Updating SSLScan to the New Decade
SSLScan-win is a tool that we have been using for nearly every test over the past 6-18 months within the Cigital Assessment Center. Thanks to the recent Heartbleed fiasco, it came to my attention that the version of the sslscan codebase which we have been using was compiled in April of 2010. Since that time, TLSv1.1 and TLSv1.2 have grown in popularity and support and other vulnerabilities such as TLS Renegotiation (DoS) and Heartbleed have come about and been released publicly. It is our duty as a leader in the Security industry to be leaders with our tools, so it was time that we update our toolset.
There have been a few groups on Github who have kept the sslcsan codebase up to date over the pase 4 years; the most recent being rbsec who updated the codebase to include testing support for Heartbleed as well as TLSv1.2 (TLSv1.1 had already been implemented). But alas, the code existed in an un-compiled state. Looking into the code it had not even been kept up to date for Windows compilation. All of the code was built for POSIX libraries and needed to be translated for WinSOCK libraries to run on Windows (since all of our clients have Windows environments that we do testing in).
I gave it my best go, but being unfamiliar with POSIX vs WinSOCK programming, I was not able to finish the job (though I did come very close). After many people telling me it couldn't or shouldn't be done, I was able to find a guy (within Cigital) – Larry Trowell – who was interested in finishing the job. Here is the result thanks to him.
We have 32-bit (x86) and 64-bit (x64) binaries compiled for use within the zip file. The actual usage has changed slightly "sslscan_x86.exe www.google.com" will give you only the accepted list, and automatically run the additional tests (such as TLS Renegotiation and Heartbleed). Play around with it and run some tests. You will also notice that there are some fancy text colors to help users identify good vs bad ciphers.
NOTE: green text color does not mean acceptable, it simply is a color. Please refer to the CAC policy for reporting SSL Ciphers as that has not changed.
Download Link: http://www.mediafire.com/download/1m0gfylrfr3sz33/sslscan-win.zip
Video: (none) I was going to post a video, but to be honest – this tool shouldn't need a video.
Here's a sample output of the tool running against google.com:
(added based on emails sent to clients)
Summary of Key Changes
This compilation is based off of the rbsec-sslscan fork from github and includes 4 notable changes over the previous version of sslscan-win which we have been using (compiled April 2010).
Changes:
Support for Heartbleed -- While the tool does include Heartbleed support, Symantec installations (and potentially other Virus Scanning tools) block the Heartbleed payload so we may not be able to fully test this vulnerability. AppScan 9.0.0 iFix 001 adds the Heartbleed payload to AppScan's test suite. I have not yet seen it successfully reported, so I cannot verify if it is also being blocked by Symantec as of yet. In order to properly test for Heartbleed, Virus Scanning tools should be disabled.
Support for TLS Renegotiation testing -- This represents an attack vector for Denial of Service and is either turned On or Off in the SSL/TLS configuration on the application server. Because this is a Denial of Service attack vector it will most often come out with a CVSSv2 rating of High and can be fixed by simply disabling the setting on the application server.
More expansive support for testing SSLv2 -- This support won't make much of a difference in testing or vulnerabilities reported, but it will potentially have a longer list of "Low Strength SSL Ciphers Supported" when we report them. This won't change the need/recommendation to disable SSLv2, only provide a more extensive list of SSLv2 cases.
Support for TLSv1.1 and TLSv1.2 -- All modern desktop browsers now support TLSv1.2 (as of March 2014), the only exception to the list is mobile device browsers. Our recommendation advice for SSL Cipher settings includes TLSv1.2 support and we can now differentiate between versions of TLS (the old version of sslscan was only able to identify TLS and not v1.0 vs v1.1 vs v1.2). As such my team will be adding TLSv1.1 and TLSv1.0 to the "Medium Strength SSL Ciphers Supported" vulnerability categorization.
-cholt-















