Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2024-11-29 22:36:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

added a few bits. Tried a unicode tab

Dirk 2017-06-19 13:56:55 +02:00
parent 97f7d2e6a5
commit 63e22fa16e
1 changed files with 31 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
Man-page.md

@ -1,10 +1,15 @@
### NAME
### NAME
testssl.sh -- check encryption of SSL/TLS servers
### SYNOPSIS
``testssl.sh <OPTIONS> [ --file FILE | URI ]`` or ``testssl.sh <BANNER OPTIONS>``
``testssl.sh <OPTIONS> [ URI | --file FILE ]``
or
``testssl.sh <BANNER OPTIONS>``
### DESCRIPTION
@ -14,11 +19,11 @@ The output rate findings by color (screen) or severity (file output) so that you
Except DNS lookups it doesn't use any third parties for checks, it's only you who sees the result and you also can use it internally on your LAN.
Portability is another core feature. testssl.sh runs under any Unix-like stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2). ``/bin/bash`` (also version 3) is a prerequisite as well as standard utilities like awk, sed, tr and head. This can be of BSD, System 5 or GNU flavor whereas grep from System V is not yet supported.
Portability is another core feature. testssl.sh runs under any Unix-like stack (Linux, *BSD, MacOS X, WSL=bash on Windows, Cygwin and MSYS2). ``bash`` (also version 3) is a prerequisite as well as standard utilities like awk, sed, tr and head. This can be of BSD, System 5 or GNU flavor whereas grep from System V is not yet supported.
### GENERAL
``testssl.sh URI`` is the so-called default run which does a number of checks and puts out the results colorized (ANSI and termcap) on the screen. It does every check listed under CHECKS except ``-E``. Following checks are being done (order of appearance) by ``testssl.sh <OPTIONS> URI``
``testssl.sh URI`` is the so-called default run which does a number of checks and puts out the results colorized (ANSI and termcap) on the screen. It does every check listed under CHECKS except ``-E``. Following checks are being done (order of appearance) by ``testssl.sh <OPTIONS> URI``
0) displays a banner (see below), does a DNS lookup also for further IP addresses and does for the returned IP address a reverse lookup. Last but not least a service check is being done.
@ -36,21 +41,21 @@ Portability is another core feature. testssl.sh runs under any Unix-like stack (
7) vulnerabilities
8) testing each of 359 ciphers
8) testing each of 359 ciphers
9) client simulation
### OPTIONS
Options are either short or long options. All options requiring a value can be called with or without '=' e.g. ``testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>`` is equivalent to ``testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI>``. Some options can also be preset via ENV variables. ``WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp <URI>`` would be the equivalent to the aforementioned examples. Preference has the command line over ENV.
Options are either short or long options. All options requiring a value can be called with or without '=' e.g. ``testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>`` is equivalent to ``testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI>``. Some options can also be preset via ENV variables. ``WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp <URI>`` would be the equivalent to the aforementioned examples. Preference has the command line over any enviroment variables.
``<URI>`` or ``--file <FILE>`` always needs to be the last parameter.
``<URI>`` or ``--file <FILE>`` always needs to be the last parameter.
##### BANNER OPTIONS
``-h, --help`` command line help
``-b, --banner`` displays testssl.sh banner, including license, usage conditions, version of testssl.sh, detected openssl version, its path to it, # of ciphers of openssl, its build date and the architecture
``-v, --version`` same as before
``-V, --local <pattern>`` or ``-V, --local`` pretty print all local ciphers supported by openssl version. If a pattern is supplied it performs a match (ignore case) on any of the strings supplied in the wide output, see below. The pattern will be searched in the any of the columns: hexcode, cipher suite name (OpenSSL or RFC), key exchange, encryption, bits. It does a word pattern match for non-numbers, for number just a normal match applies. Numbers here are defined as [0-9,A-F]. This means (attention: catch) that the pattern CBC is matched as non-word, but AES as word.
@ -59,11 +64,11 @@ Options are either short or long options. All options requiring a value can be c
``URI`` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is ``https``. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an ``/etc/hosts`` entry for the hostname.
``--file <fname>`` is the mass testing option. Per default it implicitly turns on ``--warnings batch``.
``--file <fname>`` is the mass testing option. Per default it implicitly turns on ``--warnings batch``.
In its first incarnation the mass testing option reads command lines from ``<fname>``. ``<fname>`` consists of command lines of testssl, one line per instance. Comments after ``#`` are ignored, ``EOF`` signals the end of <fname> any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking ``testssl.sh --wide --log --file <fname>`` . Each single line in ``<fname>`` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies.
Alternatively ``<fname>`` can be in ``nmap``'s grep(p)able output format (``-oG``). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, .i.e. if nmap shows in its output an open port 25, automatically ``-t smtp`` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront.
The nmap output always returns IP addresses and -- only if there's a PTR DNS record available -- a hostname. As it is not checked by nmap whether the hostname matches the IP (A or AAAA record), testssl.sh does this for you. If the A record of the hostname matches the IP address, the hostname is used and not the IP address. As stated above, checks against an IP address might not hit the vhost you maybe were aiming at.
``--mode <serial|parallel>``. Mass testing to be done serial (default) or parallel (``--parallel ``is shortcut for the latter, ``--serial`` is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable ``MASS_TESTING_MODE`` can be defined to be either equal ``serial`` or ``parallel``.
@ -71,38 +76,40 @@ The nmap output always returns IP addresses and -- only if there's a PTR DNS rec
##### SPECIAL INVOCATIONS:
``-t, --starttls <protocol>`` does a default run against a STARTTLS enabled ``<protocol>``. ``<protocol>`` is one of ``ftp``,``smtp``,``pop3``,``imap``,``xmpp``,``telnet``,``ldap``, ``postgres`` For the latter three two you need e.g. the supplied openssl.
``-t, --starttls <protocol>`` does a default run against a STARTTLS enabled ``<protocol>``. ``<protocol>`` is one of ``ftp``, ``smtp``, ``pop3``, ``imap``, ``xmpp``, ``telnet``, ``ldap``, ``postgres`` For the latter three two you need e.g. the supplied openssl.
``--xmpphost <jabber_domain>`` is an additional option for STARTTLS enabled XMPP: It expects as a parameter the jabber domain. This is only needed if the domain is different from the URI supplied.
``--xmpphost <jabber_domain>`` is an additional option for STARTTLS enabled XMPP: It expects as a parameter the jabber domain. This is only needed if the domain is different from the URI supplied.
``--mx <domain/host>`` tests all MX records (STARTTLS, port 25) from high to low priority one after the other.
``--ip <ip>`` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in ``<URI>``. IPv6 addresses needs to be in square brackets.
``--ip=one`` means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit ``/etc/hosts``. ``--ip=proxy`` tries a DNS resolution via proxy.
``--ip=one`` means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit ``/etc/hosts``. ``--ip=proxy`` tries a DNS resolution via proxy.
``--proxy <host>:<port>`` does the whole check via the specified HTTP proxy. ``--proxy=auto`` inherits the proxy setting from the environment. Proxying via IPv6 addresses is not possible. The hostname supplied will only be resolved to the first A record. Authentication to the proxy is not supported.
``-6`` does (also) IPv6 checks. This works only with both a supporting openssl binary like the one supplied and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support.
``--ssl-native`` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
``--ssl-native`` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (``--each-cipher`` and ``--cipher-per-proto``) you might end up getting false negatives without a warning.
``--openssl <path_to_openssl>`` testssl.sh tries very hard to find automagically the binary supplied (where the tree of testssl.sh resides, from the directory where testssl.sh has been started from, etc.). If all that doesn't work it falls back to openssl supplied from the OS (``$PATH``). With this option you can point testssl.sh to your binary of choice and override any internal magic to find the openssl binary. ``OPENSSL=<path_to_openssl>`` is equivalent.
``--bugs`` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed, see ``s_client(1)``. For the socket part testssl.sh tries its best also without that option to cope with broken server implementations.
``--bugs`` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed, see ``s_client(1)``. For the socket part testssl.sh tries its best also without that option to cope with broken server implementations (environment preset via `BUGS="-bugs"`)
``--assuming-http`` testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It helps you to tell testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
``-n, --no-dns`` instructs testssl.sh to not do any DNS lookups. It's useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups.
``-n, --no-dns`` &ensp; instructs testssl.sh to not do any DNS lookups. It's useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups.
``--sneaky`` As a friendly feature for the server side testssl.sh uses a user agent ``TLS tester from <URL>`` (HTTP). With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible.
``--sneaky`` &ensp; as a friendly feature for the server side testssl.sh uses a user agent ``TLS tester from <URL>`` (HTTP). With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=`true`
### SINGLE OPTIONS
### SINGLE CHECK OPTIONS
Any single option supplied prevents testssl.sh to do a default run. It just takes this and other options and runs them in the order they would also appear in the default run.
-e, --each-cipher checks each local cipher remotely
`-e, --each-cipher` &ensp; checks each of the local 359 cipher (openssl + sockets) remotely on the server and reports back the result in wide mode. I you want to display each cipher tested you need to add `--show-each`
-E, --cipher-per-proto checks those per protocol
-f, --ciphers checks common cipher suites
-p, --protocols checks TLS/SSL protocols
@ -146,7 +153,7 @@ All output options can also be preset via environment variables.
5: display bytes received via sockets
6: whole 9 yards
##### FILE OUTPUT OPTIONS
### FILE OUTPUT OPTIONS
A few file output options can also be preset via environment variables.
@ -166,6 +173,10 @@ A few file output options can also be preset via environment variables.
### TUNING via ENV variables
* DEBUGTIME
* DEBUG_ALLINONE
### EXAMPLES
testssl.sh testssl.sh