一、工具介绍

SSLScan是一个SSL/TLS快速扫描器，扫描结果默认将以不同颜色显示。其中，红色底色表示没有加密；红色表示可以破解的；黄色表示弱密码；紫色表示未知类型。

1、可以扫描出目标主机的所支持的SSL/TLS协议版本

在这里插入图片描述

2、扫描是否存在心脏滴血漏洞

在这里插入图片描述

3、扫描出服务器支持的密码套件

在这里插入图片描述

4、证书信息

在这里插入图片描述

二、工具安装

1、使用git下载源码

git clone https://github.com/rbsec/sslscan

2、进入目录

cd sslscan

3、编译安装

make static

4、检查是否安装成功

./sslscan --version

在这里插入图片描述
安装成功
PS：注意要在sslcan目录下执行命令

5、使用

./sslscan --tlsall www.xxx.com:443

三、在密评过程中，具体如何使用本工具

指令1：只检测TLS密码
./sslscan --tlsall 目标主机（域名/IP地址/主机名）

[root@miping sslscan]# ./sslscan --tlsall 110.242.68.3
Version: 2.0.15-static
OpenSSL 1.1.1s-dev  xx XXX xxxxConnected to 110.242.68.3Testing SSL server 110.242.68.3 on port 443 using SNI name 110.242.68.3SSL/TLS Protocols:
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabledTLS Fallback SCSV:
Server supports TLS Fallback SCSVTLS renegotiation:
Secure session renegotiation supportedTLS Compression:
Compression disabledHeartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleedSupported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA             Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  128 bits  RC4-SHA                      
Preferred TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA             Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  128 bits  RC4-SHA                      
Preferred TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA   Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048Subject:  baidu.com
Altnames: DNS:baidu.com, DNS:baifubao.com, DNS:www.baidu.cn, DNS:www.baidu.com.cn, DNS:mct.y.nuomi.com, DNS:apollo.auto, DNS:dwz.cn, DNS:*.baidu.com, DNS:*.baifubao.com, DNS:*.baidustatic.com, DNS:*.bdstatic.com, DNS:*.bdimg.com, DNS:*.hao123.com, DNS:*.nuomi.com, DNS:*.chuanke.com, DNS:*.trustgo.com, DNS:*.bce.baidu.com, DNS:*.eyun.baidu.com, DNS:*.map.baidu.com, DNS:*.mbd.baidu.com, DNS:*.fanyi.baidu.com, DNS:*.baidubce.com, DNS:*.mipcdn.com, DNS:*.news.baidu.com, DNS:*.baidupcs.com, DNS:*.aipage.com, DNS:*.aipage.cn, DNS:*.bcehost.com, DNS:*.safe.baidu.com, DNS:*.im.baidu.com, DNS:*.baiducontent.com, DNS:*.dlnel.com, DNS:*.dlnel.org, DNS:*.dueros.baidu.com, DNS:*.su.baidu.com, DNS:*.91.com, DNS:*.hao123.baidu.com, DNS:*.apollo.auto, DNS:*.xueshu.baidu.com, DNS:*.bj.baidubce.com, DNS:*.gz.baidubce.com, DNS:*.smartapps.cn, DNS:*.bdtjrcv.com, DNS:*.hao222.com, DNS:*.haokan.com, DNS:*.pae.baidu.com, DNS:*.vd.bdstatic.com, DNS:*
Issuer:   GlobalSign RSA OV SSL CA 2018Not valid before: Jul  5 05:16:02 2022 GMT
Not valid after:  Aug  6 05:16:01 2023 GMT

指令2：显示证书信息
./sslscan --show-certificate 目标主机（域名/IP地址/主机名）

[root@miping sslscan]# ./sslscan --show-certificate 110.242.68.3
Version: 2.0.15-static
OpenSSL 1.1.1s-dev  xx XXX xxxxConnected to 110.242.68.3Testing SSL server 110.242.68.3 on port 443 using SNI name 110.242.68.3SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabledTLS Fallback SCSV:
Server supports TLS Fallback SCSVTLS renegotiation:
Secure session renegotiation supportedTLS Compression:
Compression disabledHeartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleedSupported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA             Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  128 bits  RC4-SHA                      
Preferred TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA             Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  128 bits  RC4-SHA                      
Preferred TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA  Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)SSL Certificate:Certificate blob:
-----BEGIN CERTIFICATE-----
MIIKEjCCCPqgAwIBAgIMRBfOhu+C7GkhzG9oMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yMjA3MDUwNTE2MDJaFw0y
MzA4MDYwNTE2MDFaMIGnMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQ
MA4GA1UEBxMHYmVpamluZzElMCMGA1UECxMcc2VydmljZSBvcGVyYXRpb24gZGVw
YXJ0bWVudDE5MDcGA1UEChMwQmVpamluZyBCYWlkdSBOZXRjb20gU2NpZW5jZSBU
ZWNobm9sb2d5IENvLiwgTHRkMRIwEAYDVQQDEwliYWlkdS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqL8xBjSWug+n0J8QAszlvDpgqVX0H5YBJ
gvrT04WYtd97b7sC3e145AwHK54ehkv2aoZY11dvIVkR2G+WbtLeNij2tOPOlTIp
AMFljmmwAP5SN/SIP4ttD7vw7MXAMe+ttQwGZq2+3EMTxGawXc9WU+LRloIcBrub
X+1gjdLt89JQ7rvNsjaXyM570ku3XLSIyjdui875lv209Ue1IHe7/KidgbJs+McJ
at0iboM/p1Pf8dovKWsiw+kdZejFoLoTThY/A5PwpVmKGoDoJ31JI9/R+UuXtwHE
GfXxxf+RM9ChdMbu1M/2OAztvV6qRPuI93uZcHY0VX5V0g+ev5STAgMBAAGjggaS
MIIGjjAOBgNVHQ8BAf8EBAMCBaAwgY4GCCsGAQUFBwEBBIGBMH8wRAYIKwYBBQUH
MAKGOGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzcnNhb3Zz
c2xjYTIwMTguY3J0MDcGCCsGAQUFBzABhitodHRwOi8vb2NzcC5nbG9iYWxzaWdu
LmNvbS9nc3JzYW92c3NsY2EyMDE4MFYGA1UdIARPME0wQQYJKwYBBAGgMgEUMDQw
MgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRv
cnkvMAgGBmeBDAECAjAJBgNVHRMEAjAAMD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6
Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3Nyc2FvdnNzbGNhMjAxOC5jcmwwggNhBgNV
HREEggNYMIIDVIIJYmFpZHUuY29tggxiYWlmdWJhby5jb22CDHd3dy5iYWlkdS5j
F6yqn4TjqCSd1hd3JoyfensY2jkvd/crxyO4l2/D0XJMfvzGDcxzOBmB++fBeui5
HToF3DYEm/Hw4aZHoDBPVZBs2s+esnYSEaFctmGNFaRoZZpXL3puox/1tJJaPN9x
Cs1X1NAVNn661QMlJ0W0YM0uAsEPCudBb1hpIJ6tR1IatebljR0=
-----END CERTIFICATE-----Version: 2Serial Number: 44:17:ce:86:ef:82:ec:69:21:cc:6f:68Signature Algorithm: sha256WithRSAEncryptionIssuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018Not valid before: Jul  5 05:16:02 2022 GMTNot valid after: Aug  6 05:16:01 2023 GMTSubject: /C=CN/ST=beijing/L=beijing/OU=service operation department/O=Beijing Baidu Netcom Science Technology Co., Ltd/CN=baidu.comPublic Key Algorithm: NULLRSA Public Key: (2048 bit)RSA Public-Key: (2048 bit)Modulus:  00:aa:2f:cc:41:8d:25:ae:83:e9:f4:27:c4:00:b3:39:6f:0e:98:2a:55:7d:07:e5:80:49:82:fa:d3:d3:85:98:b5:df:7b:6f:bb:02:dd:ed:78:e4:0c:07:2b:9e:1e:86:4b:f6:6a:86:58:d7:57:6f:21:59:11:d8:6f:96:6e:d2:de:36:28:f6:b4:e3:ce:95:32:29:00:c1:65:8e:69:b0:00:fe:52:37:f4:88:3f:8b:6d:0f:bb:f0:ec:c5:c0:31:ef:ad:b5:0c:06:66:ad:be:dc:43:13:c4:66:b0:5d:cf:56:53:e2:d1:96:82:1c:06:bb:9b:5f:ed:60:8d:d2:ed:f3:d2:50:ee:bb:cd:b2:36:97:c8:ce:7b:d2:4b:b7:5c:b4:88:ca:37:6e:8b:ce:f9:96:fd:b4:f5:47:b5:20:77:bb:fc:a8:9d:81:b2:6c:f8:c7:09:6a:dd:22:6e:83:3f:a7:53:df:f1:da:2f:29:6b:22:c3:e9:1d:65:e8:c5:a0:ba:13:4e:16:3f:03:93:f0:a5:59:8a:1a:80:e8:27:7d:49:23:df:d1:f9:4b:97:b7:01:c4:19:f5:f1:c5:ff:91:33:d0:a1:74:c6:ee:d4:cf:f6:38:0c:ed:bd:5e:aa:44:fb:88:f7:7b:99:70:76:34:55:7e:55:d2:0f:9e:bf:94:93
Exponent: 65537 (0x10001)X509v3 Extensions:X509v3 Key Usage: criticalDigital Signature, Key EnciphermentAuthority Information Access: CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crtOCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.4146.1.20CPS: https://www.globalsign.com/repository/Policy: 2.23.140.1.2.2X509v3 Basic Constraints: CA:FALSEX509v3 CRL Distribution Points: Full Name:URI:http://crl.globalsign.com/gsrsaovsslca2018.crlX509v3 Subject Alternative Name: DNS:baidu.com, DNS:baifubao.com, DNS:www.baidu.cn, DNS:www.baidu.com.cn, DNS:mct.y.nuomi.com, DNS:apollo.auto, DNS:dwz.cn, DNS:*.baidu.com, DNS:*.baifubao.com, DNS:*.baidustatic.com, DNS:*.bdstatic.com, DNS:*.bdimg.com, DNS:*.hao123.com, DNS:*.nuomi.com, DNS:*.chuanke.com, DNS:*.trustgo.com, DNS:*.bce.baidu.com, DNS:*.eyun.baidu.com, DNS:*.map.baidu.com, DNS:*.mbd.baidu.com, DNS:*.fanyi.baidu.com, DNS:*.baidubce.com, DNS:*.mipcdn.com, DNS:*.news.baidu.com, DNS:*.baidupcs.com, DNS:*.aipage.com, DNS:*.aipage.cn, DNS:*.bcehost.com, DNS:*.safe.baidu.com, DNS:*.im.baidu.com, DNS:*.baiducontent.com, DNS:*.dlnel.com, DNS:*.dlnel.org, DNS:*.dueros.baidu.com, DNS:*.su.baidu.com, DNS:*.91.com, DNS:*.hao123.baidu.com, DNS:*.apollo.auto, DNS:*.xueshu.baidu.com, DNS:*.bj.baidubce.com, DNS:*.gz.baidubce.com, DNS:*.smartapps.cn, DNS:*.bdtjrcv.com, DNS:*.hao222.com, DNS:*.haokan.com, DNS:*.pae.baidu.com, DNS:*.vd.bdstatic.com, DNS:*.cloud.baidu.com, DNS:clic