Skip to content

CryptoNice is both a command line tool and library which provides the ability to scan and report on the configuration of SSL/TLS for your internet or internal facing web services. Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration…

License

Notifications You must be signed in to change notification settings

F5-Labs/cryptonice

Repository files navigation

cryptonice

Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration and supporting protocols such as HTTP2 and DNS.

Cryptonice is currently supported on Windows, Mac OS and Ubuntu 20.04 (other Linux distros coming soon).

For detailed and up to date documentation, check out our ReadTheDocs pages:

https://cryptonice.readthedocs.io/

Installation

The easiest way to get started is by using PIP to install Cryptonice:

pip install cryptonice

User Guide

cryptonice requires a domain name (such as www.github.com).

cryptonice www.github.com

Providing only a domain name and no other command line input will result in the following default dictionary of commands being run.

{
    "id": "default",
    "port": 443,
    "scans": ["TLS", "HTTP", "HTTP2", "DNS"],
    "tls_params": ["certificate_information", "ssl_2_0_cipher_suites", "ssl_3_0_cipher_suites","tls_1_0_cipher_suites", "tls_1_1_cipher_suites", "tls_1_2_cipher_suites","tls_1_3_cipher_suites", "http_headers"],
    "http_body": false,
    "force_redirect": true,
    "print_out": true,
    "generate_json": true,
    "targets": ["www.github.com"]
}

The user can also choose to specify custom commands. Each custom command must be preceded with the name of the option (ex: to specify the scans TLS and HTTP to run, the user must add --scans TLS HTTP to the command line parameters)

  • --PORT: port to perform the scan on (default = 443)
  • --SCANS: scans to perform
    • TLS scan, HTTP headers, HTTP2 check, DNS data
  • --TLS_PARAMETERS: TLS specific scans to perform (should be listed as specified below, with no commas between options):
    • all, no_vuln_tests, certificate_info, ssl_2_0_cipher_suites, ssl_3_0_cipher_suites, tls_1_0_cipher_suites, tls_1_1_cipher_suites, tls_1_2_cipher_suites, tls_1_3_cipher_suites, tls_compression, tls_1_3_early_data, openssl_ccs_injection, heartbleed, robot, tls_fallback_scsv, session_renegotiation, session_resumption, session_resumption_rate, http_headers
    • all results in all commands being run, no_vuln_tests results in certificate_info, http_headers and the cipher_suites commands being run.
    • More information on each of these scan options can be found at: https://nabla-c0d3.github.io/sslyze/documentation/available-scan-commands.html
  • --HTTP_BODY: Y/y or N/n - sets a Boolean variable to include or exclude HTTP pages information
  • --FORCE_REDIRECTS: Y/y or N/n - sets a Boolean variable to check for automatic redirects from port 80 to 443 in a TLS scan (default = Y)
  • --PRINT_OUT: Y/y or N/n - sets a Boolean variable to print scan results to console (default = Y)
  • --JSON_OUT: Y/y or N/n - sets a Boolean variable to print scan results to JSON output file (default = Y)

Output

cryptonice generates a JSON output file with the information requested by the input parameters. Output files will be named after the domain name and port provided (ex: target = www.github.com, port = 443, output = www.github.com-443.json)

Utilizing the library in your own code

cryptonice can be used within other projects as well. An example of this functionality can be found in the simple sample_script.py file. In that short script, the program input is a JSON file (sample_scan.json also provided) with the required commands. The data is read into a dictionary and sent to the scanner_driver function in cryptonice/scanner. Individual modules can also be called from outside functions, and will return a dictionary of the results. Further information on function parameters can be found in the code comments for each function.

Limitations

This code does not currently have the capability to scan a server based on an IP address and an SNI. Instead, the user must supply a hostname and internally the code will do a DNS resolution. This may lead to discrepancies in the IP address scanned in the TLS portions and the HTTP headers section. Certain domain names may also result in only one certificate being returned. The issue currently persists in the sslyze API where we get the certificate information, and we are working to find a solution.

About

CryptoNice is both a command line tool and library which provides the ability to scan and report on the configuration of SSL/TLS for your internet or internal facing web services. Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration…

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published