sslcaudit 介绍

sslcaudit项目的目标是开发一个工具来测试SSL/TLS客户端自动进行对MITM攻击性。这可能是用于测试胖客户端,移动应用,家电,几乎任何有关通过在TCP上SSL/TLS的通信。

资料来源
sslcaudit 首页
sslcaudit 源代码版本库

包含在sslcaudit里的工具

sslcaudit - 测试SSL/TLS客户的MITM攻击敏感性
:~# sslcaudit -h
Usage: sslcaudit [OPTIONS]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -l LISTEN_ON          Specify IP address and TCP PORT to listen on, in
                        format of HOST:PORT. Default is 0.0.0.0:8443
  -m MODULES            Launch specific modules. For now the only functional
                        module is 'sslcert'. There is also 'dummy' module used
                        for internal testing or as a template code for new
                        modules. Default is sslcert
  -v VERBOSE            Increase verbosity level. Default is 0. Try 1.
  -d DEBUG_LEVEL        Set debug level. Default is 0, which disables
                        debugging output. Try 1 to enable it.
  -c NCLIENTS           Number of clients to handle before quitting. By
                        default sslcaudit will quit as soon as it gets one
                        client fully processed.
  -N TEST_NAME          Set the name of the test. If specified will appear in
                        the leftmost column in the output.
  -T SELF_TEST          Launch self-test. 0 - plain TCP client, 1 - CN
                        verifying client, 2 - curl.
  --user-cn=USER_CN     Set user-specified CN.
  --server=SERVER       Where to fetch the server certificate from, in
                        HOST:PORT format.
  --user-cert=USER_CERT_FILE
                        Set path to file containing the user-supplied
                        certificate.
  --user-key=USER_KEY_FILE
                        Set path to file containing the user-supplied key.
  --user-ca-cert=USER_CA_CERT_FILE
                        Set path to file containing certificate for user-
                        supplied CA.
  --user-ca-key=USER_CA_KEY_FILE
                        Set path to file containing key for user-supplied CA.
  --no-default-cn       Do not use default CN
  --no-self-signed      Don't try self-signed certificates
  --no-user-cert-signed
                        Do not sign server certificates with user-supplied one

sslcaudit用法示例

监听443端口(-L 0.0.0.0:443)在详细模式(-v 1):

:~# sslcaudit -l 0.0.0.0:443 -v 1
# filebag location: sslcaudit.1
127.0.0.1:38978  selfsigned(www.example.com)          tlsv1 alert unknown ca