Pentest Book
SSL/TLS

DROWN

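# DROWN needs the server (or another service sharing its key) to accept SSLv2.
# Run the default scripts and check the output for "SSLv2 supported".
# Options must use plain ASCII hyphens: with pasted en-dashes nmap reads
# "–p-", "–sV" and "–sC" as target names instead of options.
nmap -p- -sV -sC example.com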

TLS_FALLBACK_SCSV

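# Connect with a protocol version lower than the server's best and send the
# fallback SCSV. (The original note said "lower port"; "lower protocol" is
# presumably what was meant.)
openssl s_client -tls1 -fallback_scsv -connect example.com:443
# - Response from a server that honours TLS_FALLBACK_SCSV:
# tlsv1 alert inappropriate fallback:s3_pkt.c:1262:SSL alert number 86
# A completed handshake instead of this alert means the downgrade signal was
# not enforced, or that TLS 1.0 is already the highest version the server offers.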

BEAST

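# BEAST: CBC cipher suites negotiated over SSLv3 or TLSv1.0.
# CBC_CIPHER was a bare placeholder; AES128-SHA is set here as a sample CBC
# suite. Substitute the suite under test.
CBC_CIPHER=AES128-SHA
# Repeat with -ssl3 in place of -tls1 to cover SSLv3 (s_client has no -sslv3
# option, and the "-[a/b]" form cannot be run as written).
# A completed handshake means the protocol/CBC combination is accepted.
openssl s_client -tls1 -cipher "$CBC_CIPHER" -connect example.com:443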

LUCKY13

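# Lucky13 concerns CBC-mode cipher suites: a completed handshake shows the
# server accepts the one offered.
# CBC_CIPHER was a bare placeholder; AES128-SHA is set here as a sample CBC
# suite. Substitute the suite under test.
CBC_CIPHER=AES128-SHA
# -cipher does not restrict TLS 1.3 suites, so confirm the negotiated suite in
# the "Cipher is" line of the output before recording a finding.
openssl s_client -cipher "$CBC_CIPHER" -connect example.com:443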

Sweet32

# Sweet32 targets 64-bit block ciphers: offer only 3DES and see whether the
# handshake completes.
# -cipher does not restrict TLS 1.3 suites, so confirm 3DES in the negotiated
# "Cipher is" line. An immediate local error about the cipher list only means
# the OpenSSL build in use lacks 3DES; it says nothing about the server.
openssl s_client -connect example.com:443 -cipher 3DES

Logjam

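# Offer only ephemeral-DH suites and read the "Server Temp Key" line of the
# output (printed only by OpenSSL 1.0.2 or later). It should report a DH group
# bigger than 1024 bits; 1024 bits or less is the Logjam finding.
# A failed handshake means no EDH suite was accepted.
# -cipher does not restrict TLS 1.3 suites: if the session is TLS 1.3 the temp
# key shown is not the DHE group this check is about.
openssl s_client -connect www.example.com:443 -cipher "EDH"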

SSLv2 Support

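# If SSLv2 is supported this returns the server certificate information;
# if not, it returns an error.
# Many current OpenSSL builds no longer accept -ssl2 at all. An error raised
# by the client itself (unknown option) says nothing about the server, so use
# a build that still has SSLv2, or cross-check with nmap's sslv2 script.
openssl s_client -ssl2 -connect example.com:443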

SSLv3 Support

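# If SSLv3 is supported this returns the server certificate information;
# if not, it returns an error.
# SSLv3 is compiled out of many current OpenSSL builds. An error raised by the
# client itself (unknown option) says nothing about the server, so cross-check
# with `nmap --script ssl-enum-ciphers`.
# Target changed to the example.com placeholder used by the other checks.
openssl s_client -ssl3 -connect example.com:443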

Cipher suites

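# Cipher suites
# Enumerate the protocol versions and suites the server accepts.
nmap --script ssl-enum-ciphers -p 443 example.com

# For every probe marked (fail), a handshake failure is the expected, secure
# result; a completed handshake means that weak class is accepted.
# Two things can distort these probes:
#  - -cipher does not restrict TLS 1.3 suites, so a TLS 1.3 session can
#    complete regardless of the list; confirm the "Cipher is" line.
#  - current OpenSSL builds omit several of these classes; an immediate local
#    error about the cipher list is a client limitation, not a server result.

# - Anon cipher (fail)
openssl s_client -cipher aNULL -connect example.com:443

# - DES Cipher (fail)
openssl s_client -cipher DES -connect example.com:443

# - 3DES Cipher (fail)
openssl s_client -cipher 3DES -connect example.com:443

# - Export Cipher (fail)
openssl s_client -cipher EXPORT -connect example.com:443

# - Low Cipher (fail)
openssl s_client -cipher LOW -connect example.com:443

# - RC4 Cipher (fail)
openssl s_client -cipher RC4 -connect example.com:443

# - NULL Cipher (fail)
openssl s_client -cipher NULL -connect example.com:443

# - Perfect Forward Secrecy Cipher (This should NOT fail):
# The original list ("EECDH, EDH NULL") was split into three shell words.
# It is written here as one colon-separated cipher string; "!NULL" is
# presumably what the stray NULL stood for - confirm against your policy.
openssl s_client -cipher 'EECDH:EDH:!NULL' -connect example.com:443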

Secure renegotiation

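# 1. In the handshake summary, check whether the output reports
#    "Secure Renegotiation IS NOT supported".
# 2. If it is not supported, request a renegotiation from inside the session.
# 3. If the renegotiation goes through without an error, the server is
#    vulnerable.
# Renegotiation does not exist in TLS 1.3, so the result only means something
# on a TLS 1.2 or lower session.
openssl s_client -connect example.com:443
# Typed into the open s_client session, not into the shell:
#   HEAD / HTTP/1.0
#   R
#   <Enter or Return key>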

CRIME

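# Check the "Compression:" line of the handshake summary.
# "Compression: NONE" is the safe result; any other value means TLS-level
# compression was negotiated, which is the precondition for CRIME.
# NOTE(review): recent OpenSSL clients do not offer TLS compression by default
# and may be built without it, so NONE from such a client is inconclusive.
# Confirm with a client that does offer compression.
openssl s_client -connect example.com:443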

BREACH

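# Request a page while advertising compression support, then inspect the
# response.
openssl s_client -connect example.com:443
# Typed into the open s_client session, followed by an empty line:
#   GET / HTTP/1.1
#   Host: example.com
#   Accept-Encoding: compress, gzip
# If the response contains encoded data (for example a Content-Encoding
# header), HTTP compression is enabled. That is the precondition for BREACH
# rather than proof of it: the response must also reflect request data and
# carry a secret in the same compressed body.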

Heartbleed

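# Heartbleed: run the ssl-heartbleed NSE script; vulns.showall also lists the
# hosts the script finds not vulnerable.
nmap -p 443 --script ssl-heartbleed --script-args vulns.showall example.com

# Heartbleed checker for a list of sites (one host per line in list.txt).
# -tlsextdebug is required: without it s_client never prints the server
# extensions, grep never matches, and every host is reported as safe.
# A match only shows that the heartbeat extension was negotiated, not that the
# server is unpatched; "safe" is also printed when the connection itself fails.
# NOTE(review): OpenSSL clients from 1.1.0 on may not offer heartbeat at all,
# which would hide the extension - confirm results with the nmap script above.
while IFS= read -r line; do
  # Skip blank lines so no connection is attempted to ":443".
  [ -n "$line" ] || continue
  echo "QUIT" | openssl s_client -connect "$line:443" -tlsextdebug 2>&1 |
    grep 'server extension "heartbeat" (id=15)' || echo "$line: safe"
done < list.txt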

Change cipher spec injection

# Run nmap's ssl-ccs-injection script against the HTTPS port and read the
# script's verdict in the port's script output.
nmap --script ssl-ccs-injection -p 443 example.com

Cipher order enforcement

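# Choose a protocol and two different ciphers, one stronger than the other.
# Make two requests with the cipher order swapped and compare the negotiated
# cipher in each response: if the server picks whichever cipher the client
# listed first in both cases, it follows client preference instead of
# enforcing its own order.
# Options and quotes must be plain ASCII; the pasted en-dashes and curly
# quotes are not parsed as options or quoting.
# Target changed to the example.com placeholder used by the other checks.
nmap -p 443 --script ssl-enum-ciphers example.com
openssl s_client -tls1_2 -cipher 'AES128-GCM-SHA256:AES128-SHA' -connect example.com:443
openssl s_client -tls1_2 -cipher 'AES128-SHA:AES128-GCM-SHA256' -connect example.com:443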