This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "O-Saft"

From OWASP
Jump to: navigation, search
(Quick Download)
(Introduction)
 
(20 intermediate revisions by the same user not shown)
Line 47: Line 47:
 
: ''o-saft.tcl''
 
: ''o-saft.tcl''
 
: ''o-saft.tcl your.tld''
 
: ''o-saft.tcl your.tld''
 +
 +
* Kali 2019
 +
: ''apt install o-saft'' # installs version 19.01.19
 +
: ''apt install libidn11-dev libidn2-0-dev libzip-dev libsctp-dev libkrb5-dev''
 +
: ''cd /usr/share/o-saft''
 +
: # get updated script
 +
: ''curl -O contrib/install_openssl.sh https://raw.githubusercontent.com/OWASP/O-Saft/master/contrib/install_openssl.sh''
 +
: ''sh contrib/install_openssl.sh --m''
 +
: # enjoy commands as described before ...
  
 
====Description====
 
====Description====
Line 58: Line 67:
 
:* check for ciphers without any dependency to a library (+cipherall)
 
:* check for ciphers without any dependency to a library (+cipherall)
 
:* checks the server's priority for ciphers (+cipherall)  
 
:* checks the server's priority for ciphers (+cipherall)  
:* check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
+
:* check for special HTTP(S) support (like SNI, HSTS, certificate pinning, SSTP)
:* check for protections against attacks (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...)
+
:* check for vulnerabilities (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...)
 
:* check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental')
 
:* check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental')
 
:* may check for a single attribute
 
:* may check for a single attribute
Line 115: Line 124:
  
 
== Presentations ==
 
== Presentations ==
* 03.04.2015 O-Saft Workshop at <u>[[https://sites.google.com/view/bsidesmunich2017 BSides Munich 2017]]</u>
+
* 03.04.2017 O-Saft Workshop at <u>[[https://sites.google.com/view/bsidesmunich2017 BSides Munich 2017]]</u>
  
 
* Workshop <u>[http://www.it-security-konferenz.de/programm.html#workshop3|3. Kölner IT-Security-Konferenz]</u>
 
* Workshop <u>[http://www.it-security-konferenz.de/programm.html#workshop3|3. Kölner IT-Security-Konferenz]</u>
Line 155: Line 164:
  
 
== Quick Download ==
 
== Quick Download ==
* '''Stable Release (17.09.17)''': <u>[https://github.com/OWASP/O-Saft/archive/17.07.19.tar.gz o-saft.tgz]</u>
+
* '''Stable Release (19.01.19)''': <u>[https://github.com/OWASP/O-Saft/archive/19.01.19.tar.gz o-saft.tgz]</u>
 
* more see  [[#Change Log]]
 
* more see  [[#Change Log]]
  
== docker ==
+
== Docker ==
* Docker Container is available at <u>https://hub.docker.com/r/punkstar/o-saft/</u>, thanks to punkstar.
+
A Docker Container can be found at <u>https://hub.docker.com/r/owasp/o-saft/</u>
  
 
== News and Events ==
 
== News and Events ==
 +
* [2019] O-Saft is available as package in '''Kali 2019'''
 
* [12. - 16.06.17] <u>[[https://owaspsummit.org/Working-Sessions/Owasp-Projects/O-Saft.html O-Saft Track]]</u> (at OWASP Summit, London)
 
* [12. - 16.06.17] <u>[[https://owaspsummit.org/Working-Sessions/Owasp-Projects/O-Saft.html O-Saft Track]]</u> (at OWASP Summit, London)
 
* '''2013 Top Security Tools'''
 
* '''2013 Top Security Tools'''
Line 246: Line 256:
 
=Change Log=
 
=Change Log=
 
==Change Log==
 
==Change Log==
 +
* 19.01.2019  Stable Release '''19.01.19''';
 +
* 18.11.2018  Stable Release '''18.11.18''';
 +
* 18.07.2018  Stable Release '''18.07.18'''; bugfixes, GUI improved, docker improved, OCSP Stapling, Makefile*, contrib/build_openssl.sh
 +
* 16.04.2018 Link Docker Container (pinkstar removed) as docker is supported directly
 +
<!-- Docker Containeris available at <u>https://hub.docker.com/r/punkstar/o-saft/</u>, thanks to punkstar. outdated -->
 +
* 18.01.2018 Docker improved; +sni checks improved; wrapper script o-saft; +robot
 +
* 17.11.2017 Dockerfile improved; +cipherall improved; bugfix: no prefered cipher for SSLv2; bit-length for serial number corrected
 +
* 17.09.2017 docker build openssl with GOST and KRB5 ciphers; bugfix for BEAST and sub-domain checks
 
* 17.07.2017 docker image supported; performance improved; support unresponsive targets
 
* 17.07.2017 docker image supported; performance improved; support unresponsive targets
 
* 17.04.2017 ALPN and NPN support improved
 
* 17.04.2017 ALPN and NPN support improved
Line 267: Line 285:
  
 
== Download ==
 
== Download ==
 +
* Stable Release (18.07.18): <u>[https://github.com/OWASP/O-Saft/archive/18.07.18.tar.gz o-saft.tgz]</u>
 +
* Stable Release (18.01.18): <u>[https://github.com/OWASP/O-Saft/archive/18.01.18.tar.gz o-saft.tgz]</u>
 +
* Stable Release (17.11.17): <u>[https://github.com/OWASP/O-Saft/archive/17.11.17.tar.gz o-saft.tgz]</u>
 
* Stable Release (17.06.17): <u>[https://github.com/OWASP/O-Saft/archive/17.06.17.tar.gz o-saft.tgz]</u>
 
* Stable Release (17.06.17): <u>[https://github.com/OWASP/O-Saft/archive/17.06.17.tar.gz o-saft.tgz]</u>
 
* Stable Release (17.05.17): <u>[https://github.com/OWASP/O-Saft/archive/17.05.17.tar.gz o-saft.tgz]</u>
 
* Stable Release (17.05.17): <u>[https://github.com/OWASP/O-Saft/archive/17.05.17.tar.gz o-saft.tgz]</u>

Latest revision as of 20:19, 27 July 2019

O-Saft - check for SSL connection, certificate and ciphers(this text to make crawlers happy;-)
Lab big.jpg

O-Saft

OWASP SSL advanced forensic tool / OWASP SSL audit for testers

O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.

It's designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important informations or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.

O-Saft is a command-line tool, so it can be used offline and in closed environments. There is also a GUI based on Tcl/Tk. However, it can simply be turned into an online CGI-tool (please read documentation first).

Introduction

Quick Installation
  • Download and unpack o-saft.tgz (Stable Release)
  • to run o-saft: Ensure that following perl modules (and their dependencies) are installed
      IO::Socket::INET, IO::Socket::SSL, Net::SSLeay
      Net::SSLinfo, Net::SSLhello (which are part of the tarball)
  • read and (re-)move o-saft-README
  • Show help
o-saft --help=commands
o-saft --help
  • Start
o-saft +info your.tld
o-saft +check your.tld
o-saft +quick your.tld
o-saft +cipherall your.tld
o-saft +cipherall --starttls=pop3 pop3.your.tld:110
o-saft +info mail.tld:25 --starttls
  • to run the optional checkAllCiphers (tiny program to check solely ciphers, like command '+cipherall'): It usually does not need any perl module to be additionally installed
      Socket (should be part of your perl installation)
      Net::SSLhello (which is part of the tarball)
      NET::DNS (only needed, if option '--mx' is used)
  • Start
checkAllCiphers your.tld
checkAllCiphers --starttls=pop3 pop3.your.tld:110
checkAllCiphers --mx your.tld:25 --starttls=smtp
  • Simple GUI
o-saft.tcl
o-saft.tcl your.tld
  • Kali 2019
apt install o-saft # installs version 19.01.19
apt install libidn11-dev libidn2-0-dev libzip-dev libsctp-dev libkrb5-dev
cd /usr/share/o-saft
# get updated script
curl -O contrib/install_openssl.sh https://raw.githubusercontent.com/OWASP/O-Saft/master/contrib/install_openssl.sh
sh contrib/install_openssl.sh --m
# enjoy commands as described before ...

Description

The main idea is to have a tool which works on common platforms and can simply be automated.

In a Nutshell
  • show SSL connection details
  • show certificate details
  • check for supported ciphers
  • check for ciphers provided in your own libssl.so and libcrypt.so
  • check for ciphers without any dependency to a library (+cipherall)
  • checks the server's priority for ciphers (+cipherall)
  • check for special HTTP(S) support (like SNI, HSTS, certificate pinning, SSTP)
  • check for vulnerabilities (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...)
  • check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental')
  • may check for a single attribute
  • may check multiple targets at once
  • can be scripted (headless or as CGI)
  • should work on any platform (just needs perl, openssl optional)
  • can be used in CI / CD environments
  • output format can be customized
  • various trace and debug options to hunt unusual connection problems
  • supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental) ...),[without options using openssl]
      slows down to prevent blockades of requests due to too much connections (supported for some protocols like SMTP)
  • Proxy is supported (besides commands using openssl)
  • check of STARTTLS/SMTP for all servers of a MX Resource Record (e.g. checkAllCiphers --mx your.tld:25 --starttls=smtp)
  • checkAllCiphers.pl and '+cipherall' support DTLS for '--experimental' use (if records are *not* fragmented)

New Features of Test Version

Quick Installation (test version)
  • Download and unpack: master.zip
  • Start INSTALL.sh (if you want:)
  • Enjoy new functionality:
  • --starttls='CUSTOM' to customize your own STARTTLS sequence including error handling, see help for '--starttls_phase1..5' and '--starttls_error1..3'
  • '+cipherraw' and 'checkAllCiphers.pl' changed bahavior to check sni (now the default is to use solely sni >=tls1,
    new option --togglesni tests without and with sni in one call
  • checkAllCiphers.pl/+cipherall: shows the length of dh_parameter for ciphers with DHE and DH_anon, shows the elliptic curve that the server prefers for ECDHE (independant from openssl)
  • checkAllCiphers.pl/+cipherall: support of fagmented messages reassembling SSL/TLS-records

What is O-Saft?

O-Saft provides:

  • SSL connection details
  • certificate details
  • full cipher check
  • special HTTP(s) checks
  • check for SSL vulnerabilities
  • can be scripted
  • platfrom independent
  • customizable output
  • supports STARTTLS and Proxy (for most commands)

Screen Shots

Documentation

Presentations

There will be a training O-Saft - TLS/SSL in Practice.
There will be a training TLS/SSL in Practice which in particular covers O-Saft.
There will be a training TLS/SSL in Practice which in particular covers O-Saft. For schedule see here.

(These presentations are in German)

Project Leader

Achim Hoffmann

Licensing

OWASP O-Saft is free to use. It is licensed under the GPL v2 license.

Related Projects

Github

Ohloh

Quick Download

Docker

A Docker Container can be found at https://hub.docker.com/r/owasp/o-saft/

News and Events

  • [2019] O-Saft is available as package in Kali 2019
  • [12. - 16.06.17] [O-Saft Track] (at OWASP Summit, London)
  • 2013 Top Security Tools
thanks for voting O-Saft as #10 best security tools 2013

In Print / Media

Find a OWASP 24/7 podcast about the tool here.

Classifications

Owasp-labs-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files TOOL.jpg
Retrieved from "https://wiki.owasp.org/index.php?title=O-Saft&oldid=253313"