tlsaudit

module

v0.4.3 Latest Latest Go to latest Published: Feb 15, 2019 License: BSD-3-Clause

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/adedayo/tlsaudit

Links

Open Source Insights

README ¶

TLSAudit

TLSAudit is a utility for auditing TLS (including SSL and STARTTLS) security settings. You can use it to enumerate protocols, ciphers and curves supported by an open TCP port. Scan entire CIDR ranges with TLSAudit to discover which ports are open and get details of the TLS configurations of the open ports. You can scan specific port ranges within CIDR ranges too, by using a format such as tlsaudit 10.10.5.0:443/24, which scans the entire CIDR range 10.10.5.0/24 but looking only at port 443.

Using it as a command-line tool

TLSAudit is also available as a command-line tool.

Installation

Prebuilt binaries may be found for your operating system here: https://github.com/adedayo/tlsaudit/releases

For macOS X, you could install via brew as follows:

brew tap adedayo/tap
brew install tlsaudit

Scanning CIDR ranges

tlsaudit 8.8.8.8 192.168.2.5/30 10.11.12.13:443/31

For JSON-formatted output simply add the --json or -j flag:

tlsaudit --json 8.8.8.8 192.168.2.5/30 10.11.12.13:443/31

Depending on the fidelity of the network being scanned or the size of CIDR ranges, it may be expedient to adjust the scan timeout and the number of packets per second to send during the open port discovery phase. Several scanning options are available. See the options from the commandline help.

Command line options

Usage:
  tlsaudit [flags]

Examples:
tlsaudit 8.8.8.8/32 10.10.10.1/30
tlsaudit --timeout=10 8.8.8.8:443/32

Flags:
  -h, --help                                                help for tlsaudit
  -c, --hide-certs                                          suppress certificate information in output (default: false)
  -i, --input string[="tlsaudit_input.txt"]                 read the CIDR range, IPs and domains to scan from an input FILE separated by commas, or newlines (default "tlsaudit_input.txt")
  -j, --json                                                generate JSON output
  -o, --output string[="tlsaudit.txt"]                      write results into an output FILE (default "tlsaudit.txt")
  -p, --protocols-only                                      only check supported protocols - will not do detailed checks on supported ciphers (default: false)
  -q, --quiet                                               control whether to produce a running commentary of progress or stay quiet till the end (default: false)
  -r, --rate int                                            the rate (in packets per second) that we should use to scan for open ports (default 1000)
  -s, --service string[="data/config/TLSAuditConfig.yml"]   run tlsaudit as a service (default "data/config/TLSAuditConfig.yml")
  -t, --timeout int                                         TIMEOUT (in seconds) to adjust how much we are willing to wait for servers to come back with responses. Smaller timeout sacrifices accuracy for speed (default 5)
      --version                                             version for tlsaudit

An issue on macOS

You may encounter errors such as

panic: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

Fix the permission problem permanently by using the "Wireshark" approach of pre-allocating /dev/bpf*, and changing their permissions so that the admin group can read from and write packets to the devices. I have provided the fix-bpf-permissions.sh script to simplify the steps, you can run it as shown below. It will ask for your password for the privileged part of the script, but read the script to satisfy yourself that you trust what it is doing! You care about security, right?

curl -O https://raw.githubusercontent.com/adedayo/tlsaudit/master/fix-bpf-permissions.sh
chmod +x fix-bpf-permissions.sh
./fix-bpf-permissions.sh

You should be good to go! You may need to reboot once, but this works across reboots. Note that this is a common problem for tools such as Wireshark, TCPDump etc. that need to read from or write to /dev/bpf*. This solution should fix the problem for all of them - the idea was actually stolen from Wireshark with some modifications :-).

Running as non-root on Linux

You ideally want to be able to run tlsaudit as an ordinary user, say, my_user, but since tlsaudit sends raw packets you need to adjust capabilities to allow it to do so. The following may be necessary:

Ensure the following two lines are in /etc/security/capability.conf

cap_net_admin   my_user
none *

Also, in /etc/pam.d/login add the following

auth    required        pam_cap.so

Finally, grant the capability to the tlsaudit file (assuming /path/to is the absolute path to your tlsaudit binary)

setcap cap_net_raw,cap_net_admin=eip /path/to/tlsaudit

License

BSD 3-Clause License

Directories ¶

Path	Synopsis
cmd
tlsaudit
tlsaudit/cmd
pkg
golang
model

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL