Today, we talk about SSLyze. SSLyze is a Python tool that can analyze the SSL configuration of a server. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers.
Key features include:
- Multi-processed and multi-threaded scanning (it’s fast)
- SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility
- Performance testing: session resumption and TLS tickets support
- Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more
- Server certificate validation and revocation checking through OCSP stapling
- Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP and FTP
- Support for client certificates when scanning servers that perform mutual authentication
- XML output to further process the scan results
Source: https://github.com/iSECPartners/sslyze SSLyze Homepage | Kali SSLyze Repo
- Author: iSECPartners
- License: GPLv2
Let’s get started.
First, we need to install SSLyze. Before installing SSLyze, we need to install python setuptools using the following command:
pip install --upgrade setuptools
Then we install SSLyze using the following command:
pip install --upgrade sslyze
Then when the installation is completed, you shall see a screen similar to this:
At this level, you managed to successfully install sslyze.
Now, let’s use the tool and find out what it can really do.
To start SSLyze and go to the help menu, simple type the following command:
To extract the configuration of a particular website, type the following command:
sslyze –-regular www.yahoo.com
(Here, we took www.yahoo.com as an example, you can replace it with any website of your choice)
Your screen should look like that (if you used www.yahoo.com):
You can scroll down your terminal to see what information the tool has extracted.
You can also go back to the help menu and utilize the commands available until you get what you want.
What Bunny Rating Does it Get
SSLyze is an effective tool to extract ssl configuration about the server. It allows the hacker to gather information such as the issue date, the public key, the key size, status etc. It also provides information whether the OpenSSL heartbleed vulnerability is present or not. This is a powerful tool and I would give it a 5 out of 5 rating.
Want to learn more about ethical hacking?
Do you know of another GitHub related hacking tool?
Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.