nullcon 2011 - SSLSmart – Smart SSL Cipher Enumeration

Post on 29-Nov-2014

DESCRIPTION

SSLSmart – Smart SSL Cipher Enumeration by Gursev Singh Kalra

Transcript

SSLSmart – Smart SSL Cipher Enumeration

Gursev Singh Kalra

nullcon | Feb 26, 2011

www.foundstone.com

© 2010, McAfee, Inc.

Agenda

►Introduction

►Why Enumerate SSL Ciphers?

►Why SSLSmart?

►SSLSmart Demonstrations

►Q&A

Introduction

►Who am I?

■ Managing Consultant – Foundstone Professional Services

■ Web Applications, Networks, Mobile Applications, Research, Tools…

Why Enumerate SSL Ciphers?

►PCI Compliance

►Web Application Penetration Testing

►Network Assessments

►Insecure Crypto Implementation

Why SSLSmart?

►Flexible

►WYSIWYG

►Open Source and Cross Platform

►Rich Reporting

Flexibility

• Granular Cipher Control

• Certificate Verification

• Proxy Support

• Content and CONNECT Tests

What You See Is What You Get

Open Source and Cross Platform

• Works with Ruby 1.8.6, 1.8.7, 1.9.1 & 1.9.2

• Tested on Windows, Linux

Rich Reporting

• Text

• HTML

• XML

SSLSmart Demonstrations

►SSLSmart GUI

►Custom scripts using SSLSmart APIs

Queries

Thank You

Gursev Kalra

gursev.kalra@foundstone.com
