further additions + experimenting w indentation

Dirk 2017-06-19 14:36:18 +02:00
parent 63e22fa16e
commit d4b955e78c

@ -92,46 +92,78 @@ The nmap output always returns IP addresses and -- only if there's a PTR DNS rec
``--ssl-native`` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client ``--ssl-native`` instead of using a mixture of bash sockets and openssl s_client connects testssl.sh uses the latter only. This is at the moment faster but provides less accurate results, especially in the client
simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (``--each-cipher`` and ``--cipher-per-proto``) you might end up getting false negatives without a warning. simulation and if the openssl binary lacks cipher support. For TLS protocol checks and standard cipher lists and certain other checks you will see a warning if testssl.sh internally can tell if one check cannot be performed or will give you inaccurate results. For e.g. single cipher checks (``--each-cipher`` and ``--cipher-per-proto``) you might end up getting false negatives without a warning.
``--openssl <path_to_openssl>`` testssl.sh tries very hard to find automagically the binary supplied (where the tree of testssl.sh resides, from the directory where testssl.sh has been started from, etc.). If all that doesn't work it falls back to openssl supplied from the OS (``$PATH``). With this option you can point testssl.sh to your binary of choice and override any internal magic to find the openssl binary. ``OPENSSL=<path_to_openssl>`` is equivalent. ``--openssl <path_to_openssl>`` testssl.sh tries very hard to find automagically the binary supplied (where the tree of testssl.sh resides, from the directory where testssl.sh has been started from, etc.). If all that doesn't work it falls back to openssl supplied from the OS (``$PATH``). With this option you can point testssl.sh to your binary of choice and override any internal magic to find the openssl binary. (environment preset via `OPENSSL=<path_to_openssl>`)
``--bugs`` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed, see ``s_client(1)``. For the socket part testssl.sh tries its best also without that option to cope with broken server implementations (environment preset via `BUGS="-bugs"`) ``--bugs`` does some workarounds for buggy servers like padding for old F5 devices. The option is passed as ``-bug`` to openssl when needed, see ``s_client(1)``. For the socket part testssl.sh tries its best also without that option to cope with broken server implementations (environment preset via `BUGS="-bugs"`)
``--assuming-http`` testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It helps you to tell testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server. ``--assuming-http`` testssl.sh does upfront a protocol detection on the application layer. In cases where for some reasons the usage of HTTP cannot be automatically detected you may want to use this option. It helps you to tell testssl.sh not to skip HTTP specific tests and to run the client simulation with browsers. Sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
``-n, --no-dns`` &ensp; instructs testssl.sh to not do any DNS lookups. It's useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups.
``--sneaky`` &ensp; as a friendly feature for the server side testssl.sh uses a user agent ``TLS tester from <URL>`` (HTTP). With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=`true` * `-n, --no-dns` instructs testssl.sh to not do any DNS lookups. It's useful if you either can't or are not willing to perform DNS lookups. The latter applies e.g. to some pentests, the former could e.g. help you to avoid timeouts by DNS lookups.
* `--sneaky`
+ as a friendly feature for the server side testssl.sh uses a user agent ``TLS tester from <URL>`` (HTTP). With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
### SINGLE CHECK OPTIONS ### SINGLE CHECK OPTIONS
Any single option supplied prevents testssl.sh to do a default run. It just takes this and other options and runs them in the order they would also appear in the default run. Any single option supplied prevents testssl.sh from doing a default run. It just takes this and if supplied other options and runs them - in the order they would also appear in the default run.
`-e, --each-cipher` &ensp; checks each of the local 359 cipher (openssl + sockets) remotely on the server and reports back the result in wide mode. I you want to display each cipher tested you need to add `--show-each` `-e, --each-cipher` checks each of the local 359 cipher (openssl + sockets) remotely on the server and reports back the result in wide mode. If you want to display each cipher tested you need to add `--show-each`
-E, --cipher-per-proto checks those per protocol `-E, --cipher-per-proto` checks each of the possible ciphers per protocol. If you want to display each cipher tested you need to add `--show-each`
-f, --ciphers checks common cipher suites
-p, --protocols checks TLS/SSL protocols `-s, --std, --standard` tests certain lists of cipher suites by strength. Those lists are (`openssl ciphers $LIST`, $LIST from below:)
-S, --server_defaults displays the servers default picks and certificate info
-P, --preference displays the servers picks: protocol+cipher * `NULL encryption ciphers`: 'NULL:eNULL'
-y, --spdy, --npn checks for SPDY/NPN * `Anonymous NULL ciphers`: 'aNULL:ADH'
-x, --single-cipher <pattern> tests matched <pattern> of ciphers * `Export ciphers` (w/o the preceding ones): 'EXPORT:!ADH:!NULL'
(if <pattern> not a number: word match) * `LOW` (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:!ADH:!EXP:!NULL'
-U, --vulnerable tests all vulnerabilities * `Weak 128 Bit ciphers`: 'MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES'
-B, --heartbleed tests for heartbleed vulnerability * `3DES Ciphers`: '3DES:!aNULL:!ADH'
-I, --ccs, --ccs-injection tests for CCS injection vulnerability * `High grade Ciphers`: 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM'
-R, --renegotiation tests for renegotiation vulnerabilities * `Strong grade Ciphers` (AEAD): 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM'
-C, --compression, --crime tests for CRIME vulnerability
-T, --breach tests for BREACH vulnerability
-O, --poodle tests for POODLE (SSL) vulnerability `-p, --protocols` checks TLS/SSL protocols
-Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation
-F, --freak tests for FREAK vulnerability `-S, --server_defaults` displays the servers default picks and certificate info
-A, --beast tests for BEAST vulnerability
-J, --logjam tests for LOGJAM vulnerability `-P, --preference` displays the servers picks: protocol+cipher
-s, --pfs, --fs,--nsa checks (perfect) forward secrecy settings
-4, --rc4, --appelbaum which RC4 ciphers are being offered? `-y, --spdy, --npn` checks for SPDY/NPN
-H, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
`-x, --single-cipher <pattern>` tests matched <pattern> of ciphers
(if <pattern> not a number: word match)
`-U, --vulnerable` tests all vulnerabilities
`-B, --heartbleed` tests for heartbleed vulnerability
`-I, --ccs, --ccs-injection` tests for CCS injection vulnerability
`-R, --renegotiation` tests for renegotiation vulnerabilities
`-C, --compression, --crime` tests for CRIME vulnerability
`-T, --breach` tests for BREACH vulnerability
`-O, --poodle` tests for POODLE (SSL) vulnerability
`-Z, --tls-fallback` checks TLS_FALLBACK_SCSV mitigation
`-F, --freak` tests for FREAK vulnerability
`-A, --beast` tests for BEAST vulnerability
`-J, --logjam` tests for LOGJAM vulnerability
`-s, --pfs, --fs,--nsa ` checks (perfect) forward secrecy settings
`-4, --rc4, --appelbaum` which RC4 ciphers are being offered?
`-H, --header, --headers` tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
### OUTPUT OPTIONS ### OUTPUT OPTIONS
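Review bot: the new `-s, --std, --standard` entry collides with the retained `-s, --pfs, --fs,--nsa` line, so the short option `-s` is now documented for two different checks. Since `-f, --ciphers` is dropped in this hunk, `-f` is no longer taken; if that is the short flag the script's option parser actually uses for the forward-secrecy check, that line should become `-f, --pfs, --fs, --nsa` (which also fixes the missing space after the comma and the trailing space inside the backticks). Smaller points in the same region: the `High grade Ciphers` list repeats `!AESGCM` and the `Strong grade Ciphers` list repeats `AESGCM`, so one copy of each can go; "each of the local 359 cipher" should read "359 ciphers"; and `<pattern>` in the unquoted line "(if <pattern> not a number: word match)" will be swallowed as an HTML tag by the markdown renderer unless it is escaped or placed in backticks like the line above it.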