Abstract

While performing Web Application Penetration Testing and PCI compliance audits, correctly verifying SSL versions and cipher suites supported by the web server is an important test case. A number of the existing tools provide testers with a fixed set of cipher suites. Further, testing itself is performed by initiating an SSL Socket connection with one cipher suite at a time. This approach is fraught with false positives and often does not provide a clear picture of the true vulnerability of the server.

To combat these shortcomings, during this presentation a new cross-platform and open-source tool called SSLSmart will be introduced. SSLSmart is an advanced, highly flexible and interactive tool aimed at reducing the false positives incurred during SSL testing. The presentation will begin with an introduction to the SSL handshake and provide the audience with an understanding of the packet exchanges between the client and server that occur during this negotiation. This will be followed by a demo of the SSLSmart GUI and its capabilities highlighting how it overcomes the drawbacks seen in other tools. Various tool features such as dynamic cipher suite generation using OpenSSL filters, server certificate validation, content vs. connect Scans, transparent proxy support among others will also be discussed during the course of presentation. Building on that, we will dig deeper and introduce the set of monkey patched Ruby API’s that form the core of SSLSmart and show correspondence between the API’s and the handshake packets they can be used to generate. We will wrap up by creating a quick command line SSL Cipher enumeration script using the Interactive Ruby Shell. This will provide the attendees with hands on experience for creating their own custom scripts.