H4hacks: Qualys SSL labs API - A MultiThreaded python script to scan large number of servers and produce neat results

Thursday, June 18, 2015

Hi Security enthusiast,

So if you were following closely on recent developments regarding SSL/TLS security, you might have heard that Qualys SSL labs released an API to automate the testing of internet hosted applications with their awesome hosted testing solution.

If you have not heard about it here is the location to their server testing page - https://www.ssllabs.com/ssltest/

And their API documentation here - https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs.md

So now that the API is released you can automate testing of any number of servers with any language that is able to talk with qualys server via HTTP protocol. My company wanted to test all of our servers with SSL labs, so i thought why can't i automate it with python or something. So here it is, i made a multithreaded python script to test a large number of servers in one go and get results in neat format that my management wanted :-)

The script is intended for python 2.7

You can find the script here - https://github.com/moheshmohan/pyssltest

The script takes a text file as input with the urls to servers that you need test listed line by line and it initites ssl lab tests on each of them (25 threads parallel so 25 tests) and based on the result it generates a CSV file with extended information from the results

Please note that the script currently supports only one endpoint per url, i will enhance it in future to iterate through each endpoints, in case of urls with multiple endpoints.

The results will contain the following items each row

Input_URL - The input URL

Domain - The domain

IP - The IP address it resolved to

returncode - The value returned from Qualys server (READY, ERROR etc)

Grade - The Grade as per Qualys rating

Secondary grade - Secondary Grade as per qualys rating

Now it contains these items per each server. Basically these contain Y (yes) or N (no) values and the headings are self explanatory

Freak

Poodle_TLS

Insecure renegotiation

OpenSSL ccs

Insecure DH

SSL v2

Poodle_SSL

wrong domain

cert expired

self signed cert

No TLS1.2?

SSL v3

RC4

cert chain issue

CRIME

forward secrecy not supported?

weak private key?

weak signature

secure renegotiation

TLS 1.0

TLS 1.1

TLS 1.2

Running the script

To run the script you can use the following command

python pyssltest.py -i inp.txt -o inp.csv -n

I will explain each switches,

-i <filename> :- A text file with target urls listed line by line

-o <filename> :- A csv file to which the output will be written

-n :- Optional, To always initiate new tests. If this is omitted cached results from qualys is fetched

Its pretty simple and fast way to run ssl labs against a bunch of servers.

Please provide some feedback about script on comments below.

Thanks for reading

H4hacks

Menu

Thursday, June 18, 2015

Qualys SSL labs API - A MultiThreaded python script to scan large number of servers and produce neat results

Running the script

12 comments: