mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
completed end paragraph
Dirk Wetter
parent
1feccafe3e
commit
4523a64929
35
Man-page.md
35
Man-page.md
@ -17,34 +17,27 @@ Options are either short or long options. All options requiring a value can be c
|
|||||||
##### BANNER OPTIONS
|
##### BANNER OPTIONS
|
||||||
``-h, --help`` command line help
|
``-h, --help`` command line help
|
||||||
|
|
||||||
``-b, --banner`` displays testssl.sh banner, including license, usage conditions, version of testssl.sh, detected openssl version, its path to it, # of ciphers of openssl, its build date and the architecture
|
``-b, --banner`` displays testssl.sh banner, including license, usage conditions, version of testssl.sh, detected openssl version, its path to it, # of ciphers of openssl, its build date and the architecture
|
||||||
|
|
||||||
``-v, --version`` same as before
|
``-v, --version`` same as before
|
||||||
|
|
||||||
``-V, --local <pattern>``
|
``-V, --local <pattern>``
|
||||||
``-V, --local`` pretty print all local ciphers supported by openssl version. If a pattern is supplied it performs a match (ignore case) on any of the pattern supplied in the wide output, see below. The pattern will be search in the any of the columns: hexcode, cipher suite name (OpenSSL or RFC), key exchange, encryption, bits. It does a word pattern match for non-numbers. Numbers here are currently defined as [0-9,A-F]. This means that the pattern CBC is matched as non-word, but AES as word.
|
``-V, --local`` pretty print all local ciphers supported by openssl version. If a pattern is supplied it performs a match (ignore case) on any of the strings supplied in the wide output, see below. The pattern will be searched in the any of the columns: hexcode, cipher suite name (OpenSSL or RFC), key exchange, encryption, bits. It does a word pattern match for non-numbers, for number just a normal match applies. Numbers here are defined as [0-9,A-F]. This means (attention: catch) that the pattern CBC is matched as non-word, but AES as word.
|
||||||
|
|
||||||
##### INPUT PARAMETERS
|
##### INPUT PARAMETERS
|
||||||
|
|
||||||
URI {host,ip,URL}:<port> (port 443 is assumed unless otherwise specified)
|
``URI`` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. For any given parameter port 443 is assumed unless otherwise specified as <:port>. The only preceeding protocol specifier allowed is ``https``. You need to be aware that checks for an IP address might not hit the vhost you want.
|
||||||
Please be careful: if checks for the IP address might not hit the vhost you want.
|
|
||||||
|
|
||||||
pattern an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
|
``--file <fname>`` is the mass testing option. Per default it implicitly turns on ``--warnings batch``.
|
||||||
protocol is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)
|
In its first incarnation the mass testing option reads command lines from \<fname\>. \<fname\> consists of command lines of testssl, one line per instance. Comments after ``#`` are ignored, EOF signals the end of \<fname\>. When invoking ``testssl.sh --file <fname>`` you can also supply additional options which will be inherited to each child. The commands are parsed upon execution. So if there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies.
|
||||||
--file <fname> Mass testing option: Reads command lines from <fname> in plaintext format, one line per instance.
|
|
||||||
Comments via # allowed, EOF signals end of <fname>. Implicitly turns on "--warnings batch".
|
Alternatively ``<fname>`` can be in ``nmap``'s grep(p)able output format (-oG). Only open ports will be considered. Currently only 1x port per line is allowed. The ports can be different per line and will be tested according to common practice in the internet, .i.e. If nmap shows in its output an open port 25, automatically ``-t smtp`` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront.
|
||||||
Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked.
|
|
||||||
Besides having individual command line options per line in the supplied file you can additionally specify options on the command line.
|
The nmap output always returns IP addresses and -- only if there's a PTR DNS record available -- a hostname. Unfortunately it is not checked by nmap whether it matches the IP (A or AAAA record). testssl.sh does this for you
|
||||||
The command line options in the file and on the command line must not conflict.
|
and if the A record of the hostname matches the IP address, the hostname is used and not the IP address. As stated above, checks against an IP address might not hit the vhost you maybe was aiming at.
|
||||||
|
|
||||||
Alternatively <fname> can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Currently only 1x port per line is allowed.
|
``--mode <serial|parallel>`` Mass testing to be done serial (default) or parallel (``--parallel ``is shortcut for the latter, ``--serial`` is the counter option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked.
|
||||||
The ports can be different per line, however per mass testing run they can be either STARTTLS enabled ports OR plain TLS/SSL ports, not both.
|
|
||||||
nmap returns in that output always IP addresses and -- only if there's a PTR DNS record available -- a hostname.
|
|
||||||
Unfortunately this hostname from nmap is not checked whether it matches the IP (A or AAAA record). testssl.sh does this for you:
|
|
||||||
if the A record of the hostname matches the IP address, the hostname is used and not the IP address.
|
|
||||||
Please be careful: checks against an IP address might not hit the vhost you aimed at.
|
|
||||||
|
|
||||||
--mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
|
|
||||||
|
|
||||||
##### SPECIAL INVOCATIONS:
|
##### SPECIAL INVOCATIONS:
|
||||||
|
|
||||||
@ -54,6 +47,10 @@ Options are either short or long options. All options requiring a value can be c
|
|||||||
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
||||||
|
|
||||||
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||||
|
|
||||||
|
|
||||||
|
protocol is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)
|
||||||
|
|
||||||
##### DEFAULT CHECKS
|
##### DEFAULT CHECKS
|
||||||
|
|
||||||
testssl.sh <options> URI (`testssl.sh URI` does everything except `-E`)
|
testssl.sh <options> URI (`testssl.sh URI` does everything except `-E`)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user