Jul 15, 2021 5:09:08 AM | application security | how to

Installation & Use Of TestSSL.sh Tool

When performing pentesting engagements, there are times when validation of SSL/TLS ciphers, protocols, certificates, etc. is needed. One tool that our pentesting team tends to use is testssl.sh, a command line tool that is freely available for anyone to download. In this article, we will go through the installation process and how to use the toolset.

How To Install TestSSL.sh

Installation is pretty simple, and there are a couple of different options available. The first option is pulling directly from the testssl.sh website using the following commands:

Latest stable code:

curl -L https://testssl.sh > testssl.sh

Latest development code:

curl -L https://testssl.sh/dev/ > testssl.sh

The second option is pulling the testssl.sh toolset from GitHub using the following command:

git clone --depth 1 https://github.com/drwetter/testssl.sh.git

[Screenshot: verifying the testssl.sh install (White Oak Security)]

Pretty simple, right? Now let’s get into using the toolset.

How Pentesters Use TestSSL.sh

This is one of the simplest pentesting tools to use, and it gives quick access to valuable information. To start, change into the directory where the testssl.sh script is located. Then issue one of the following commands:

Standard HTTPS webserver:

./testssl.sh https://<IP or Hostname>

Non-Standard SSL Ports:

./testssl.sh <IP or Hostname>:<PORT>

Here is an example screenshot of the toolset in use:

[Screenshot: testssl.sh testing protocols and ciphers (White Oak Security)]

Scrolling down the output from testssl.sh, there is useful information on the ciphers supported, the SSL certificate, and the protocols in use.

[Screenshot: testssl.sh output showing the certificate's validity and issuer (White Oak Security)]
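
For reporting, the same results can also be written to a file with testssl.sh's `--jsonfile <file>` option. The following is an added example, not code from the original post or from the testssl.sh project: it goes beyond the terminal output shown above and filters that flat JSON down to the findings worth reporting, assuming each entry carries the keys `id`, `ip`, `port`, `severity` and `finding`. The function names and the sample data are constructed for illustration.

```python
import json

# Severity labels used in testssl.sh JSON output, lowest to highest.
SEVERITY_ORDER = ["OK", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
REQUIRED_KEYS = {"id", "ip", "port", "severity", "finding"}

# Constructed sample, not from a real scan: host, ids and finding text are illustrative.
SAMPLE_JSON = """[
 {"id": "SSLv3", "ip": "host.example/192.0.2.10", "port": "443", "severity": "HIGH", "finding": "offered"},
 {"id": "TLS1", "ip": "host.example/192.0.2.10", "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
 {"id": "TLS1_2", "ip": "host.example/192.0.2.10", "port": "443", "severity": "OK", "finding": "offered"},
 {"id": "heartbleed", "ip": "host.example/192.0.2.10", "port": "443", "severity": "WARN", "finding": "check did not complete"},
 {"id": "cert_notAfter", "ip": "host.example/192.0.2.10", "port": "443", "severity": "MEDIUM", "finding": "expires in 20 days"}
]"""


def load_findings(text):
    """Parse the flat JSON array and reject entries missing the expected keys."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of findings")
    for entry in entries:
        if not isinstance(entry, dict) or not REQUIRED_KEYS <= entry.keys():
            raise ValueError(f"malformed finding: {entry!r}")
    return entries


def rank(entry):
    """Position in SEVERITY_ORDER; unranked labels such as WARN sort above everything."""
    sev = entry["severity"]
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def reportable(entries, minimum="LOW"):
    """Findings at or above `minimum`, most severe first; unranked labels are kept for review."""
    threshold = SEVERITY_ORDER.index(minimum)
    return sorted((e for e in entries if rank(e) >= threshold), key=rank, reverse=True)


def format_row(e):
    """One report line per finding."""
    return f"{e['severity']:<8} {e['ip']}:{e['port']} {e['id']}: {e['finding']}"


if __name__ == "__main__":
    for row in reportable(load_findings(SAMPLE_JSON)):
        print(format_row(row))
```
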

TestSSL.sh Recap

Hopefully this blog post demonstrates how easy testssl.sh is to install and use for everyday testing. Additional information on the toolset is available from its website: https://testssl.sh/. In closing, there are many tools available that perform similar tests; however, we prefer this tool because it is easy to install and use, and it provides clear output for reporting purposes.

Written By: Brett DeWall