Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to check for SSL1 ?

From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Fri, 30 Sep 2005 08:38:26 -0400
Actually, SSLDigger does check the protocol. In addition it checks for the key exchange mechanism (e.g. Diffie-Helman or RSA), the cipher suite and bit length of the keys (e.g. AES 128 bit) and the integrity protection algorithm (e.g. SHA-256). That should answer all of your needs. The one thing it won't do is tell you much about Server Gated Cryptography beyond that its present on the server and will mitigate more vulnerable protocols such as 40 bit RC4 encryption by allowing the browser to negotiate stronger encryption mechanisms than are reported by the server as being available.
Check it out at foundstone.com under the free tools section and read the associated whitepaper which discusses the tool, the protocols, cipher suites, server gated cryptography, etc.
(Disclaimer: I'm a Foundstone consultant, I use the tool regularly for engagements.) 

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it." 
    -- Thomas Paine, 1783



On Sep 29, 2005, at 5:08 AM, Thomas Springer wrote:


Hi Sahir,
Foundstone has a free tool called SSL Digger which basically does what you're looking for -- identify the cipher suites supported by a particular
SSLDigger only checks available CIPHERS, not PROTOCOLS, nor will it show you the preferred cipher the server presents first! (Especially busy servers tend to present "cheap" ciphers first to minimize load on server or SSL-proxy, even when they would support stronger ciphers.) 



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: 

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: