Summerschool Aachen 2005/Challenges/SSL fingerprinting

From C4 Wiki
Jump to: navigation, search

I remembered I already did some SSL fingerprinting. The Pen Testing Toolkit, a very loose collection of tooles created by me contains ssltest which is mainly to test which ciphers are available to an ssl server but also prints out some additiona information.

Example:

md@hextatic ~/Documents/repos/ptt$ python bin/ssltest houston.informatik.rwth-aachen.de
Testing ciphers for houston.informatik.rwth-aachen.de:443
Certificate subject: '/C=DE/ST=./O=./CN=houston.informatik.rwth-aachen.de/emailAddress=.'
Certificate issuer:  '/C=DE/ST=./L=./O=./CN=houston/emailAddress=.'
Ciphers supported by houston.informatik.rwth-aachen.de:443
40 Bit Encryption:      EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA
56 Bit Encryption:      DES-CBC-MD5, DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, EDH-RSA-DES-CBC-SHA
64 Bit Encryption:      RC4-64-MD5
128 Bit Encryption:     RC2-CBC-MD5, RC4-MD5, RC4-SHA, DHE-RSA-AES128-SHA, AES128-SHA, RC4-MD5, RC4-SHA, DHE-RSA-AES128-SHA, AES128-SHA, RC4-MD5, RC4-SHA, DHE-RSA-AES128-SHA, AES128-SHA, RC4-MD5
168 Bit Encryption:     DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
256 Bit Encryption:     DHE-RSA-AES256-SHA, AES256-SHA, DHE-RSA-AES256-SHA, AES256-SHA, DHE-RSA-AES256-SHA, AES256-SHA
md@hextatic ~/Documents/repos/ptt$ python bin/ssltest secure.amazon.de
Testing ciphers for secure.amazon.de:443
Certificate subject: '/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=secure.amazon.de'
Certificate issuer:  '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority'
Ciphers supported by secure.amazon.de:443
40 Bit Encryption:      EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5
56 Bit Encryption:      DES-CBC-MD5, DES-CBC-SHA, EXP1024-RC4-SHA, DES-CBC-SHA, EXP1024-RC4-MD5, EXP1024-RC2-CBC-MD5, EXP1024-DES-CBC-SHA, EXP1024-RC4-SHA, DES-CBC-SHA, EXP1024-RC4-MD5, EXP1024-RC2-CBC-MD5, EXP1024-DES-CBC-SHA
64 Bit Encryption:      RC4-64-MD5
128 Bit Encryption:     IDEA-CBC-MD5, RC2-CBC-MD5, RC4-MD5, RC4-SHA, RC4-MD5, IDEA-CBC-SHA, RC4-SHA, AES128-SHA, RC4-MD5, IDEA-CBC-SHA, RC4-SHA, AES128-SHA, RC4-MD5, IDEA-CBC-SHA
168 Bit Encryption:     DES-CBC3-MD5, DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-SHA
256 Bit Encryption:     AES256-SHA, AES256-SHA

The rool is a re-implementation of a tool by Johnny Cyberpunk and was originally meant for penetratoion testing. I'ss see what else I can do with it.

online-check

You might give http://serversniff.net/sslcheck.php a try. This is simply based on a shellscript using openssl 0.9.8 and gnutls and does a bit more, e.g checking for NULL-Ciphers (onlinebanking without encryption), checking for protocols (ssl2,3,tls1.0, tls1.1), and, most important: checking the Default Cipher, which is presented first. Many servers support AES256, but offer 128Bit-RC4 per default :-((. Feed my mailbox if your willing to discuss or just want to get the shellscripts.