sslscan Command Explained

Installing sslscan:


-bash/zsh: sslscan: command not found

# Windows (WSL2)
sudo apt-get update && sudo apt-get install sslscan

# Debian
apt-get install sslscan

# Ubuntu
apt-get install sslscan

# Arch Linux
pacman -S sslscan

# Kali Linux
apt-get install sslscan

# Fedora
dnf install sslscan

# OS X
brew install sslscan

# Raspbian
apt-get install sslscan

# Dockerfile
dockerfile.run/sslscan

sslscan additional notes:


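The sslscan command tests SSL/TLS-enabled services to discover the cipher suites they support. sslscan version 2 has now been released. It includes a major rewrite of the backend scanning code, so many checks no longer depend on the OpenSSL version. As a result, legacy protocols (SSLv2 and SSLv3) as well as TLSv1.3 can be supported regardless of the OpenSSL version sslscan was compiled against.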

$ sslscan


                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|


                2.1.1 (Mingw)
                OpenSSL 3.0.9 30 May 2023
                

sslscan syntax:


sslscan [options] [host:port | host]

sslscan options:


  --targets=<file>     A file containing a list of hosts to check.
                       Hosts can  be supplied  with ports (host:port)
  --sni-name=<name>    Hostname for SNI
  --ipv4, -4           Only use IPv4
  --ipv6, -6           Only use IPv6

  --show-certificate   Show full certificate information
  --show-client-cas    Show trusted CAs for TLS client auth
  --no-check-certificate  Don't warn about weak certificate algorithm or keys
  --ocsp               Request OCSP response from server
  --pk=<file>          A file containing the private key or a PKCS#12 file
                       containing a private key/certificate pair
  --pkpass=<password>  The password for the private  key or PKCS#12 file
  --certs=<file>       A file containing PEM/ASN1 formatted client certificates

  --ssl2               Only check if SSLv2 is enabled
  --ssl3               Only check if SSLv3 is enabled
  --tls10              Only check TLSv1.0 ciphers
  --tls11              Only check TLSv1.1 ciphers
  --tls12              Only check TLSv1.2 ciphers
  --tls13              Only check TLSv1.3 ciphers
  --tlsall             Only check TLS ciphers (all versions)
  --show-ciphers       Show supported client ciphers
  --show-cipher-ids    Show cipher ids
  --iana-names         Use IANA/RFC cipher names rather than OpenSSL ones
  --show-times         Show handhake times in milliseconds

  --no-cipher-details  Disable EC curve names and EDH/RSA key lengths output
  --no-ciphersuites    Do not check for supported ciphersuites
  --no-compression     Do not check for TLS compression (CRIME)
  --no-fallback        Do not check for TLS Fallback SCSV
  --no-groups          Do not enumerate key exchange groups
  --no-heartbleed      Do not check for OpenSSL Heartbleed (CVE-2014-0160)
  --no-renegotiation   Do not check for TLS renegotiation
  --show-sigs          Enumerate signature algorithms

  --starttls-ftp       STARTTLS setup for FTP
  --starttls-imap      STARTTLS setup for IMAP
  --starttls-irc       STARTTLS setup for IRC
  --starttls-ldap      STARTTLS setup for LDAP
  --starttls-mysql     STARTTLS setup for MYSQL
  --starttls-pop3      STARTTLS setup for POP3
  --starttls-psql      STARTTLS setup for PostgreSQL
  --starttls-smtp      STARTTLS setup for SMTP
  --starttls-xmpp      STARTTLS setup for XMPP
  --xmpp-server        Use a server-to-server XMPP handshake
  --rdp                Send RDP preamble before starting scan

  --bugs               Enable SSL implementation bug work-arounds
  --no-colour          Disable coloured output
  --sleep=<msec>       Pause between connection request. Default is disabled
  --timeout=<sec>      Set socket timeout. Default is 3s
  --connect-timeout=<sec>  Set connect timeout. Default is 75s
  --verbose            Display verbose output
  --version            Display the program version
  --xml=<file>         Output results to an XML file. Use - for STDOUT.
  --help               Display the help text you are now reading

sslscan examples:


Test a server on port 443 with sslscan:

sslscan www.hexun.com

------------------------------------------------------
Version: 2.1.1 (Mingw)
OpenSSL 3.0.9 30 May 2023

Connected to 222.84.159.11

Testing SSL server www.hexun.com on port 443 using SNI name www.hexun.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-CCM8
Accepted  TLSv1.2  128 bits  AES128-CCM
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-CCM8
Accepted  TLSv1.2  256 bits  AES256-CCM
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.hexun.com
Altnames: DNS:*.hexun.com, DNS:hexun.com
Issuer:   Secure Site CA G2

Not valid before: Aug 29 00:00:00 2023 GMT
Not valid after:  Sep 28 23:59:59 2024 GMT
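
Checking output like the above against a baseline, as an added example that is not part of the original page or of sslscan itself: it flags deprecated protocols, ciphers under 128 bits (such as the two 3DES suites in the scan above), TLSv1.2 suites without ECDHE/DHE key exchange, and short RSA keys. The function names `audit_sslscan` and `sample_scan`, the 128-bit and 2048-bit thresholds, and the embedded sample lines are assumptions constructed here, following the output format shown above.

```shell
#!/bin/sh
# Added example (not part of sslscan): audit sslscan text output for weak settings.
# Usage: sslscan --no-colour <host> | audit_sslscan
# Prints one finding per line; returns 1 if anything was flagged.
audit_sslscan() {
    awk '
    # Protocol rows, e.g. "TLSv1.0   enabled"
    $1 ~ /^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$/ && $2 == "enabled" {
        print "PROTO " $1 " is enabled"; n++
    }
    # Cipher rows, e.g. "Accepted  TLSv1.2  112 bits  DES-CBC3-SHA"
    ($1 == "Accepted" || $1 == "Preferred") && $4 == "bits" {
        if ($3 + 0 < 128) {            # threshold is an assumed policy value
            print "WEAK  " $2 " " $5 " (" $3 " bits)"; n++
        } else if ($2 != "TLSv1.3" && $5 !~ /^(TLS_)?(ECDHE|DHE|EDH)[-_]/) {
            # No ephemeral (EC)DH prefix: in the sample this is static RSA key exchange
            print "NOFS  " $2 " " $5 " (no ECDHE/DHE key exchange)"; n++
        }
    }
    # Certificate summary row, e.g. "RSA Key Strength:    2048"
    $1 == "RSA" && $2 == "Key" && $3 == "Strength:" && $4 + 0 < 2048 {
        print "KEY   RSA key is only " $4 " bits"; n++
    }
    END { exit (n > 0) }
    '
}

# Constructed sample input in the format sslscan prints (not a real scan).
sample_scan() {
    cat <<'EOF'
  SSL/TLS Protocols:
SSLv3     disabled
TLSv1.0   enabled
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

  SSL Certificate:
RSA Key Strength:    2048
EOF
}

sample_scan | audit_sslscan || true
```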

Show certificate information with sslscan:

sslscan --show-certificate www.hexun.com

----------------------------
Version: 2.1.1 Windows 64-bit (Mingw)
OpenSSL 3.0.9 30 May 2023

Connected to 183.134.34.29

Testing SSL server www.hexun.com on port 443 using SNI name www.hexun.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-CCM8
Accepted  TLSv1.2  128 bits  AES128-CCM
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-CCM8
Accepted  TLSv1.2  256 bits  AES256-CCM
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448

  SSL Certificate:
    Certificate blob:
    Version: 2
    Serial Number: 03:49:4a:da:24:b4:f3:13:24:a6:bf:8d:c8:63:d6:ea
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Secure Site CA G2
    Not valid before: Aug 29 00:00:00 2023 GMT
    Not valid after: Sep 28 23:59:59 2024 GMT
    Subject: /C=CN/ST=\xE5\x8C\x97\xE4\xBA\xAC\xE5\xB8\x82/O=Beijing Hexun Online Consulting Co.,Ltd/CN=*.hexun.com
    Public Key Algorithm: NULL
    RSA Public Key: (2048 bit)
      RSA Public-Key: (2048 bit)
      Modulus:
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:
        C4:11:7E:88:40:86:C2:41:BF:65:F3:1A:E1:B4:53:40:A3:AB:EC:7D
      X509v3 Subject Key Identifier:
        5D:FA:1A:04:2F:4D:42:65:A4:CE:6A:09:B1:C5:41:E3:32:EA:72:D7
      X509v3 Subject Alternative Name:
        DNS:*.hexun.com, DNS:hexun.com
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl3.digicert.com/SecureSiteCAG2.crl
        Full Name:
          URI:http://crl4.digicert.com/SecureSiteCAG2.crl
      X509v3 Certificate Policies:
        Policy: 2.23.140.1.2.2
          CPS: http://www.digicert.com/CPS
      Authority Information Access:
        OCSP - URI:http://ocsp.dcocsp.cn
        CA Issuers - URI:http://crl.digicert-cn.com/SecureSiteCAG2.crt
      X509v3 Basic Constraints:
        CA:FALSE
      CT Precertificate SCTs:
        Signed Certificate Timestamp:
            Version   : v1 (0x0)
            Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                        32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
            Timestamp : Aug 29 05:41:47.476 2023 GMT
            Extensions: none
            Signature : ecdsa-with-SHA256
                        30:45:02:20:73:25:9D:7F:05:90:94:A2:6F:11:05:88:
                        56:38:1C:E8:29:A9:5E:28:15:FE:4F:6E:0C:26:06:49:
                        28:01:61:9C:02:21:00:A7:34:38:C0:95:1E:EC:8A:D3:
                        A2:4D:E3:02:1C:CC:D2:BF:D6:4A:92:90:13:40:87:33:
                        BF:94:0D:96:E2:05:D2
        Signed Certificate Timestamp:
            Version   : v1 (0x0)
            Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                        1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
            Timestamp : Aug 29 05:41:47.064 2023 GMT
            Extensions: none
            Signature : ecdsa-with-SHA256
                        30:44:02:20:6C:22:81:E6:E8:EF:CF:3E:EC:31:E8:E7:
                        7F:33:02:C3:B7:53:56:92:67:69:57:98:1B:6A:E6:50:
                        5D:23:E6:E6:02:20:05:83:7B:57:0A:3B:8E:B0:E9:5F:
                        73:07:78:C6:DB:2C:7D:06:56:AB:C5:3C:49:35:63:79:
                        53:6C:6B:E6:B1:14
        Signed Certificate Timestamp:
            Version   : v1 (0x0)
            Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
                        91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
            Timestamp : Aug 29 05:41:47.014 2023 GMT
            Extensions: none
            Signature : ecdsa-with-SHA256
                        30:45:02:21:00:CD:02:7A:17:E1:D9:89:DF:E4:1B:72:
                        3D:41:85:ED:7A:19:00:50:B4:40:83:40:3E:85:C9:21:
                        77:CE:E6:45:09:02:20:78:C6:CD:E0:9F:B2:1F:3E:3C:
                        5E:1A:43:16:21:A4:8B:A0:24:3B:63:DF:86:12:DC:51:
                        0B:99:A9:D1:B7:BE:A8
  Verify Certificate:
    unable to get local issuer certificate

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.hexun.com
Altnames: DNS:*.hexun.com, DNS:hexun.com
Issuer:   Secure Site CA G2

Not valid before: Aug 29 00:00:00 2023 GMT
Not valid after:  Sep 28 23:59:59 2024 GMT
