When performing pentesting engagements, there are times when validation of SSL/TLS ciphers, protocols, certificates, etc. is needed. One tool that White Oak Security’s pentesting team tends to make use of is the testssl.sh command line tool, which is freely available for anyone to download. In this article, we will go through the installation process and how to use the new toolset.
How To Install TestSSL.sh
Installation is pretty simple as there are a couple different options available. The first option is pulling directly from the testssl.sh website utilizing the following commands:
Latest stable code:
curl -L https://testssl.sh > testssl.sh
Latest development code:
curl -L https://testssl.sh/dev/ > testssl.sh
The second option is pulling the testssl.sh toolset from GitHub utilizing the following command:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
Pretty simple, right? Now let’s get into using the toolset.
How Pentesters Use TestSSL.sh
This tool is one of the simplest pentesting tools to use for gathering valuable information. To start, change into the directory where the testssl.sh script is located, then issue the following commands:
Standard HTTPS webserver:
./testssl.sh https://<IP or Hostname>
Non-Standard SSL Ports:
./testssl.sh <IP or Hostname:PORT>
Here is an example screenshot utilizing the toolset:
Scrolling down the output from testssl.sh, there is useful information regarding the ciphers supported, SSL certificate information, and protocols utilized.
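For reporting, the same results can be written to a file with testssl.sh's --jsonfile option and filtered by severity. The script below is an added example, not part of the original post or the testssl.sh project; the sample records (host, check ids, findings) are constructed, and the field names assume the flat one-object-per-check JSON layout.

```python
import json

# Constructed sample in the flat layout of `testssl.sh --jsonfile out.json <target>`.
# Host, address, check ids and findings are made up for illustration.
HOST = "host.example/192.0.2.10"
SAMPLE = json.dumps([
    {"id": "SSLv3", "ip": HOST, "port": "443", "severity": "HIGH", "finding": "offered"},
    {"id": "TLS1", "ip": HOST, "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
    {"id": "TLS1_2", "ip": HOST, "port": "443", "severity": "OK", "finding": "offered"},
    {"id": "cert_notAfter", "ip": HOST, "port": "443", "severity": "MEDIUM", "finding": "expires < 30 days"},
    {"id": "BREACH", "ip": HOST, "port": "443", "severity": "WARN", "finding": "test failed"},
    {"id": "scanTime", "ip": HOST, "port": "443", "severity": "INFO", "finding": "42"},
])

# Severity labels from lowest to highest. WARN is handled separately: it means
# a check could not be completed, not that the target passed it.
RANK = {s: i for i, s in enumerate(["OK", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}

def triage(raw, min_severity="LOW"):
    """Return (findings at or above min_severity, worst first; incomplete check ids)."""
    floor = RANK[min_severity]
    findings, incomplete = [], []
    for entry in json.loads(raw):
        sev = entry.get("severity", "")
        if sev == "WARN":
            incomplete.append(entry.get("id", "?"))
        elif RANK.get(sev, -1) >= floor:
            findings.append((sev, entry.get("ip", "?"), entry.get("port", "?"),
                             entry.get("id", "?"), entry.get("finding", "")))
    # Stable sort: equal severities keep the order testssl.sh reported them in.
    findings.sort(key=lambda r: RANK[r[0]], reverse=True)
    return findings, incomplete

def report(findings, incomplete):
    """Format the triaged results as plain text for a report appendix."""
    lines = [f"{sev:<8} {ip}:{port}  {cid}: {text}" for sev, ip, port, cid, text in findings]
    if incomplete:
        lines.append("Re-run needed (check did not complete): " + ", ".join(incomplete))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(*triage(SAMPLE)))
```

Checks reported as WARN are listed separately so that a test that failed to run is not mistaken for a clean result.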
Hopefully this blog post demonstrates how easy testssl.sh is to install and use for everyday testing. Any additional information on the toolset can be obtained from their website: https://testssl.sh/. In closing, there are many tools available that perform similar tests; however, we prefer this tool because it is easy to install and use, and it provides clear output for reporting purposes.