Difference between revisions of "O-Saft"

O-Saft

OWASP SSL advanced forensic tool / OWASP SSL audit for testers

O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.

It's designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important informations or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.

O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI-tool (please read documentation first).

Introduction

Quick Installation

• Download and unpack o-saft.tgz (Stable Release)
• to run o-saft: Ensure that following perl modules (and their dependencies) are installed

      IO::Socket::INET, IO::Socket::SSL, Net::SSLeay

      Net::SSLinfo, Net::SSLhello (which are part of the tarball)

• read and (re-)move o-saft-README
• Show help

o-saft --help=commands

o-saft --help

• Start

o-saft +info your.tld

o-saft +check your.tld

o-saft +quick your.tld

o-saft +cipherall your.tld

o-saft +cipherall --starttls=pop3 pop3.your.tld:110

• to run the optional checkAllCiphers (tiny program to check solely ciphers, like command '+cipherall'): It usually does not need any perl module to be additionally installed

      Socket (should be part of your perl installation)

      Net::SSLhello (which is part of the tarball)

      NET::DNS (only needed, if option '--mx' is used)

• Start

checkAllCiphers your.tld

checkAllCiphers --starttls=pop3 pop3.your.tld:110

checkAllCiphers --mx your.tld:25 --starttls=smtp

• Simple GUI

o-saft.tcl

o-saft.tcl your.tld

Description

The main idea is to have a tool which works on common platforms and can simply be automated.

In a Nutshell

• show SSL connection details
• show certificate details
• check for supported ciphers
• check for ciphers provided in your own libssl.so and libcrypt.so
• check for ciphers without any dependency to a library (+cipherall)
• checks the server's priority for ciphers (+cipherall)
• check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
• check for protections against attacks (BEAST, CRIME, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, ...)
• may check for a single attribute
• may check multiple targets at once
• can be scripted (headless or as CGI)
• should work on any platform (just needs perl, openssl optional)
• scoring for all checks (still to be improved in many ways ;-)
• output format can be customized
• various trace and debug options to hunt unusual connection problems
• +cipherall: supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental) ...),
    slows down to prevent blockades of requests due to too much connections (supported for some protocols like SMTP)
• check of STARTTLS/SMTP for all servers of a MX Resource Record (e.g. checkAllCiphers --mx your.tld:25 --starttls=smtp)

New Features of Test Version

Quick Installation (test version)

• Download and unpack: master.zip
• Start INSTALL-devel.sh
• Enjoy new functionality:

• supports now STARTTLS and Proxy for all commands, e.g.

o-saft +info mail.tld:25 --starttls

• '+cipherall (+cipherraw)', checkAllCiphers.pl: Fixed a Bug in SNI

• please give us feedback via the mailinglist

What is O-Saft?

O-Saft provides:

• SSL connection details
• certificate details
• full cipher check
• special HTTP(s) checks
• check for SSL vulnerabilities
• can be scripted
• platfrom independent
• customizable output
• supports STARTTLS (+cipherall)

Documentation

• help/man page

Presentations

• Vortrag beim German OWASP Day 2014: Richtig verschlüsseln mit SSL/TLS
• Vortrag beim Münchner OWASP-Stammtisch: Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL (enthält auch ein paar Beispiele mit o-saft)

(These presentations are in German)

Project Leader

Achim Hoffmann

Licensing

OWASP O-Saft is free to use. It is licensed under the GPL v2 license.

Related Projects

Github

• https://github.com/OWASP/O-Saft

Ohloh

• https://www.ohloh.net/p/O-Saft

Quick Download

• Stable Release (15.05.15): o-saft.tgz
• Test Version: master.zip

News and Events

• 05.04.2015, simple GUI available o-saft.tcl
• 20.05.2015 AppSecEU 2015, Amsterdam

There will be a training TLS/SSL in Practice which in particular covers O-Saft.

• 08.01.2015, stable release 15.01.07
• 09.12.2014 Presentation Richtig verschlüsseln mit SSL/TLS at German OWASP Day 2014, program see here
• 07.12.2014, stable release 14.12.07
• 16.11.2014, stable release 14.11.14
• 15.10.2014, check for Poodle vulnerability, see test version: master.zip
• AppSecEU 2014, Cambridge

There will be a training TLS/SSL in Practice which in particular covers O-Saft. For schedule see here.

• Heartbleed check

10.04.2014, see https://github.com/OWASP/O-Saft

• 2013 Top Security Tools

thanks for voting O-Saft as #10 best security tools 2013

In Print / Media

Find a OWASP 24/7 podcast about the tool here.

Classifications