TLS/SSL Handshake Explained
TL;DR: TLS encrypts communication between client and server. Understanding the handshake helps you identify weak configurations, test certificate validation, and exploit cryptographic vulnerabilities.
Quick Reference
TLS/SSL Versions
| Version | Status | Security |
|---|---|---|
| SSL 2.0 | Deprecated (1995) | Broken - Never use |
| SSL 3.0 | Deprecated (1996) | Broken (POODLE) |
| TLS 1.0 | Deprecated (1999) | Weak (BEAST) |
| TLS 1.1 | Deprecated (2006) | Weak |
| TLS 1.2 | Current (2008) | Secure (with good ciphers) |
| TLS 1.3 | Current (2018) | Most secure |
Essential Commands
| Command | Purpose | Example |
|---|---|---|
| openssl s_client | Test TLS connection | openssl s_client -connect host:443 |
| nmap --script ssl* | Scan for SSL issues | nmap --script ssl-enum-ciphers target |
| testssl.sh | Comprehensive testing | testssl.sh target.com |
| sslscan | Quick cipher scan | sslscan target.com |
| sslyze | Python SSL scanner | sslyze target.com |
Common Ports Using TLS
| Port | Service | Protocol |
|---|---|---|
| 443 | HTTPS | HTTP over TLS |
| 465 | SMTPS | SMTP over TLS |
| 636 | LDAPS | LDAP over TLS |
| 853 | DoT | DNS over TLS |
| 993 | IMAPS | IMAP over TLS |
| 995 | POP3S | POP3 over TLS |
| 8443 | HTTPS-alt | Alternative HTTPS |
Why TLS Matters for Pentesters
TLS is everywhere - and misconfigurations are common.
What TLS Protects
| Protection | How | Attack If Broken |
|---|---|---|
| Confidentiality | Encryption | Eavesdropping |
| Integrity | MAC/AEAD | Data tampering |
| Authentication | Certificates | Impersonation/MITM |
Real-World TLS Breaches
| Incident | Vulnerability | Impact |
|---|---|---|
| Heartbleed (2014) | OpenSSL memory leak | Server memory exposure, private keys |
| POODLE (2014) | SSL 3.0 padding oracle | Decrypt HTTPS traffic |
| DROWN (2016) | SSLv2 export ciphers | Decrypt TLS sessions |
| DigiNotar (2011) | CA compromise | Fake Google certificates |
| Let’s Encrypt (2020) | Certificate misissuance | 3M certs revoked |
What Pentesters Test
- Protocol versions - Deprecated SSL/TLS versions
- Cipher suites - Weak or export ciphers
- Certificate validation - Expiry, chain, hostname
- Known vulnerabilities - BEAST, POODLE, Heartbleed
- Configuration - HSTS, certificate pinning
- Implementation bugs - Specific library issues
TLS vs SSL: What’s the Difference
TL;DR: SSL is the old, broken protocol. TLS is the modern replacement. People say “SSL” but usually mean TLS.
History
```text
1995 ── SSL 2.0 ── Netscape (broken, deprecated)
  │
1996 ── SSL 3.0 ── Netscape (POODLE, deprecated)
  │
1999 ── TLS 1.0 ── IETF standardization (BEAST, deprecated)
  │
2006 ── TLS 1.1 ── Minor improvements (deprecated)
  │
2008 ── TLS 1.2 ── Major improvements (current)
  │
2018 ── TLS 1.3 ── Complete redesign (recommended)
```
Why It Matters
| Protocol | Still Seen | Risk |
|---|---|---|
| SSL 2.0 | Legacy systems | Critical |
| SSL 3.0 | Legacy systems | Critical (POODLE) |
| TLS 1.0 | Many servers | High (BEAST, deprecated) |
| TLS 1.1 | Some servers | Medium (deprecated) |
| TLS 1.2 | Most servers | Safe with good ciphers |
| TLS 1.3 | Modern servers | Best security |
Finding a deprecated protocol = a finding for your pentest report.
The TLS Handshake
TL;DR: Client and server negotiate encryption, verify certificates, and establish a secure session in a carefully orchestrated exchange.
TLS 1.2 Handshake (Full)
```text
┌─────────┐                                        ┌─────────┐
│ Client  │                                        │ Server  │
└────┬────┘                                        └────┬────┘
     │                                                  │
     │ ──────────── 1. ClientHello ───────────────────► │
     │   - TLS version
     │   - Random bytes (Client Random)
     │   - Session ID
     │   - Cipher suites supported
     │   - Compression methods
     │   - Extensions (SNI, etc.)
     │                                                  │
     │ ◄──────────── 2. ServerHello ─────────────────── │
     │   - TLS version selected
     │   - Random bytes (Server Random)
     │   - Session ID
     │   - Cipher suite selected
     │   - Compression method
     │                                                  │
     │ ◄──────────── 3. Certificate ─────────────────── │
     │   - Server's certificate chain
     │                                                  │
     │ ◄──────────── 4. ServerKeyExchange ───────────── │
     │   - Key exchange parameters (DHE/ECDHE)
     │   - Signature
     │                                                  │
     │ ◄──────────── 5. ServerHelloDone ─────────────── │
     │                                                  │
     │ ──────────── 6. ClientKeyExchange ─────────────► │
     │   - Pre-master secret (encrypted)
     │     or DH public value
     │                                                  │
     │ ──────────── 7. ChangeCipherSpec ──────────────► │
     │   - Switching to encrypted communication
     │                                                  │
     │ ──────────── 8. Finished ──────────────────────► │
     │   - Encrypted verification
     │                                                  │
     │ ◄──────────── 9. ChangeCipherSpec ────────────── │
     │                                                  │
     │ ◄──────────── 10. Finished ───────────────────── │
     │                                                  │
     │ ══════════ Encrypted Application Data ══════════ │
     │                                                  │
```
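The fields listed under step 1 have a fixed wire layout (RFC 5246 section 7.4.1.2). The Python below is an added example, not code from the original post: it builds a constructed ClientHello record inline and parses out what a defender would log at this step (offered versions, cipher suites, SNI). `build_sample_client_hello`, `parse_client_hello` and the small lookup tables are names chosen for this example.

```python
import struct

# Lookup tables (IANA values) used only to label what the parser finds.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
          0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_sample_client_hello() -> bytes:
    """Constructed sample (not a capture): a ClientHello offering three cipher
    suites, SNI www.example.com and supported_versions [TLS 1.3, TLS 1.2]."""
    client_random = bytes(range(32))                        # fixed bytes, not random
    suites = bytes.fromhex("1301c030000a")
    name = b"www.example.com"
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    vers = b"\x04" + bytes.fromhex("03040303")              # length byte, then 2-byte versions
    ext_vers = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers)) + vers
    exts = ext_sni + ext_vers
    body = (b"\x03\x03" + client_random + b"\x00"           # legacy_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (RFC 5246 section 7.4.1.2)
    and return the fields worth logging."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    client_random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                                    # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods
    info = {"legacy_version": VERSIONS.get(legacy_version, hex(legacy_version)),
            "client_random": client_random.hex(),
            "cipher_suites": [SUITES.get(s, "0x%04x" % s) for s in suites],
            "sni": None, "supported_versions": []}
    if pos < len(body):                                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:                    # list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:           # len(1), then 2-byte versions
                vs = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
                info["supported_versions"] = [VERSIONS.get(v, hex(v)) for v in vs]
    return info


if __name__ == "__main__":
    for field, value in parse_client_hello(build_sample_client_hello()).items():
        print(f"{field}: {value}")
```

The same parser applies to the TLS 1.3 ClientHello further down, which is where supported_versions actually matters: the legacy_version field stays at TLS 1.2 and the real offer lives in that extension.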
Key Generation Process
```text
      Client Random (32 bytes)
                  +
      Server Random (32 bytes)
                  +
          Pre-Master Secret
                  │
                  ▼
          ┌───────────────┐
          │   PRF (KDF)   │  Pseudo-Random Function
          └───────┬───────┘
                  │
     ┌────────────┼────────────┐
     ▼            ▼            ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│  Client  │ │  Server  │ │  IV for  │
│ Write Key│ │ Write Key│ │ CBC mode │
└──────────┘ └──────────┘ └──────────┘
```
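The derivation in the diagram written out with the RFC 5246 PRF, as an added example that is not code from the original post. It goes one step further than the diagram by slicing the whole key block (MAC keys, write keys, IVs) in the order the RFC specifies; `p_hash`, `prf`, `derive_keys` and the `SUITE_SIZES` table are assumptions of this example.

```python
import hashlib
import hmac


def p_hash(hash_fn, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> from RFC 5246 section 5, expanded to `length` bytes:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) | HMAC(secret, A(2) + seed) | ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def prf(hash_fn, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF = P_<hash>(secret, label + seed). The hash is the one named at the
    end of the cipher suite: SHA-256 for *_SHA256 suites, SHA-384 for *_SHA384 suites."""
    return p_hash(hash_fn, secret, label + seed, length)


# (PRF hash, MAC key bytes, encryption key bytes, IV bytes) per suite, from the suite
# definitions. AEAD suites have no MAC key and a 4-byte implicit nonce part as "IV";
# TLS 1.1+ sends the CBC IV explicitly in each record, so RFC 5246 derives none for CBC.
SUITE_SIZES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": (hashlib.sha384, 0, 32, 4),
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": (hashlib.sha256, 0, 16, 4),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": (hashlib.sha256, 32, 16, 0),
}


def derive_keys(suite: str, pre_master: bytes, client_random: bytes,
                server_random: bytes) -> dict:
    """Pre-master secret + both randoms -> master secret -> key block, then slice the
    key block in the order RFC 5246 section 6.3 specifies."""
    hash_fn, mac_len, key_len, iv_len = SUITE_SIZES[suite]
    # The master secret seeds with client_random + server_random ...
    master = prf(hash_fn, pre_master, b"master secret",
                 client_random + server_random, 48)
    # ... but key expansion seeds with server_random + client_random.
    block = prf(hash_fn, master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {"master_secret": master}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    # Constructed inputs: a real handshake uses 32 fresh random bytes per side and the
    # ECDHE shared secret as the pre-master secret.
    keys = derive_keys("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                       b"\x11" * 32, bytes(range(32)), bytes(range(32, 64)))
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
```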
Vulnerabilities in Each Step
| Step | Vulnerability | Attack |
|---|---|---|
| 1. ClientHello | Downgrade attack | Force weak cipher/version |
| 2. ServerHello | Protocol selection | POODLE, DROWN |
| 3. Certificate | Validation bypass | Fake certificates, MITM |
| 4. KeyExchange | Weak parameters | Logjam (weak DH), FREAK |
| 6. KeyExchange | Key extraction | Heartbleed |
| 7-10. Encrypted | Padding oracle | BEAST, Lucky13 |
TLS 1.3 Handshake
TL;DR: TLS 1.3 is faster (1 round trip), more secure (removed weak ciphers), and simpler (fewer options to misconfigure).
TLS 1.3 vs 1.2
| Feature | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Round trips | 2 RTT | 1 RTT (0-RTT resumption) |
| Key exchange | RSA, DH, ECDH | ECDHE, DHE only |
| Cipher suites | 37+ | 5 AEAD only |
| Encryption start | After handshake | After ServerHello |
| Removed | - | RSA key exchange, CBC mode, RC4, SHA-1, etc. |
TLS 1.3 Handshake
```text
┌─────────┐                                        ┌─────────┐
│ Client  │                                        │ Server  │
└────┬────┘                                        └────┬────┘
     │                                                  │
     │ ──────────── ClientHello ──────────────────────► │
     │   - Supported versions
     │   - Key shares (ECDHE)
     │   - Cipher suites
     │                                                  │
     │ ◄──────────── ServerHello ────────────────────── │
     │   - Selected version
     │   - Key share
     │                                                  │
     │ ◄──────────── EncryptedExtensions ────────────── │
     │ ◄──────────── Certificate ────────────────────── │
     │ ◄──────────── CertificateVerify ──────────────── │
     │ ◄──────────── Finished ───────────────────────── │
     │                                                  │
     │ ──────────── Finished ─────────────────────────► │
     │                                                  │
     │ ═══════════════ Application Data ═══════════════ │
```
What TLS 1.3 Removed
| Removed | Why | Attack Prevented |
|---|---|---|
| RSA key exchange | No forward secrecy | Passive decryption |
| CBC cipher modes | Padding oracles | BEAST, Lucky13 |
| RC4 cipher | Broken | RC4 biases |
| SHA-1 for signatures | Collision attacks | Signature forgery |
| Static DH | No forward secrecy | Key compromise |
| Compression | CRIME attack | Session hijacking |
| Renegotiation | Complex attacks | Various |
Certificates and PKI
TL;DR: Certificates prove server identity. The chain of trust goes from server cert → intermediate CA → root CA (trusted by your browser).
Certificate Chain
```text
┌─────────────────────────────────────────────┐
│             Root CA Certificate             │
│  (Self-signed, in browser/OS trust store)   │
│        DigiCert, Let's Encrypt, etc.        │
└──────────────────────┬──────────────────────┘
                       │ Signs
                       ▼
┌─────────────────────────────────────────────┐
│         Intermediate CA Certificate         │
│  (Signed by Root, signs end-entity certs)   │
└──────────────────────┬──────────────────────┘
                       │ Signs
                       ▼
┌─────────────────────────────────────────────┐
│           End-Entity Certificate            │
│           (Server's certificate)            │
│         Subject: CN=www.example.com         │
└─────────────────────────────────────────────┘
```
Certificate Fields
| Field | Purpose | Example |
|---|---|---|
| Subject | Who the cert belongs to | CN=www.example.com |
| Issuer | Who signed the cert | CN=DigiCert SHA2 CA |
| Validity | Not Before/After dates | Jan 1 - Dec 31, 2024 |
| Public Key | Server’s public key | RSA 2048-bit |
| Signature | CA’s signature | SHA256withRSA |
| SAN | Additional hostnames | DNS:example.com, DNS:*.example.com |
| Key Usage | Allowed operations | Digital Signature, Key Encipherment |
Certificate Validation Checks
| Check | Failure Impact | Attack |
|---|---|---|
| Chain of trust | Reject connection | Self-signed cert MITM |
| Expiration | Warning/reject | Expired cert exploitation |
| Hostname match | Reject | Wrong certificate |
| Revocation (CRL/OCSP) | Varies | Use revoked cert |
| Key usage | Reject | Misuse certificate |
View Certificate Commands
```bash
# View certificate with openssl (stdin closed so s_client exits after the handshake)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -text
# View certificate dates
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -dates
# View certificate chain
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts
# Check certificate SANs (-ext needs OpenSSL 1.1.1 or later)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -ext subjectAltName
# View certificate with curl
curl -vI https://example.com 2>&1 | grep -A6 "Server certificate"
# Check certificate expiry
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -enddate
```
Cipher Suites Explained
TL;DR: A cipher suite is a combination of algorithms for key exchange, authentication, encryption, and message integrity.
Cipher Suite Naming
```text
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
│   │     │        │   │   │   │
│   │     │        │   │   │   └── Hash for PRF
│   │     │        │   │   └────── Mode (GCM = AEAD)
│   │     │        │   └────────── Key size
│   │     │        └────────────── Encryption algorithm
│   │     └─────────────────────── Authentication (cert type)
│   └───────────────────────────── Key exchange
└───────────────────────────────── Protocol
```
Cipher Suite Components
| Component | Options | Recommendation |
|---|---|---|
| Key Exchange | RSA, DHE, ECDHE | ECDHE (forward secrecy) |
| Authentication | RSA, ECDSA | Either is fine |
| Encryption | AES, ChaCha20, 3DES, RC4 | AES-GCM or ChaCha20 |
| Mode | CBC, GCM, CCM | GCM (AEAD) |
| MAC | SHA, SHA256, SHA384 | SHA256+ or AEAD |
TLS 1.3 Cipher Suites (Only 5)
| Cipher Suite | Security |
|---|---|
| TLS_AES_128_GCM_SHA256 | Recommended |
| TLS_AES_256_GCM_SHA384 | Recommended |
| TLS_CHACHA20_POLY1305_SHA256 | Recommended |
| TLS_AES_128_CCM_SHA256 | OK |
| TLS_AES_128_CCM_8_SHA256 | IoT only |
Weak Cipher Indicators
| Indicator | Why Weak | Example |
|---|---|---|
| NULL | No encryption | TLS_RSA_WITH_NULL_SHA |
| EXPORT | Intentionally weak | TLS_RSA_EXPORT_WITH_RC4_40_MD5 |
| RC4 | Broken stream cipher | TLS_RSA_WITH_RC4_128_SHA |
| DES / 3DES | Weak block cipher | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| MD5 | Broken hash | *_MD5 |
| SHA (SHA-1) | Weak hash | *_SHA (without number) |
| RSA (no DHE) | No forward secrecy | TLS_RSA_WITH_AES_256_CBC_SHA |
| ANON | No authentication | TLS_DH_anon_WITH_AES_256_CBC_SHA |
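A parser for the naming scheme above that also reports which weak indicators from the table apply, as an added example (not code from the original post). `parse_suite` and `weaknesses` are names chosen here; the flag names follow the table, with `CBC` added because it is the reason GCM is recommended over it.

```python
MODES = ("CBC", "GCM", "CCM", "POLY1305")
AEAD_MODES = ("GCM", "CCM", "CCM_8", "POLY1305")


def parse_suite(name: str) -> dict:
    """Split an IANA cipher-suite name into the parts shown in the naming diagram."""
    protocol, rest = name.split("_", 1)
    if "_WITH_" in rest:                    # TLS 1.2 and earlier: key exchange + auth in the name
        kex_auth, cipher = rest.split("_WITH_", 1)
    else:                                   # TLS 1.3 style: only the AEAD cipher and PRF hash
        kex_auth, cipher = "", rest
    export = "_EXPORT" in kex_auth
    parts = kex_auth.replace("_EXPORT", "").split("_") if kex_auth else []
    kex = parts[0] if parts else "(negotiated: ECDHE or DHE)"
    auth = parts[1] if len(parts) > 1 else (parts[0] if parts else "(certificate)")
    toks = cipher.split("_")
    hash_name, body = toks[-1], toks[:-1]   # last token: PRF hash (and HMAC if not AEAD)
    mode = next((t for t in body if t in MODES), None)
    if mode == "CCM" and "8" in body:       # AES_128_CCM_8: CCM with an 8-byte tag
        mode = "CCM_8"
    key_bits = int(body[1]) if len(body) > 1 and body[1].isdigit() else None
    return {"protocol": protocol, "kex": kex, "auth": auth, "export": export,
            "encryption": body[0], "key_bits": key_bits, "mode": mode,
            "hash": hash_name, "aead": mode in AEAD_MODES, "tls13": not kex_auth}


def weaknesses(suite) -> list:
    """Indicators from the table above that apply to a suite name (or a parsed dict),
    in table order. An empty list means none of the listed weaknesses is present."""
    s = parse_suite(suite) if isinstance(suite, str) else suite
    flags = []
    if s["encryption"] == "NULL":
        flags.append("NULL")
    if s["export"]:
        flags.append("EXPORT")
    if s["encryption"] == "RC4":
        flags.append("RC4")
    if s["encryption"] in ("DES", "3DES"):
        flags.append("DES")
    if s["hash"] == "MD5":
        flags.append("MD5")
    if s["hash"] == "SHA":                  # bare "SHA" means SHA-1
        flags.append("SHA1")
    if s["kex"] in ("RSA", "DH", "ECDH") and s["auth"] != "anon":
        flags.append("NO-FS")               # static key exchange: no forward secrecy
    if s["auth"] == "anon":
        flags.append("ANON")
    if s["mode"] == "CBC":
        flags.append("CBC")                 # padding-oracle exposure; prefer AEAD
    return flags


if __name__ == "__main__":
    for name in ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                 "TLS_DH_anon_WITH_AES_256_CBC_SHA", "TLS_AES_128_GCM_SHA256"):
        print(f"{name:42s} {weaknesses(name) or 'no weak indicators'}")
```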
Check Cipher Suite Commands
```bash
# Offer every cipher openssl knows and see which one the server picks (check the "Cipher" line)
openssl s_client -connect example.com:443 -cipher 'ALL:COMPLEMENTOFALL'
# Check a specific cipher (handshake failure = not supported by the server)
openssl s_client -connect example.com:443 -cipher 'AES256-SHA'
# List cipher suites with nmap
nmap --script ssl-enum-ciphers -p 443 example.com
# Using sslscan
sslscan example.com
# Using testssl.sh
testssl.sh --cipher-per-proto example.com
```
Common TLS Vulnerabilities
1. Heartbleed (CVE-2014-0160)
OpenSSL memory leak exposing server memory, potentially including private keys.
```text
┌─────────┐                                   ┌─────────┐
│ Client  │  Heartbeat: "Send back 64KB"      │ Server  │
│         │ ──────────────────────────────►   │         │
│         │  (But I only sent 1 byte)         │         │
│         │                                   │         │
│         │ ◄──────────────────────────────   │         │
│         │  Response: 64KB of server memory! │         │
│         │  (May contain private keys,       │         │
│         │   passwords, session data)        │         │
└─────────┘                                   └─────────┘
```
| Attack | Detect | Defend |
|---|---|---|
| Send malformed heartbeat | Monitor for heartbeat requests | Update OpenSSL |
| Extract server memory | Log heartbeat anomalies | Disable heartbeat extension |
| Obtain private keys | Detect large heartbeat responses | Revoke and reissue certs |
Testing Commands
```bash
# Using nmap
nmap --script ssl-heartbleed -p 443 target.com
# Using testssl.sh
testssl.sh --heartbleed target.com
# Using Metasploit
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS target.com
run
# Manual check with openssl: -tlsextdebug prints the extensions the server acknowledges
echo "QUIT" | openssl s_client -connect target.com:443 -tlsextdebug 2>&1 | grep "server extension"
# If "heartbeat" appears, the extension is enabled; further testing needed to confirm the bug
```
2. POODLE (CVE-2014-3566)
Padding Oracle On Downgraded Legacy Encryption - attacks SSL 3.0 CBC mode.
| Attack | Detect | Defend |
|---|---|---|
| Force SSL 3.0 downgrade | Monitor for SSL 3.0 connections | Disable SSL 3.0 |
| Exploit CBC padding oracle | Alert on protocol downgrades | Use TLS 1.2+ only |
| Decrypt HTTPS cookie | Detect POODLE scan patterns | Use AEAD ciphers |
Testing Commands
```bash
# Check for SSL 3.0 support
# (-ssl3 needs an OpenSSL build with SSLv3 compiled in; a current build reports an
#  unknown option, which is not the same as the server refusing SSL 3.0)
openssl s_client -connect target.com:443 -ssl3
# Using nmap
nmap --script ssl-poodle -p 443 target.com
# Using testssl.sh
testssl.sh --poodle target.com
# Check for TLS POODLE (CVE-2014-8730)
testssl.sh --fallback target.com
```
3. BEAST (CVE-2011-3389)
Browser Exploit Against SSL/TLS - attacks TLS 1.0 CBC mode.
| Attack | Detect | Defend |
|---|---|---|
| Chosen plaintext in TLS 1.0 | Monitor for TLS 1.0 traffic | Disable TLS 1.0 |
| Decrypt session cookies | Alert on CBC cipher use | Use TLS 1.2+ |
| Requires MITM position | Log cipher negotiations | Prefer AEAD ciphers |
Testing Commands
```bash
# Check TLS 1.0 support
openssl s_client -connect target.com:443 -tls1
# Using testssl.sh
testssl.sh --beast target.com
# Check cipher preference
nmap --script ssl-enum-ciphers -p 443 target.com | grep -i "cbc"
```
4. CRIME & BREACH
Compression-based attacks that leak encrypted data.
- CRIME - TLS compression leaks session tokens
- BREACH - HTTP compression leaks response body secrets
| Attack | Detect | Defend |
|---|---|---|
| Measure compressed size | Monitor compression settings | Disable TLS compression |
| Inject known plaintext | Alert on size variations | Disable HTTP compression for sensitive data |
| Brute force secret bytes | Detect unusual request patterns | Randomize secrets in responses |
Testing Commands
```bash
# Check for TLS compression (CRIME)
echo | openssl s_client -connect target.com:443 2>/dev/null | grep "Compression"
# "Compression: NONE" = Safe
# "Compression: zlib" = Vulnerable
# Using testssl.sh
testssl.sh --crime target.com
# Check HTTP compression (BREACH)
curl -H "Accept-Encoding: gzip, deflate" -I https://target.com
# If Content-Encoding: gzip appears on sensitive pages = potentially vulnerable
```
5. DROWN (CVE-2016-0800)
SSLv2 support enables a cross-protocol attack that decrypts TLS sessions protected by the same RSA key.
| Attack | Detect | Defend |
|---|---|---|
| Use SSLv2 to attack TLS | Monitor for SSLv2 traffic | Disable SSLv2 everywhere |
| Bleichenbacher oracle | Inventory all servers sharing keys | Don’t share keys across servers |
| Decrypt recorded TLS traffic | Check certificate reuse | Use unique certificates |
Testing Commands
```bash
# Check for SSLv2 (-ssl2 only exists in OpenSSL builds with SSLv2 compiled in;
# current builds reject the option, so prefer the scanners below)
openssl s_client -connect target.com:443 -ssl2
# Using nmap
nmap --script sslv2-drown -p 443 target.com
# Using testssl.sh
testssl.sh --drown target.com
```
6. Logjam (CVE-2015-4000)
Weak Diffie-Hellman parameters allow MITM attacks.
| Attack | Detect | Defend |
|---|---|---|
| Attack 512-bit export DH | Monitor for DHE key sizes | Use 2048-bit+ DH groups |
| Downgrade to export ciphers | Alert on weak parameters | Disable DHE_EXPORT ciphers |
| Precompute discrete log | Log key exchange parameters | Prefer ECDHE |
Testing Commands
```bash
# Check DH parameters: restrict to ephemeral DH and read the negotiated group size
# from the "Server Temp Key: DH, 2048 bits" line
echo | openssl s_client -connect target.com:443 -cipher "EDH" 2>/dev/null | grep "Server Temp Key"
# Using nmap
nmap --script ssl-dh-params -p 443 target.com
# Using testssl.sh
testssl.sh --logjam target.com
```
7. FREAK (CVE-2015-0204)
Factoring RSA Export Keys - downgrade to 512-bit RSA.
| Attack | Detect | Defend |
|---|---|---|
| Force RSA_EXPORT cipher | Monitor for export ciphers | Disable EXPORT ciphers |
| Factor weak RSA key | Alert on 512-bit RSA | Require 2048-bit+ RSA |
| Decrypt traffic | Log cipher negotiations | Update SSL libraries |
Testing Commands
```bash
# Check for EXPORT ciphers (a completed handshake = the server still accepts them)
echo | openssl s_client -connect target.com:443 -cipher EXPORT
# Using testssl.sh
testssl.sh --freak target.com
```
8. ROBOT (CVE-2017-13099)
Return Of Bleichenbacher’s Oracle Threat - RSA key exchange attack.
| Attack | Detect | Defend |
|---|---|---|
| Padding oracle on RSA | Monitor decryption errors | Use ECDHE key exchange |
| Decrypt TLS traffic | Alert on timing variations | Disable RSA key exchange |
| Forge signatures | Log RSA operations | Update SSL libraries |
Testing Commands
```bash
# Using testssl.sh
testssl.sh --robot target.com
# Using the robot-detect tool (host is positional; -p sets the port)
python3 robot-detect.py -p 443 target.com
```
Vulnerability Summary
| Vulnerability | Affected | Severity | Fix |
|---|---|---|---|
| Heartbleed | OpenSSL 1.0.1-1.0.1f | Critical | Update OpenSSL |
| POODLE | SSL 3.0 | High | Disable SSL 3.0 |
| BEAST | TLS 1.0 + CBC | Medium | Use TLS 1.2+ |
| CRIME | TLS compression | Medium | Disable compression |
| BREACH | HTTP compression | Medium | Disable for secrets |
| DROWN | SSLv2 | High | Disable SSLv2 |
| Logjam | DHE < 1024 bit | High | Use 2048+ bit DH |
| FREAK | EXPORT ciphers | High | Disable EXPORT |
| ROBOT | RSA key exchange | High | Use ECDHE |
Testing TLS Configuration
Testing Checklist
| Attack | Detect | Defend |
|---|---|---|
| Protocol downgrade | Log TLS version negotiation | Disable old protocols |
| Cipher downgrade | Monitor cipher selection | Configure cipher preference |
| Certificate issues | Monitor cert expiry | Automate renewal |
| Missing HSTS | Check headers | Enable HSTS with long max-age |
Comprehensive Testing Commands
```bash
# === Protocol Version Testing ===
# Test each protocol version (-ssl3 needs an OpenSSL build with SSLv3 compiled in)
openssl s_client -connect target.com:443 -ssl3     # Should fail
openssl s_client -connect target.com:443 -tls1     # Should fail
openssl s_client -connect target.com:443 -tls1_1   # Should fail
openssl s_client -connect target.com:443 -tls1_2   # Should work
openssl s_client -connect target.com:443 -tls1_3   # Should work
# === Cipher Suite Testing ===
# Enumerate all ciphers
nmap --script ssl-enum-ciphers -p 443 target.com
# Check for weak ciphers (aNULL is the OpenSSL alias for anonymous suites)
openssl s_client -connect target.com:443 -cipher 'NULL:EXPORT:LOW:DES:RC4:MD5:aNULL'
# Should fail if properly configured
# Check cipher preference
testssl.sh --server-preference target.com
# === Certificate Testing ===
# View full certificate details
echo | openssl s_client -connect target.com:443 2>/dev/null | \
  openssl x509 -text -noout
# Check certificate expiry
echo | openssl s_client -connect target.com:443 2>/dev/null | \
  openssl x509 -dates -noout
# Verify certificate chain (look for "Verify return code: 0 (ok)")
openssl s_client -connect target.com:443 -verify 5
# Check hostname match
openssl s_client -connect target.com:443 -verify_hostname target.com
# === Vulnerability Testing ===
# Comprehensive test with testssl.sh
testssl.sh target.com
# Quick vulnerability scan
testssl.sh --vulnerable target.com
# Specific checks
testssl.sh --heartbleed --poodle --beast --logjam --drown target.com
# === Header Testing ===
# Check HSTS
curl -sI https://target.com | grep -i "strict-transport"
# Check all security headers
curl -sI https://target.com | grep -iE "(strict-transport|x-frame|x-content|x-xss|content-security)"
```
Certificate Attacks
1. Self-Signed Certificate Acceptance
If the client accepts self-signed certificates, MITM is trivial.
| Attack | Detect | Defend |
|---|---|---|
| Present self-signed cert | Monitor for self-signed alerts | Reject self-signed in production |
| MITM with custom CA | Log certificate warnings | Certificate pinning |
| Strip TLS entirely | Detect HTTP downgrade | HSTS preloading |
Testing Commands
```bash
# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=target.com"
# Test with mitmproxy using the self-signed cert (--certs expects key and cert in one PEM)
cat key.pem cert.pem > combined.pem
mitmproxy --certs combined.pem
# Check if client accepts invalid cert
# If app doesn't error on self-signed = vulnerable
```
2. Certificate Pinning Bypass
Mobile apps often pin certificates. Bypassing enables MITM.
| Attack | Detect | Defend |
|---|---|---|
| Frida/Objection bypass | Monitor for hooking attempts | Certificate pinning |
| Modify APK/IPA | Detect app tampering | Root/jailbreak detection |
| Use rooted/jailbroken device | Log connection anomalies | Binary protections |
Bypass Commands
```bash
# Using Frida with objection
objection --gadget com.target.app explore
# Then: android sslpinning disable
# Using Frida script
frida -U -f com.target.app -l ssl-unpin.js
# Using apktool + modification
apktool d app.apk
# Modify network_security_config.xml
apktool b app -o app-modified.apk
```
3. Hostname Verification Bypass
If the client doesn’t verify that the hostname matches the certificate, any valid certificate will be accepted.
| Attack | Detect | Defend |
|---|---|---|
| Use valid cert for wrong domain | Monitor for hostname mismatches | Strict hostname verification |
| Wildcard abuse | Log certificate warnings | Validate full hostname |
| Null byte injection | Detect unusual CNs | Use modern TLS libraries |
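A strict hostname check that covers the three rows above (wrong domain, wildcard abuse, NUL byte in a name), as an added example rather than code from the original post. It takes the dictionary shape Python's `ssl.getpeercert()` returns; `names_from_cert` and `hostname_matches` are names chosen here.

```python
def names_from_cert(cert: dict) -> list:
    """DNS names a certificate presents, in the shape ssl.getpeercert() returns.
    When any subjectAltName is present the CN is ignored, as modern clients do."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def _label_ok(label: str) -> bool:
    # Empty labels, non-ASCII and embedded NUL bytes are all rejected outright.
    return bool(label) and label.isascii() and "\x00" not in label


def hostname_matches(hostname: str, presented: list) -> bool:
    """Case-insensitive exact match, or a wildcard that is the whole left-most label
    and replaces exactly one label (so *.example.com matches www.example.com but not
    example.com, a.b.example.com or anything when the name is just *.com)."""
    host = hostname.lower().rstrip(".").split(".")
    if not all(_label_ok(label) for label in host):
        return False
    for name in presented:
        if "\x00" in name or not name.isascii():
            continue                                   # "victim.example\x00.attacker" style
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host:
                return True
            continue
        if labels[0] != "*" or any("*" in label for label in labels[1:]):
            continue                                   # w*.example.com, *.*.example.com
        if len(labels) < 3:
            continue                                   # "*" or "*.com" would match too much
        if len(host) == len(labels) and host[1:] == labels[1:]:
            return True
    return False


if __name__ == "__main__":
    # Constructed certificate dictionary, not a real peer certificate.
    cert = {"subject": ((("commonName", "legacy-cn.example.net"),),),
            "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                               ("IP Address", "203.0.113.5"))}
    for host in ("api.example.com", "a.b.example.com", "legacy-cn.example.net"):
        print(host, hostname_matches(host, names_from_cert(cert)))
```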
MITM and TLS Interception
TLS Interception Setup
```text
┌─────────┐                    ┌──────────┐                    ┌─────────┐
│ Client  │ ◄──── TLS 1 ─────► │  Proxy   │ ◄──── TLS 2 ─────► │ Server  │
│         │  (Proxy's cert)    │  (MITM)  │  (Server's cert)   │         │
└─────────┘                    └──────────┘                    └─────────┘
```
| Tool | Use Case | Command |
|---|---|---|
| mitmproxy | Interactive HTTP/HTTPS proxy | mitmproxy |
| Burp Suite | Web app testing | GUI-based |
| sslsplit | Transparent MITM | sslsplit -D -k key.pem -c cert.pem ssl 0.0.0.0 8443 |
| bettercap | Network MITM | bettercap -iface eth0 |
MITM Setup Commands
```bash
# === mitmproxy Setup ===
# Start mitmproxy
mitmproxy
# Install CA cert on client (from http://mitm.it when connected)
# Transparent mode
mitmproxy --mode transparent
# === Burp Suite Setup ===
# 1. Start Burp
# 2. Configure browser proxy: 127.0.0.1:8080
# 3. Export CA: Proxy > Options > CA Certificate > Export
# 4. Install CA in browser/system
# === sslsplit Setup ===
# Generate CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 365
# Run sslsplit
sslsplit -D -l connections.log -j /tmp/sslsplit -S /tmp/sslsplit/logs \
  -k ca.key -c ca.crt ssl 0.0.0.0 8443
# Redirect traffic (iptables)
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
```
| Tool | Purpose | Install |
|---|---|---|
| testssl.sh | Comprehensive TLS testing | git clone https://github.com/drwetter/testssl.sh |
| sslscan | Quick cipher scan | apt install sslscan |
| sslyze | Python-based scanner | pip install sslyze |
| nmap ssl scripts | NSE scripts for TLS | Built into nmap |
| openssl | Manual testing | apt install openssl |
| Tool | URL | Use |
|---|---|---|
| SSL Labs | ssllabs.com/ssltest | Comprehensive grading |
| Hardenize | hardenize.com | Security posture |
| ImmuniWeb | immuniweb.com/ssl | Free SSL test |
| Observatory | observatory.mozilla.org | Mozilla’s scanner |
| CryptCheck | cryptcheck.fr | French scanner |
Browser Extensions
| Extension | Purpose |
|---|---|
| HTTPS Everywhere | Force HTTPS |
| Certificate Patrol | Detect cert changes |
| Cipherfox | Show connection ciphers |
Tool Usage Examples
```bash
# === testssl.sh ===
# Full test
./testssl.sh target.com
# Quick check
./testssl.sh --fast target.com
# Specific checks
./testssl.sh --protocols --ciphers target.com
# JSON output
./testssl.sh --jsonfile results.json target.com
# === sslscan ===
# Basic scan
sslscan target.com
# Show certificate
sslscan --show-certificate target.com
# Check specific port
sslscan --port=8443 target.com
# === sslyze ===
# Regular scan
sslyze target.com
# All checks
sslyze --regular target.com
# JSON output
sslyze --json_out=results.json target.com
# === nmap ===
# Enumerate ciphers
nmap --script ssl-enum-ciphers -p 443 target.com
# All SSL scripts
nmap --script "ssl-*" -p 443 target.com
# Specific vulnerability
nmap --script ssl-heartbleed -p 443 target.com
```
Practice Labs
Beginner
| Resource | Focus | Link |
|---|---|---|
| TryHackMe - Cryptography | TLS basics | tryhackme.com |
| Cryptopals | Crypto challenges | cryptopals.com |
| HackTheBox Academy | TLS fundamentals | academy.hackthebox.com |
| Resource | Focus |
|---|---|
| PortSwigger - Web Security Academy | TLS attacks |
| PentesterLab | Certificate issues |
| DVWA | HTTPS testing |
Advanced
| Resource | Focus |
|---|---|
| Root Me | Cryptography challenges |
| HackTheBox | Real-world machines |
| CTF challenges | Various TLS attacks |
Home Lab Setup
```bash
# Create vulnerable TLS server for testing
# 1. Generate certificates (-subj avoids the interactive prompts)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# 2. Run server with weak configuration (for testing only!)
#    -ssl3 only works with an OpenSSL build that has SSLv3 compiled in; drop it on a
#    current build and the server still offers every cipher it knows
openssl s_server -accept 4433 \
  -cert server.crt -key server.key \
  -ssl3 \
  -cipher 'ALL:COMPLEMENTOFALL'
# 3. Test against it
testssl.sh localhost:4433
```
Glossary
| Term | Definition |
|---|---|
| AEAD | Authenticated Encryption with Associated Data (GCM, CCM) |
| CA | Certificate Authority - issues certificates |
| CBC | Cipher Block Chaining - encryption mode |
| Certificate Chain | Path from end-entity cert to root CA |
| Cipher Suite | Combination of algorithms for TLS |
| CRL | Certificate Revocation List |
| DHE | Diffie-Hellman Ephemeral - key exchange |
| ECDHE | Elliptic Curve DHE - faster key exchange |
| Forward Secrecy | Past sessions safe if key compromised |
| GCM | Galois/Counter Mode - AEAD cipher mode |
| Handshake | TLS negotiation process |
| HSTS | HTTP Strict Transport Security |
| OCSP | Online Certificate Status Protocol |
| PKI | Public Key Infrastructure |
| Pre-Master Secret | Shared secret before key derivation |
| SNI | Server Name Indication - hostname in TLS |
| TLS | Transport Layer Security |
| X.509 | Certificate format standard |
What’s Next?
Now that you understand TLS, continue your learning path:
| Topic | Description | Link |
|---|---|---|
| DNS Deep Dive | How DNS works and attacks | DNS Deep Dive |
| Encoding vs Encryption vs Hashing | Know the differences | Coming Soon |
| PKI & Certificates | Deep dive into certificate infrastructure | Coming Soon |
| Web App Pentesting | Apply TLS knowledge to web testing | Web App Pentesting Guide |
Summary
TLS/SSL security is critical for penetration testing:
- Handshake - Understand the negotiation process and where attacks occur
- Versions - Ensure only TLS 1.2+ is supported
- Cipher Suites - Remove weak ciphers, prefer AEAD
- Certificates - Validate chain, expiry, hostname, revocation
- Vulnerabilities - Test for Heartbleed, POODLE, BEAST, DROWN, etc.
- MITM - Understand interception for testing and attack scenarios
Always include TLS configuration testing in your engagements. Weak TLS is a common finding that demonstrates real security risk.
Found this guide helpful? Check out the other posts in the SecureKhan penetration testing series.