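I'm looking for software that helps detect, at a central location, applications that use weak encryption or outdated protocols. Apologies if that sounds vague. Perhaps an example will help.
Suppose a browser connects to some website over https. But for some reason the negotiated cipher is weak, below some threshold, say some 56-bit cipher. Or the protocol is SSL 2.0 or anything "lower" than TLS 1.0. Is there any software that can monitor network traffic on a server or router and issue a warning or take some other action if something like this happens? It doesn't have to be perfect and can be heuristic; every bit of information helps.
I don't want to install software on every client that performs what is technically a man-in-the-middle attack.
Edit: I'm not looking for a tool that probes one specific server, but for a tool that runs on our server/router and issues some kind of warning when "yet another client" establishes an insecure connection with "some server" on the Internet. Yes, I know this is unlikely... but hope dies last.
Answer 1
I don't think you can listen in on the traffic once the SSL handshake between the server and the client is complete. You may need to scan the server to see whether it offers weak ciphers. Perhaps use "sslscan"?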
http://sourceforge.net/projects/sslscan/
https://www.titania-security.com/labs/sslscan
I know there is an Ubuntu package available for this.
This will show the cipher suites offered by the server.
So, scanning GMail with sslscan, I get:
$ sslscan --no-failed mail.google.com:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server mail.google.com on port 443
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Prefered Server Cipher(s):
SSLv3 128 bits RC4-SHA
TLSv1 128 bits RC4-SHA
SSL Certificate:
Version: 2
Serial Number: 4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
Not valid before: Oct 26 00:00:00 2011 GMT
Not valid after: Sep 30 23:59:59 2013 GMT
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:af:39:15:98:68:e4:92:fe:4f:4f:f1:bb:ff:0d:
2e:b0:fe:25:aa:bd:68:04:67:27:ea:6c:43:4c:a7:
6d:cb:c8:8f:7e:81:ee:87:26:25:10:12:54:33:9e:
aa:3d:9b:8f:8e:92:b3:4b:01:e3:f9:4a:29:c3:0f:
fd:ac:b7:d3:4c:97:29:3f:69:55:cf:70:83:04:af:
2e:04:6e:74:d6:0f:17:09:fe:9e:20:24:24:e3:c7:
68:9c:ac:11:bd:92:e4:b2:1b:09:f2:02:32:bb:55:
1b:2d:16:5f:30:12:23:e2:4c:4a:8d:c2:da:3f:e1:
b8:bf:f7:3a:b1:86:be:f0:c5
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://crl.thawte.com/ThawteSGCCA.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
Verify Certificate:
unable to get local issuer certificate
Edit:
Ah, take a look at this page: http://prefetch.net/articles/debuggingssl.html
So you can use that tool to view the handshake and the agreed-upon cipher.
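Added example, not part of either answer: the ServerHello travels in cleartext, so a passive monitor on the server or router can read the negotiated protocol version and cipher suite without decrypting anything. The Python sketch below parses the first record of a server's byte stream and flags it against the question's thresholds. It assumes the ServerHello arrives in one segment, the key-size table is partial, `MIN_BITS` is an assumed policy value, and TLS 1.3 reports 0x0303 in this field.

```python
import struct

# Symmetric key bits for a few IANA cipher-suite IDs (partial table for the example).
KEY_BITS = {
    0x0001: 0, 0x0002: 0,            # TLS_RSA_WITH_NULL_MD5 / _SHA
    0x0003: 40, 0x0008: 40,          # RSA_EXPORT RC4_40_MD5 / DES40_CBC_SHA
    0x0009: 56, 0x0015: 56,          # RSA / DHE_RSA WITH_DES_CBC_SHA
    0x0005: 128, 0x000A: 168,        # RSA_WITH_RC4_128_SHA / 3DES_EDE_CBC_SHA
    0x002F: 128, 0x0035: 256,        # RSA_WITH_AES_128 / AES_256_CBC_SHA
}
MIN_VERSION = 0x0301   # TLS 1.0, the protocol threshold named in the question
MIN_BITS = 128         # assumed policy threshold for this example

def inspect_server_hello(data: bytes):
    """Return (version, cipher_id, findings) for the first server record, or None."""
    # SSL 2.0: 2-byte header with the high bit set, then msg type 4 (SERVER-HELLO)
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 4 and data[5:7] == b"\x00\x02":
        return 0x0002, None, ["protocol SSL 2.0"]
    # SSLv3/TLS: record type 22 (handshake), handshake type 2 (ServerHello)
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x02:
        return None
    version = struct.unpack_from("!H", data, 9)[0]
    sid_len = data[43]                       # after 4-byte hs header + 2 + 32 random
    if len(data) < 44 + sid_len + 2:
        return None                          # truncated capture
    cipher = struct.unpack_from("!H", data, 44 + sid_len)[0]
    findings = []
    if version < MIN_VERSION:
        findings.append("protocol 0x%04x below TLS 1.0" % version)
    bits = KEY_BITS.get(cipher)
    if bits is None:
        findings.append("cipher 0x%04x not in table" % cipher)
    elif bits < MIN_BITS:
        findings.append("cipher 0x%04x is %d-bit" % (cipher, bits))
    return version, cipher, findings

def build_hello(version: int, cipher: int) -> bytes:
    """Constructed sample ServerHello record (zero random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    for v, c in [(0x0300, 0x0009), (0x0301, 0x002F)]:
        print(inspect_server_hello(build_hello(v, c)))
```

In a deployment the bytes would come from the first server-to-client payload of each TCP flow to port 443 seen on a mirror port or gateway capture.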
Answer 2
You can use the ssl-enum-ciphers script from nmap to get an assessment of the ciphers' adequacy.
An example:
$ nmap --script ssl-enum-ciphers.nse mail.google.com
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-22 14:09 CET
Nmap scan report for mail.google.com (173.194.34.245)
Host is up (0.0050s latency).
Other addresses for mail.google.com (not scanned): 173.194.34.246 173.194.34.247
rDNS record for 173.194.34.245: mad01s09-in-f21.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
| ssl-enum-ciphers:
| SSLv3
| Ciphers (9)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
| TLSv1.0
| Ciphers (9)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
|_ Least strength = unknown strength
Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds