Hello,
This post is about the SSL-related vulnerabilities reported by automated
scanners (Qualys and Nessus); most of them can be confirmed manually.
Here is a list of a few SSL-related vulnerabilities that can be tested.
SSL Server Allows Anonymous Authentication Vulnerability
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher aNULL
SSL Server Supports Weak Encryption Vulnerability
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher LOW
(this can be tested with sslscan)
OpenSSL server with NULL cipher support
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher NULL
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher 0x00
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher eNULL
(if the server accepts a NULL cipher, the traffic is not encrypted and the data can be captured with packet sniffing tools like Wireshark)
SSL Server weak CBC mode
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher DES-CBC3-SHA
Connecting to ftp or smtp service over SSL
openssl s_client -connect TARGET_IP:PORT_NUMBER -starttls smtp
(for SMTP service)
openssl s_client -connect TARGET_IP:PORT_NUMBER -starttls ftp
(for FTP service)
When testing for default usernames and passwords for a
device, service or anything else, please follow this link:
SSL/TLS Compression Algorithm Information Leakage Vulnerability (or) TLS CRIME attack
$ openssl s_client -connect Ip:port
GET / HTTP/1.1 [Enter]
Host: google.com [Enter]
Accept-Encoding: compress, gzip [Enter, Enter]
HTTP/1.1 200 OK
Date: Thu, 13 Sep 2012 16:58:57 GMT
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Last-Modified: Thu, 13 Sep 2012 15:09:56 GMT
ETag: "891a-4c996b33b64aa-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9005
Content-Type: text/html; charset=utf-8
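An added example (not part of the original post) for reading the results of the checks above: openssl s_client prints the handshake outcome on its "New, ..., Cipher is ..." line and TLS-level compression on its "Compression:" line. The function names and the two sample transcripts are constructed for illustration; in practice, pipe saved s_client output into the functions.

```shell
# Added example: interpret saved `openssl s_client` output offline.
# Function names and both sample transcripts are constructed for illustration.

# Print the cipher named on the "New, ..., Cipher is ..." line, or "(NONE)".
negotiated_cipher() {
    c=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    if [ -n "$c" ]; then printf '%s\n' "$c"; else printf '%s\n' '(NONE)'; fi
}

# A cipher finding is confirmed only if the server actually agreed to a cipher.
cipher_finding() {
    case "$(negotiated_cipher)" in
        '(NONE)'|0000) echo "not confirmed" ;;
        *) echo "confirmed" ;;
    esac
}

# Print the TLS-level compression method from the top-level "Compression:" line.
tls_compression() {
    c=$(sed -n 's/^Compression: *\(.*\)$/\1/p' | head -n 1)
    if [ -n "$c" ]; then printf '%s\n' "$c"; else printf '%s\n' 'NONE'; fi
}

# Constructed transcript: server accepted the requested cipher, compression on.
sample_accepted() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Compression: zlib compression
---
EOF
}

# Constructed transcript: handshake failed, nothing was negotiated.
sample_rejected() {
cat <<'EOF'
CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Compression: NONE
---
EOF
}

for s in sample_accepted sample_rejected; do
    printf '%s: cipher=%s finding=%s tls_compression=%s\n' "$s" \
        "$($s | negotiated_cipher)" "$($s | cipher_finding)" "$($s | tls_compression)"
done
```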