Awesome
TLS-Scanner
TLS-Scanner is a tool to assist pentesters and security researchers in the evaluation of TLS server and client configurations.
Please note: TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.
Compiling
In order to compile and use TLS-Scanner, you need to run:
$ cd TLS-Scanner
$ git submodule update --init --recursive
$ mvn clean package
Alternatively, if you are in a hurry, you can skip the tests by using:
$ mvn clean package -DskipTests=true
If you want to use TLS-Scanner as a library you need to install it with the following command:
$ mvn clean install
Running
In order to run TLS-Scanner you need to run the jar file in the apps/ folder.
$ java -jar apps/TLS-Server-Scanner.jar -connect localhost:4433
You can specify a host you want to scan with the -connect parameter. If you want to improve the performance of the scan you can use the -threads parameter (default=1).
In order to see more details about the Guidelines, use "-reportDetail ALL".
Docker
We provide you with a Dockerfile, which lets you run the scanner directly:
$ docker build . -t tlsscanner
$ docker run -t tlsscanner
Please note: I am by no means familiar with Docker best practices. If you know how to improve the Dockerfile feel free to issue a pull request
Requirement System
(TLS) probes sometimes have prerequisites that are required to execute this specific probe. The requirement system allows you to define sets of such requirements that must be met in order for the probe to be executed.
Each requirement offers an evaluate
function which returns a boolean value indicating whether the requirement has been fulfilled.
Requirements can be concatenated in several ways using well-known logical operations. Each requirement offers and
, or
, not
, and xor
instance methods to chain multiple requirements. The following probes are currently implemented and can be used off the shelf:
FulfilledRequirement
- Always evalutes totrue
, useful to indicate no requirement.UnfulfillableRequirement
- Always evalutes tofalse
, prevents execution of probes.ProbeRequirement
- Evaluates totrue
if the specified probe(s) has been executed.PropertyRequirement
- Evaluates totrue
if the specified analyzed properties have a predefined value. The value may either be provided as a constructor parameter or one may usePropertyTrueRequirement
andPropertyFalseRequirement
as a shorthand forTestResults.TRUE
andTestResults.FALSE
.PropertyComparatorRequirement
- Evaluates totrue
if the collection result of an analyzed property is smaller, equal, or greater than a constant value.ProtocolRequirement
- Evaluates totrue
if certain protocol versions are supported.ExtensionRequirement
- Evaluates totrue
if certain extensions are supported by the remote peer.OptionsRequirement
- Evaluates totrue
if additional cli flags are set. Currently used in some client probes (ALPN, SNI, session resumption).WorkingConfigRequirement
- Evaluates totrue
if a working configuration has been found.
Aside from these predefined requirements one may also extend the Requirement
class anonymously within the getRequirements
method. If nothing is required, you can use may return a FulfilledRequirement
which always evaluates to true.
Examples on how to use requirements can be found in the probe
packages of the tls-client-scanner
and tls-server-scanner
.
@Override
public Requirement<ClientReport> getRequirements() {
return new ProbeRequirement<ClientReport>(TlsProbeType.CIPHER_SUITE)
.and(new PropertyTrueRequirement<>(TlsAnalyzedProperty.SUPPORTS_DHE));
}