 (0x000004)
    [+] TLS_RSA_WITH_RC4_128_SHA (0x000005)
    [+] TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
    [+] TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
    [+] TLS_RSA_WITH_DES_CBC_SHA (0x000009)
    [+] SSL2_DES_64_CBC_WITH_MD5 (0x060040)
    [+] SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
    [+] SSL2_RC4_128_WITH_MD5 (0x010080)
    [+] SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
    [+] SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700C0)
    [+] SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)

    ==================== Scan Results ====================
    The following cipher suites were rated as HIGH:
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    The following cipher suites were rated as MEDIUM:
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_RC4_128_SHA

    The following cipher suites were rated as EXPORT:
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL2_RC4_128_EXPORT40_WITH_MD5

    The following cipher suites were rated as LOW:
    TLS_DHE_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    SSL2_DES_64_CBC_WITH_MD5
    SSL2_RC2_CBC_128_CBC_WITH_MD5
    SSL2_RC4_128_WITH_MD5
    SSL2_RC2_CBC_128_CBC_WITH_MD5
    SSL2_DES_192_EDE3_CBC_WITH_MD5

From the above output, you can tell that the server has several weak ciphers rated as EXPORT and LOW. In the ideal situation these ciphers should be removed from a production site. See the [TLS and SSL Cipher Suites](/research/tls-and-ssl-cipher-suites/) article on how to interpret the results.

If you would like to make your own decision on whether a particular cipher is weak or strong, you can repeat the scan with the *--verbose* flag enabled thus allowing you to see individual components of the cipher suite and how the rating was calculated. Below is a snippet of the above scan with the *verbose* flag enabled:

    ...
    [*] Using SSL v2.0 handshake.
    [+] SSL2_DES_64_CBC_WITH_MD5 (0x060040)
        Specs: Kx=RSA, Au=RSA, Enc=DES_64_CBC, Bits=64, Mac=MD5
        Score: Kx/Au=LOW, Enc/MAC=LOW, Overall=LOW
    [+] SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
        Specs: Kx=RSA, Au=RSA, Enc=RC2_CBC_128_CBC, Bits=128, Mac=MD5
        Score: Kx/Au=LOW, Enc/MAC=LOW, Overall=LOW
    [+] SSL2_RC4_128_WITH_MD5 (0x010080)
        Specs: Kx=RSA, Au=RSA, Enc=RC4_128, Bits=128, Mac=MD5
        Score: Kx/Au=LOW, Enc/MAC=MEDIUM, Overall=LOW
    [+] SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
        Specs: Kx=RSA, Au=RSA, Enc=RC2_CBC_128_CBC, Bits=128, Mac=MD5
        Score: Kx/Au=LOW, Enc/MAC=LOW, Overall=LOW
    [+] SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700C0)
        Specs: Kx=RSA, Au=RSA, Enc=DES_192_EDE3_CBC, Bits=192, Mac=MD5
        Score: Kx/Au=LOW, Enc/MAC=HIGH, Overall=LOW
    [+] SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
        Specs: Kx=RSA, Au=RSA, Enc=RC4_128_EXPORT40, Bits=40, Mac=MD5
        Score: Kx/Au=LOW, Enc/MAC=EXPORT, Overall=EXPORT
    ...

Help Screen
===========

The help screen shows a brief outline of tool's functionality:

    Usage: sslmap.py [options]

    Options:
      -h, --help        show this help message and exit
      --host=gmail.com  host
      --port=443        port
      --fuzz            fuzz all possible cipher values (takes time)
      --tls1            use TLS v1.0 handshake
      --tls11           use TLS v1.1 handshake
      --tls12           use TLS v1.2 handshake
      --tls13           use TLS v1.3 handshake (future use)
      --ssl3            use SSL3 handshake
      --ssl2            use SSL2 handshake
      --verbose         enable verbose output
      --db=ciphers.csv  external cipher suite database. DB Format:
                        cipher_id,name,protocol,Kx,Au,Enc,Bits,Mac,Auth
                        Strength,Enc Strength,Overall Strength
    Usage: sslmap.py [options]

Fuzzing
=======

As a special note on the *--fuzz* parameter, you may use it to both stress test as well as discover yet unknown cipher suites on a target system. Naturally as there are a few million possible values for the cipher suite parameter, the test may run for some time.

About

SSLMap - TLS/SSL cipher suite scanner.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages