Introducing Opabinia / SSLAuditor
DESCRIPTION
Checking for SSL issues forms part of most infrastructure and web application assessments. However, these checks often aren't detailed enough and can miss important issues. This is often due to a perception that they are less important than other tests, and to the need to combine manual checks across multiple tools. This talk will introduce SSLAuditor4/Opabinia, a tool that I have developed to automate SSL checks, making the task easier for the tester while improving the accuracy and level of output. Opabinia will also perform an in-depth assessment of SSL and RDP services irrespective of the size of scope, and can be used by administrators to identify expired and expiring certs on their servers.

TRANSCRIPT
Aman Hardikar M
Security Consultant, IBM Security Services
The Panspermia Toolkit
Panspermia - Seeds everywhere
[Figure: the Panspermia toolkit drawn as planets (Earth, Europa, Gliese 381c, Mars, Kepler 69c, Kepler 62e, Kepler 62f, Gliese 581d), one per tool: ReportGen (Nothronychus), SSLAuditor (Opabinia), OSAuditor, VMAuditor, DBAuditor, ConCute, BLC Tool, PIG Tool.]
All images from the Internet
Introducing Opabinia/SSLAuditor4 © 2014 Aman Hardikar M
Image from David Attenborough's First Life
FIVE EYES
Certificate Checker
Web Server Checker
RDP Checker
Validity Checker
Cipher Checker
Proboscis Input Module
Has five eyes and a long proboscis
Host and port can be separated by ‘:’, ‘ ’, ‘,’
Automatic timers to detect a timeout and increase the time
REPORT ITEMS
SSL 2 Ciphers Supported
SSL 3 Ciphers Supported
TLS 1.0 Ciphers Supported
Preferred Ciphers
REPORT ITEMS
Certificate: Host IP Address, Hostname, Certificate ID, Issued To, Issued By, Alias Information, Validity Information, Certificate Chain, PEM Certificate, Revocation Information, Protocols Supported
Key: Key Information, Key Purpose, Signature Algorithm, Self-signed, Wild Card, Trusted
Protocol: Protocol Fall-back, Session Resumption, Secure Renegotiation, MAC Support, BEAST Attack, CRIME Attack
REPORT ITEMS
Banner
Cookies with Issues
Cache Settings
HSTS Header Setting
Other Security Related Headers
Vulnerable to Heartbleed
REPORT ITEMS
CredSSP Support
SSL Support
Native RDP Support
Security Level
Ciphers Supported
Checks certificate validity
Status Colour
Expired
Expiring in < 45 days
Expiring in < 90 days
Expiring in < 180 days
Valid
Features / Options
Option to only report certificates with issues
Validity details of the entire chain
To check validity across a number of servers in an enterprise
Service | Hostname | Issuer | Valid From | Valid Till | Valid for (Days) | Status
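The Validity Checker slide above defines a small but complete algorithm: bucket each certificate's notAfter into Expired / &lt; 45 / &lt; 90 / &lt; 180 days / Valid, optionally report only certificates with issues, and roll the status up over the whole chain. The following is an added example written for this page, not SSLAuditor4's own code; hostnames, issuer and the fixed "now" are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Status bands from the slide, worst first; chain_status() uses this order to pick the worst.
BANDS = ((45, "Expiring in < 45 days"), (90, "Expiring in < 90 days"), (180, "Expiring in < 180 days"))
ORDER = ["Expired"] + [label for _, label in BANDS] + ["Valid"]

@dataclass
class CertRecord:
    service: str        # port/protocol label, e.g. "443/https"
    hostname: str
    issuer: str
    valid_from: datetime
    valid_till: datetime

def days_left(valid_till, now):
    return (valid_till - now).days

def status_for(valid_till, now):
    """Map a certificate's notAfter to one of the slide's statuses."""
    if now >= valid_till:
        return "Expired"
    for limit, label in BANDS:
        if days_left(valid_till, now) < limit:
            return label
    return "Valid"

def chain_status(chain, now):
    """Validity of the entire chain: the worst status among leaf and intermediates."""
    return min((status_for(c.valid_till, now) for c in chain), key=ORDER.index)

def build_report(records, now, issues_only=False):
    """Rows in the slide's columns; issues_only implements 'only report certificates with issues'."""
    rows = []
    for r in records:
        status = status_for(r.valid_till, now)
        if issues_only and status == "Valid":
            continue
        rows.append((r.service, r.hostname, r.issuer, r.valid_from.date().isoformat(),
                     r.valid_till.date().isoformat(), days_left(r.valid_till, now), status))
    return rows

# Constructed sample inventory: placeholder hosts and issuer, fixed "now" so results are stable.
NOW, START = datetime(2014, 6, 1, tzinfo=timezone.utc), datetime(2013, 1, 1, tzinfo=timezone.utc)
def _cert(svc, host, y, m, d):
    return CertRecord(svc, host, "Example CA", START, datetime(y, m, d, tzinfo=timezone.utc))
SAMPLE = [_cert("443/https", "web.example.test", 2014, 5, 1),    # Expired
          _cert("3389/rdp", "ts.example.test", 2014, 7, 1),      # < 45 days
          _cert("443/https", "api.example.test", 2014, 11, 1),   # < 180 days
          _cert("993/imaps", "mail.example.test", 2015, 6, 1)]   # Valid
```

Feed `build_report` the chain of every listener in an inventory and the rows are exactly the slide's table; `chain_status` is what makes an intermediate that expires before the leaf show up as the issue it is.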
Option to report the issue list only.
Option to generate a mitigation procedure.
Generate a report for the previous scan.
Option to save the report to a pre-set directory. The option value is saved automatically.
Supported formats
General scan demo at https://www.youtube.com/watch?v=76N523dm3S0
Validity scan demo at https://www.youtube.com/watch?v=_QiKWm01iDQ
• Mentor: David Stubley @ 7 Elements
I am very thankful to David for his guidance from the beginning.
His suggestions helped improve the tool and the presentation.
• Friends:
I am very thankful to all my friends for testing the tool and sending their feedback.
Download software from: http://www.amanhardikar.com/software.html
Sample reports:
http://www.amanhardikar.com/software/sslauditor4-audit.html
http://www.amanhardikar.com/software/sslauditor4-validity.html
Please send feedback/feature requests/suggestions to [email protected] or http://feedback.amanhardikar.com/