WS-TLS-Scanner is a web service created by the Chair for Network and Data Security at Ruhr-University Bochum to integrate TLS-Scanner into the SIWECOS project. The web service scans a provided URL for various TLS misconfigurations and responds with a JSON report. It supports HTTPS, IMAP (STARTTLS), POP3 (STARTTLS), SMTP (STARTTLS), POP3S, IMAPS and SMTPS.
In order to compile and use WS-TLS-Scanner, you need to have Java installed, as well as TLS-Attacker, ModifiableVariables and TLS-Scanner.

```bash
$ cd WS-TLS-Scanner
$ mvn clean package
```

For hints on installing the required libraries, check out the corresponding GitHub repositories.

Please note: in order to run this tool you need TLS-Attacker 3.2b.
In order to run WS-TLS-Scanner, deploy the .war file from the target/ folder to your favourite Java application server (e.g. Glassfish, Tomcat, ...). After that the web service should be up and running and can be called by sending a POST with a JSON body like
```json
{
  "url": "google.de",
  "dangerLevel": 0,
  "callbackurls": [
    "http://127.0.0.1:8080"
  ]
}
```
to either

```
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/tls
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/pop3
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/pop3s
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/imap
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/imaps
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/smtp
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/smtp_msa
http://127.0.0.1:8080/WS-TLS-Scanner-3.0.0/smtps
```

or

```
http://127.0.0.1:8080/tls
http://127.0.0.1:8080/pop3
http://127.0.0.1:8080/pop3s
http://127.0.0.1:8080/imap
http://127.0.0.1:8080/imaps
http://127.0.0.1:8080/smtp
http://127.0.0.1:8080/smtps
```

depending on your application server (i.e. whether it deploys the application under the WS-TLS-Scanner-3.0.0 context path or at the root).
TLS-Scanner uses the concept of "checks" which are performed after it has collected configuration information. A check which results in "true" is considered a non-optimal choice and is an indicator for a pentester of a possible problem.
An example output may look like this:
```json
{
  "name" : "TLS",
  "hasError" : false,
  "errorMessage" : null,
  "score" : 0,
  "tests" : [ {
    "name" : "PORT_NO_RESPONSE",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "TLS_NOT_SUPPORTED",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "hidden",
    "testDetails" : null
  }, {
    "name" : "CERTIFICATE_EXPIRED",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "CERTIFICATE_NOT_VALID_YET",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "CERTIFICATE_NOT_SENT_BY_SERVER",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "hidden",
    "testDetails" : null
  }, {
    "name" : "CERTIFICATE_WEAK_HASH_FUNCTION",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "CIPHERSUITE_ANON",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : [ {
      "placeholder" : "ANON_SUITES",
      "values" : ""
    } ]
  }, {
    "name" : "CIPHERSUITE_EXPORT",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : [ {
      "placeholder" : "EXPORT_SUITES",
      "values" : ""
    } ]
  }, {
    "name" : "CIPHERSUITE_NULL",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : [ {
      "placeholder" : "NULL_SUITES",
      "values" : ""
    } ]
  }, {
    "name" : "CIPHERSUITE_RC4",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : [ {
      "placeholder" : "RC4_SUITES",
      "values" : ""
    } ]
  }, {
    "name" : "CIPHERSUITEORDER_ENFORCED",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 90,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "PROTOCOLVERSION_SSL2",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "PROTOCOLVERSION_SSL3",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "BLEICHENBACHER_VULNERABLE",
    "hasError" : true,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "CRIME_VULNERABLE",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "HEARTBLEED_VULNERABLE",
    "hasError" : true,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "INVALID_CURVE_EPHEMERAL_VULNERABLE",
    "hasError" : true,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "INVALID_CURVE_VULNERABLE",
    "hasError" : true,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "PADDING_ORACLE_VULNERABLE",
    "hasError" : true,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "POODLE_VULNERABLE",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "TLS_POODLE_VULNERABLE",
    "hasError" : true,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : null
  }, {
    "name" : "CIPHERSUITE_DES",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 100,
    "scoreType" : "success",
    "testDetails" : [ {
      "placeholder" : "DES_SUITES",
      "values" : ""
    } ]
  }, {
    "name" : "PROTOCOLVERSION_TLS13",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 0,
    "scoreType" : "bonus",
    "testDetails" : null
  }, {
    "name" : "SWEET32_VULNERABLE",
    "hasError" : false,
    "errorMessage" : null,
    "score" : 80,
    "scoreType" : "warning",
    "testDetails" : null
  } ]
}
```
| Check | Meaning |
|---|---|
| HTTPS_NO_RESPONSE | Checks if we get any response on port 443 |
| HTTPS_NOT_SUPPORTED | Checks if the server supports TLS on port 443 |
| CERTIFICATE_EXPIRED | Checks if the certificate has expired |
| CERTIFICATE_NOT_VALID_YET | Checks if the certificate is not yet valid (its validity period has not started) |
| CERTIFICATE_WEAK_HASH_FUNCTION | Checks if the server uses a weak hash algorithm for its certificate |
| CERTIFICATE_WEAK_SIGN_ALGORITHM | Checks if the server uses a weak signature algorithm for its certificate |
| CERTIFICATE_NOT_SENT_BY_SERVER | Checks if the server did not send a certificate at all |
| CIPHERSUITE_ANON | Checks if the server has ANON ciphersuites enabled |
| CIPHERSUITE_EXPORT | Checks if the server has EXPORT ciphersuites enabled |
| CIPHERSUITE_NULL | Checks if the server has NULL ciphersuites enabled |
| CIPHERSUITE_RC4 | Checks if the server has RC4 ciphersuites enabled |
| CIPHERSUITEORDER_ENFORCED | Checks if the server does not enforce a ciphersuite ordering |
| PROTOCOLVERSION_SSL2 | Checks if SSL 2 is enabled |
| PROTOCOLVERSION_SSL3 | Checks if SSL 3 is enabled |
| PROTOCOLVERSION_TLS13 | Checks if the server supports TLS 1.3 |
| BLEICHENBACHER_VULNERABLE | Checks if the server is vulnerable to the Bleichenbacher attack (ROBOT) |
| PADDING_ORACLE_VULNERABLE | Checks if the server is vulnerable to the Padding Oracle attack |
| INVALID_CURVE_VULNERABLE | Checks if the server is vulnerable to the Invalid Curve attack |
| INVALID_CURVE_EPHEMERAL_VULNERABLE | Checks if the server is vulnerable to the Ephemeral Invalid Curve attack |
| POODLE_VULNERABLE | Checks if the server is vulnerable to the POODLE attack |
| TLS_POODLE_VULNERABLE | Checks if the server is vulnerable to the TLS-POODLE attack |
| CRIME_VULNERABLE | Checks if the server is vulnerable to the CRIME attack |
| SWEET32_VULNERABLE | Checks if the server is vulnerable to the SWEET32 attack |
| HEARTBLEED_VULNERABLE | Checks if the server is vulnerable to the Heartbleed attack |
| EARLYCCS_VULNERABLE | Checks if the server is vulnerable to the EarlyCCS attack |
For more information on the interpretation of this output, check out the TLS-Scanner repository.
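The following client is an added example and not part of WS-TLS-Scanner itself: it builds the POST body shown above, can submit it to one of the listed endpoints, and sorts the checks of a returned report by `hasError`, `scoreType` and `score`. The sample report is constructed from the shape of the example output, and treating a `success` check below 100 or a `warning` as something to look at is this example's own reading of the scores, not a rule stated by the project.

```python
import json
import urllib.request

# Constructed sample, cut down from the report shape shown above (not a real scan result).
SAMPLE_REPORT = json.dumps({
    "name": "TLS", "hasError": False, "errorMessage": None, "score": 0,
    "tests": [
        {"name": "PORT_NO_RESPONSE", "hasError": False, "errorMessage": None,
         "score": 100, "scoreType": "success", "testDetails": None},
        {"name": "CIPHERSUITE_RC4", "hasError": False, "errorMessage": None,
         "score": 100, "scoreType": "success",
         "testDetails": [{"placeholder": "RC4_SUITES", "values": ""}]},
        {"name": "CIPHERSUITEORDER_ENFORCED", "hasError": False, "errorMessage": None,
         "score": 90, "scoreType": "success", "testDetails": None},
        {"name": "HEARTBLEED_VULNERABLE", "hasError": True, "errorMessage": None,
         "score": 100, "scoreType": "success", "testDetails": None},
        {"name": "PROTOCOLVERSION_TLS13", "hasError": False, "errorMessage": None,
         "score": 0, "scoreType": "bonus", "testDetails": None},
        {"name": "SWEET32_VULNERABLE", "hasError": False, "errorMessage": None,
         "score": 80, "scoreType": "warning", "testDetails": None},
    ],
})

def build_request(host, danger_level=0, callback="http://127.0.0.1:8080"):
    """Serialise the POST body the web service expects (keys as in the README example)."""
    return json.dumps({"url": host, "dangerLevel": danger_level, "callbackurls": [callback]})

def submit_scan(endpoint, body):
    """POST the body to one of the endpoints listed above; network call, not run by the test."""
    req = urllib.request.Request(endpoint, data=body.encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()

def triage(report_json):
    """Bucket checks: errored (hasError, result unreliable), hidden, bonus, needs_attention, passed."""
    report = json.loads(report_json)
    buckets = {"errored": [], "hidden": [], "bonus": [], "needs_attention": [], "passed": []}
    for t in report.get("tests", []):
        if t["hasError"]:
            buckets["errored"].append(t["name"])          # scan step failed, do not trust the score
        elif t["scoreType"] in ("hidden", "bonus"):
            buckets[t["scoreType"]].append(t["name"])     # informational / optional extra credit
        elif t["scoreType"] == "warning" or t["score"] < 100:
            buckets["needs_attention"].append(t["name"])  # assumption: below 100 means a finding
        else:
            buckets["passed"].append(t["name"])
    return buckets

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

To scan a live host, pass `build_request("example.org")` to `submit_scan("http://127.0.0.1:8080/tls", ...)` and feed the reply to `triage`.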
You can also run WS-TLS-Scanner with Docker. You can build it with:

```bash
docker build . -t tls-scanner
```

You can then run it with:

```bash
docker run -it --network host tls-scanner
```

The web service is then reachable under:

```
http://127.0.0.1:8080/https
http://127.0.0.1:8080/pop3
http://127.0.0.1:8080/pop3s
http://127.0.0.1:8080/imap
http://127.0.0.1:8080/imaps
http://127.0.0.1:8080/smtp
http://127.0.0.1:8080/smtps
```
You can also make WS-TLS-Scanner use Redis to store its tasks. Just set the following environment variables:

```
REDIS_HOST=<NODE ADDRESS HERE>
REDIS_DB=<DATABASE HERE>
```