Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-22 08:29:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

more

Dirk Wetter 2017-06-18 13:46:50 +02:00
parent 4523a64929
commit 2e150976c0
1 changed files with 10 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Man-page.md

@ -26,30 +26,29 @@ Options are either short or long options. All options requiring a value can be c
##### INPUT PARAMETERS
``URI`` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. For any given parameter port 443 is assumed unless otherwise specified as <:port>. The only preceeding protocol specifier allowed is ``https``. You need to be aware that checks for an IP address might not hit the vhost you want.
``URI`` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. For any given parameter port 443 is assumed unless otherwise specified as <:port>. The only preceding protocol specifier allowed is ``https``. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an ``/etc/hosts`` entry for the hostname.
``--file <fname>`` is the mass testing option. Per default it implicitly turns on ``--warnings batch``.
In its first incarnation the mass testing option reads command lines from \<fname\>. \<fname\> consists of command lines of testssl, one line per instance. Comments after ``#`` are ignored, EOF signals the end of \<fname\>. When invoking ``testssl.sh --file <fname>`` you can also supply additional options which will be inherited to each child. The commands are parsed upon execution. So if there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies.
Alternatively ``<fname>`` can be in ``nmap``'s grep(p)able output format (-oG). Only open ports will be considered. Currently only 1x port per line is allowed. The ports can be different per line and will be tested according to common practice in the internet, .i.e. If nmap shows in its output an open port 25, automatically ``-t smtp`` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront.
Alternatively ``<fname>`` can be in ``nmap``'s grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, .i.e. if nmap shows in its output an open port 25, automatically ``-t smtp`` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront.
The nmap output always returns IP addresses and -- only if there's a PTR DNS record available -- a hostname. Unfortunately it is not checked by nmap whether it matches the IP (A or AAAA record). testssl.sh does this for you
The nmap output always returns IP addresses and -- only if there's a PTR DNS record available -- a hostname. Unfortunately it is not checked by nmap whether it matches the IP (A or AAAA record). testssl.sh does this for you
and if the A record of the hostname matches the IP address, the hostname is used and not the IP address. As stated above, checks against an IP address might not hit the vhost you maybe was aiming at.
``--mode <serial|parallel>`` Mass testing to be done serial (default) or parallel (``--parallel ``is shortcut for the latter, ``--serial`` is the counter option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked.
``--mode <serial|parallel>``. Mass testing to be done serial (default) or parallel (``--parallel ``is shortcut for the latter, ``--serial`` is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked.
##### SPECIAL INVOCATIONS:
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol>
--xmpphost <to_domain> for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
--mx <domain/host> tests MX records from high to low priority (STARTTLS, port 25)
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
``-t, --starttls <protocol>`` does a default run against a STARTTLS enabled ``<protocol>``. ``<protocol``> is one of ``ftp``,``smtp``,``pop3``,``imap``,``xmpp``,``telnet``,``ldap``, ``postgres`` For the latter three two you need e.g. the supplied openssl.
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
``--xmpphost <jabber_domain>`` is an additional option for STARTTLS, specifically for STARTTLS enabled XMPP: It expects as a parameter the jabber domain. This is only needed if the domain is different from the URI supplied.
``--mx <domain/host>`` tests all MX records (STARTTLS, port 25) from high to low priority one after the other.
``--ip <ip>`` a) tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in URI. b) ``--ip=one`` means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit ``/etc/hosts``.
protocol is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)
##### DEFAULT CHECKS