Script collection for generating testssl.sh command lines that can be executed sequentially or in parallel with tools like GNU Parallel and importing the results into a structured document in ElasticSearch for further analysis.
This fork provides a number of changes:
- Elastic 7.x support
- Testssl.sh 3.1dev version support (April 2022)
- Added additional STARTTLS ports
- Various field updates
- Elastic ECS fields where appropriate
- Dashboard for Kibana
- Read additional configuration created by gooseleggs/certscan scanning script (such as local/external host)
This is how the scan result of a service appears in Kibana:
Dashboard included:

Prerequisites:
- testssl.sh 3.1dev branch or a later version
- Python 3 with the following modules:
  - elasticsearch_dsl
  - tzlocal
Usage:
- Install the dependencies (see above).
- Create an input file with one `host:port` pair per line.
- Run `generate_scan_file.py inputfile > cmdfile` to generate a file with testssl.sh command lines.
- Run `parallel < cmdfile` to perform the testssl.sh scans.
- Run `import_testssl.sh_csv_to_ES.py *.csv` to import the scan results into ElasticSearch.
- View/analyze the data with Kibana or the tool of your choice.
- Fix your TLS configurations :)
If you do not want to do the above, but instead just provide a list of URLs or scan a network, look at the GitHub project certscan by gooseleggs (https://github.com/gooseleggs/certscan).
Due to the way in which Elastic does aggregates, I could not get it to work correctly with returning just the last scan results for the dashboard. Therefore, if you set the timeline to more than a scan interval, the dashboard will show skewed results. Not sure how to fix this at the moment, but open to suggestions (i.e. pull requests).
List all vulnerabilities in "host;port;vulnerabilities" CSV format:
curl -qsk 'localhost:9200/testssl-*/_search?q=_exists_:vulnerabilities&size=10000' | jq -r '.hits.hits[]._source | [ .ip, ( .port | tostring ), ( .vulnerabilities | join(", ") ) ] | join(";")'
...and with the ciphertests field added:
curl -qsk 'localhost:9200/testssl-*/_search?q=_exists_:(vulnerabilities+ciphertests)&size=10000' | jq -r '.hits.hits[]._source | [ .ip, ( .port | tostring ), ( .vulnerabilities | if . == null then "" else (. | join(", ") ) end ), ( .ciphertests | if . == null then "" else (. | join(", ") ) end ) ] | join(";")'
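As an added example (not one of this project's scripts), the following Python sketch shows the shape of the per-service document that the import step produces and the queries above read: it groups testssl.sh CSV rows by host and port into documents with `ip`, `port`, `vulnerabilities` and `ciphertests` fields, and renders the same `host;port;vulnerabilities` lines as the first curl/jq query, without needing a running ElasticSearch. The column layout follows testssl.sh's own CSV header, the sample rows are constructed, and the rule for which findings count (anything rated LOW or worse, with `cipherlist_*` ids going to `ciphertests`) is an assumption rather than what import_testssl.sh_csv_to_ES.py actually does.

```python
import csv
import io

# Constructed sample rows in testssl.sh's CSV column layout
# ("id","fqdn/ip","port","severity","finding","cve","cwe"); not real scan output.
SAMPLE_CSV = '''"id","fqdn/ip","port","severity","finding","cve","cwe"
"service","mail.example.test/192.0.2.10","443","INFO","HTTP","",""
"heartbleed","mail.example.test/192.0.2.10","443","OK","not vulnerable, no heartbeat extension","",""
"POODLE_SSL","mail.example.test/192.0.2.10","443","HIGH","VULNERABLE, uses SSLv3 with CBC ciphers","",""
"SWEET32","mail.example.test/192.0.2.10","443","LOW","uses 64 bit block ciphers","",""
"cipherlist_3DES_IDEA","mail.example.test/192.0.2.10","443","MEDIUM","offered","",""
"cipherlist_STRONG","mail.example.test/192.0.2.10","443","OK","offered","",""
"heartbleed","www.example.test/192.0.2.20","8443","OK","not vulnerable, no heartbeat extension","",""
"cipherlist_STRONG","www.example.test/192.0.2.20","8443","OK","offered","",""
'''

# Assumed severity ordering; anything ranked LOW or worse is treated as a finding.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 0, "OK": 0, "WARN": 0,
                 "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def build_documents(csv_text):
    """Group testssl.sh CSV rows into one document per (ip, port) service."""
    docs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # testssl.sh writes the host column as "fqdn/ip"; split it into separate fields.
        fqdn, _, ip = row["fqdn/ip"].partition("/")
        key = (ip or fqdn, int(row["port"]))
        doc = docs.setdefault(key, {"fqdn": fqdn, "ip": key[0], "port": key[1],
                                    "vulnerabilities": [], "ciphertests": []})
        if SEVERITY_RANK.get(row["severity"], 0) < 1:
            continue  # OK/INFO rows carry no finding worth listing
        bucket = "ciphertests" if row["id"].startswith("cipherlist_") else "vulnerabilities"
        doc[bucket].append(row["id"])
    return [docs[k] for k in sorted(docs)]


def summarize(docs):
    """Render 'host;port;vulnerabilities' lines like the first curl/jq query above.
    Services without findings are skipped, mirroring the _exists_:vulnerabilities filter."""
    return [f'{d["ip"]};{d["port"]};{", ".join(d["vulnerabilities"])}'
            for d in docs if d["vulnerabilities"]]


if __name__ == "__main__":
    for line in summarize(build_documents(SAMPLE_CSV)):
        print(line)
```

Feeding a real testssl.sh `--csv` output file into `build_documents` instead of `SAMPLE_CSV` gives a quick offline preview of which services the first query would list before anything is indexed.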