Aller au contenu
1337skills 1337skills - Aide-mémoires

SSLScan

Installation

Section intitulée « Installation »

Debian/Ubuntu

Section intitulée « Debian/Ubuntu »
sudo apt-get install sslscan

RHEL/CentOS

Section intitulée « RHEL/CentOS »
sudo yum install sslscan

macOS

Section intitulée « macOS »
brew install sslscan

From Source

Section intitulée « From Source »
git clone https://github.com/rbsec/sslscan.git
cd sslscan
./configure
make
sudo make install

Docker

Section intitulée « Docker »
docker pull nmap/nmap:latest
docker run -it nmap/nmap sslscan example.com:443

Basic Scanning

Section intitulée « Basic Scanning »

Simple Host Scan

Section intitulée « Simple Host Scan »
sslscan example.com
sslscan example.com:443

Scan Non-Standard Port

Section intitulée « Scan Non-Standard Port »
sslscan example.com:8443

Verbose Output

Section intitulée « Verbose Output »
sslscan --no-failed example.com
sslscan -v example.com

Quiet Mode

Section intitulée « Quiet Mode »
sslscan -q example.com

Certificate Details

Section intitulée « Certificate Details »

View Certificate Information

Section intitulée « View Certificate Information »
sslscan --show-certificate example.com

Extract Certificate Chain

Section intitulée « Extract Certificate Chain »
sslscan --show-certificate example.com | grep -A 50 "Certificate"

Check Certificate Expiry

Section intitulée « Check Certificate Expiry »
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Validate Certificate Chain

Section intitulée « Validate Certificate Chain »
sslscan --show-certificate example.com

Certificate Issuer Details

Section intitulée « Certificate Issuer Details »
openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text -noout

Cipher Enumeration

Section intitulée « Cipher Enumeration »

List All Supported Ciphers

Section intitulée « List All Supported Ciphers »
sslscan example.com

Identify Weak Ciphers

Section intitulée « Identify Weak Ciphers »
sslscan example.com | grep -i "weak"

Filter by Cipher Strength

Section intitulée « Filter by Cipher Strength »
sslscan example.com | grep -E "256|128|64"

Export Cipher List

Section intitulée « Export Cipher List »
sslscan example.com > ciphers.txt

Test Specific Cipher

Section intitulée « Test Specific Cipher »
openssl s_client -connect example.com:443 -cipher 'DES-CBC3-SHA' 2>/dev/null | head -n 20

Protocol Detection

Section intitulée « Protocol Detection »

Check SSL/TLS Versions

Section intitulée « Check SSL/TLS Versions »
sslscan example.com

Test for SSLv2 (Deprecated)

Section intitulée « Test for SSLv2 (Deprecated) »
sslscan example.com | grep -i "sslv2"

Test for SSLv3 (Deprecated)

Section intitulée « Test for SSLv3 (Deprecated) »
sslscan example.com | grep -i "sslv3"

Test for TLS 1.0/1.1 (Legacy)

Section intitulée « Test for TLS 1.0/1.1 (Legacy) »
sslscan example.com | grep -E "TLSv1\.0|TLSv1\.1"

Test for TLS 1.2+

Section intitulée « Test for TLS 1.2+ »
sslscan example.com | grep -E "TLSv1\.[2-3]"

Protocol-Specific Tests

Section intitulée « Protocol-Specific Tests »
openssl s_client -connect example.com:443 -ssl2    # SSLv2
openssl s_client -connect example.com:443 -ssl3    # SSLv3
openssl s_client -connect example.com:443 -tls1    # TLSv1.0
openssl s_client -connect example.com:443 -tls1_1  # TLSv1.1
openssl s_client -connect example.com:443 -tls1_2  # TLSv1.2
openssl s_client -connect example.com:443 -tls1_3  # TLSv1.3

Vulnerability Detection

Section intitulée « Vulnerability Detection »

Check for Heartbleed (CVE-2014-0160)

Section intitulée « Check for Heartbleed (CVE-2014-0160) »
sslscan example.com | grep -i "heartbleed"

Test Heartbleed Directly

Section intitulée « Test Heartbleed Directly »
echo -n "Q" | openssl s_client -connect example.com:443 2>/dev/null | grep -i heartbeat

Check for POODLE (CVE-2014-3566)

Section intitulée « Check for POODLE (CVE-2014-3566) »
sslscan example.com | grep -i "poodle\|sslv3"

Check for BEAST (CVE-2011-3389)

Section intitulée « Check for BEAST (CVE-2011-3389) »
sslscan example.com | grep -E "TLSv1\.0|CBC"

Check for CRIME (CVE-2012-4929)

Section intitulée « Check for CRIME (CVE-2012-4929) »
sslscan example.com | grep -i "compression"

Check for FREAK (CVE-2015-0204)

Section intitulée « Check for FREAK (CVE-2015-0204) »
sslscan example.com | grep -i "weak.*key\|512.*rsa"

Check for RC4 (Weak Cipher)

Section intitulée « Check for RC4 (Weak Cipher) »
sslscan example.com | grep -i "rc4"

Check for DROWN (CVE-2016-0800)

Section intitulée « Check for DROWN (CVE-2016-0800) »
sslscan example.com | grep -i "sslv2"

Full Vulnerability Report

Section intitulée « Full Vulnerability Report »
sslscan --no-failed example.com | grep -iE "vulnerable|weak|sslv2|sslv3|heartbleed|poodle"

STARTTLS Support

Section intitulée « STARTTLS Support »

SMTP (Port 25/587)

Section intitulée « SMTP (Port 25/587) »
sslscan --starttls example.com:25
sslscan --starttls example.com:587

IMAP (Port 143)

Section intitulée « IMAP (Port 143) »
sslscan --starttls example.com:143

POP3 (Port 110)

Section intitulée « POP3 (Port 110) »
sslscan --starttls example.com:110

FTP (Port 21)

Section intitulée « FTP (Port 21) »
sslscan --starttls example.com:21

LDAP (Port 389)

Section intitulée « LDAP (Port 389) »
sslscan --starttls example.com:389

XMPP (Port 5222)

Section intitulée « XMPP (Port 5222) »
sslscan --starttls example.com:5222

Check STARTTLS Availability

Section intitulée « Check STARTTLS Availability »
echo "EHLO example.com" | nc example.com 25 | grep -i "starttls"

Output Formats

Section intitulée « Output Formats »

XML Output

Section intitulée « XML Output »
sslscan --xml=report.xml example.com

Parse XML Report

Section intitulée « Parse XML Report »
cat report.xml | grep -E "protocol|cipher|certificate"

Human-Readable Output

Section intitulée « Human-Readable Output »
sslscan example.com > report.txt

JSON-like Format (via grep)

Section intitulée « JSON-like Format (via grep) »
sslscan example.com | awk '{print $0}' > report.json

Redirect to File

Section intitulée « Redirect to File »
sslscan example.com 2>&1 | tee report.log

Generate and Compare Reports

Section intitulée « Generate and Compare Reports »
sslscan example.com > baseline.txt
sslscan example.com > current.txt
diff baseline.txt current.txt

Batch Scanning

Section intitulée « Batch Scanning »

Scan Multiple Hosts from List

Section intitulée « Scan Multiple Hosts from List »
cat hosts.txt | while read host; do sslscan "$host" >> results.txt; done

Scan Host List with Ports

Section intitulée « Scan Host List with Ports »
while IFS=: read -r host port; do sslscan "$host:$port" >> batch-results.txt; done < hosts.txt

Parallel Batch Scanning

Section intitulée « Parallel Batch Scanning »
cat hosts.txt | xargs -P 5 -I {} sslscan {} > batch-results.txt

Scan Entire CIDR Range (via nmap)

Section intitulée « Scan Entire CIDR Range (via nmap) »
nmap -p 443 10.0.0.0/24 -oG - | awk '/open/{print $2}' | while read ip; do sslscan "$ip"; done

Store Results in Database

Section intitulée « Store Results in Database »
for host in $(cat hosts.txt); do
  sslscan --xml="$host.xml" "$host"
  echo "Scanned: $host"
done

Track Changes Over Time

Section intitulée « Track Changes Over Time »
timestamp=$(date +%Y%m%d_%H%M%S)
sslscan example.com > "scans/example_$timestamp.txt"

Client Certificate Testing

Section intitulée « Client Certificate Testing »

Scan with Client Certificate

Section intitulée « Scan with Client Certificate »
sslscan --client-cert=cert.pem --client-key=key.pem example.com

Test Mutual TLS (mTLS)

Section intitulée « Test Mutual TLS (mTLS) »
openssl s_client -cert client.pem -key client-key.pem -connect example.com:443

Verify Client Certificate Chain

Section intitulée « Verify Client Certificate Chain »
openssl verify -CAfile ca-chain.pem client.pem

Extract Client Certificate from File

Section intitulée « Extract Client Certificate from File »
openssl x509 -in client.pem -text -noout

OCSP Stapling

Section intitulée « OCSP Stapling »

Check OCSP Stapling Status

Section intitulée « Check OCSP Stapling Status »
echo | openssl s_client -connect example.com:443 -tlsextdebug 2>/dev/null | grep -A 2 "OCSP"

Verify OCSP Response

Section intitulée « Verify OCSP Response »
echo | openssl s_client -connect example.com:443 -status 2>/dev/null | grep "OCSP response"

Detailed OCSP Check

Section intitulée « Detailed OCSP Check »
openssl s_client -connect example.com:443 -tlsextdebug 2>&1 | grep -i "ocsp"

Advanced Options

Section intitulée « Advanced Options »

Disable SNI (Server Name Indication)

Section intitulée « Disable SNI (Server Name Indication) »
sslscan --no-sni example.com

Set Custom Timeout

Section intitulée « Set Custom Timeout »
sslscan --timeout=10 example.com

Specify IP Address

Section intitulée « Specify IP Address »
sslscan --ip=192.168.1.1 example.com

Skip Host Name Verification

Section intitulée « Skip Host Name Verification »
sslscan --no-sni example.com

Test All Named Hosts (SNI)

Section intitulée « Test All Named Hosts (SNI) »
sslscan example.com
sslscan mail.example.com

Comparison: SSLScan vs testssl.sh vs sslyze

Section intitulée « Comparison: SSLScan vs testssl.sh vs sslyze »
FeatureSSLScantestssl.shsslyze
LanguageC/C++BashPython
SpeedFastMediumFast
ProtocolsSSL/TLSSSL/TLS/HTTP/DNSSSL/TLS
Vulnerability ChecksBasicComprehensiveGood
STARTTLS SupportYesYesYes
Output FormatsText, XMLText, JSON, CSVText, JSON
InstallationEasyNo depsPython required
CommunityActiveVery ActiveActive
CVE CoverageStandardExtensiveGood
Best ForQuick scansDeep auditsAutomated checks

When to Use SSLScan

Section intitulée « When to Use SSLScan »
  • Quick SSL/TLS configuration checks
  • Simple vulnerability screening
  • Batch scanning multiple hosts
  • Resource-constrained environments
  • CI/CD integration

When to Use testssl.sh

Section intitulée « When to Use testssl.sh »
  • Comprehensive security audits
  • Deep vulnerability analysis
  • Regulatory compliance checks
  • Edge case testing
  • Maximum CVE coverage

When to Use sslyze

Section intitulée « When to Use sslyze »
  • Automated security testing
  • Python integration
  • API-based scanning
  • CI/CD pipelines
  • Large-scale assessments

Real-World Examples

Section intitulée « Real-World Examples »

Audit Web Server Configuration

Section intitulée « Audit Web Server Configuration »
sslscan --show-certificate example.com | tee audit.txt

Monitor Certificate Expiry

Section intitulée « Monitor Certificate Expiry »
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Identify Non-Compliant Hosts

Section intitulée « Identify Non-Compliant Hosts »
sslscan example.com | grep -E "sslv2|sslv3|TLSv1\.0|weak" && echo "Non-compliant" || echo "Compliant"

Generate Compliance Report

Section intitulée « Generate Compliance Report »
sslscan --no-failed example.com > compliance-report.txt

Test After Configuration Change

Section intitulée « Test After Configuration Change »
sslscan example.com > before.txt
# Update SSL/TLS config
sslscan example.com > after.txt
diff before.txt after.txt

Find All Weak Ciphers in Environment

Section intitulée « Find All Weak Ciphers in Environment »
for host in web1 web2 web3; do
  echo "=== $host ===" >> weak-ciphers.txt
  sslscan "$host" | grep -i "weak" >> weak-ciphers.txt
done