
tlsx's Introduction



A fast and configurable TLS grabber focused on TLS based data collection and analysis.

Features


  • Fast And fully configurable TLS Connection
  • Multiple Modes for TLS Connection
  • Multiple TLS probes
  • Auto TLS Fallback for older TLS version
  • Pre Handshake TLS connection (early termination)
  • Customizable Cipher / SNI / TLS selection
  • JARM/JA3 TLS Fingerprint
  • TLS Misconfigurations
  • ASN,CIDR,IP,HOST, and URL input
  • STD IN/OUT and TXT/JSON output

Installation

tlsx requires Go 1.21 to install successfully. To install, run the command below or download a pre-compiled binary from the release page.

go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest

Usage

tlsx -h

This will display help for the tool. Here are all the switches it supports.

TLSX is a tls data gathering and analysis toolkit.

Usage:
  tlsx [flags]

Flags:
INPUT:
   -u, -host string[]  target host to scan (-u INPUT1,INPUT2)
   -l, -list string    target list to scan (-l INPUT_FILE)
   -p, -port string[]  target port to connect (default 443)

SCAN-MODE:
   -sm, -scan-mode string     tls connection mode to use (ctls, ztls, openssl, auto) (default "auto")
   -ps, -pre-handshake        enable pre-handshake tls connection (early termination) using ztls
   -sa, -scan-all-ips         scan all ips for a host (default false)
   -iv, -ip-version string[]  ip version to use (4, 6) (default 4)

PROBES:
   -san                     display subject alternative names
   -cn                      display subject common names
   -so                      display subject organization name
   -tv, -tls-version        display used tls version
   -cipher                  display used cipher
   -hash string             display certificate fingerprint hashes (md5,sha1,sha256)
   -jarm                    display jarm fingerprint hash
   -ja3                     display ja3 fingerprint hash (using ztls)
   -wc, -wildcard-cert      display host with wildcard ssl certificate
   -tps, -probe-status      display tls probe status
   -ve, -version-enum       enumerate and display supported tls versions
   -ce, -cipher-enum        enumerate and display supported cipher
   -ct, -cipher-type value  ciphers types to enumerate. possible values: all/secure/insecure/weak (comma-separated) (default all)
   -ch, -client-hello       include client hello in json output (ztls mode only)
   -sh, -server-hello       include server hello in json output (ztls mode only)
   -se, -serial             display certificate serial number

MISCONFIGURATIONS:
   -ex, -expired      display host with host expired certificate
   -ss, -self-signed  display host with self-signed certificate
   -mm, -mismatched   display host with mismatched certificate
   -re, -revoked      display host with revoked certificate
   -un, -untrusted    display host with untrusted certificate

CONFIGURATIONS:
   -config string               path to the tlsx configuration file
   -r, -resolvers string[]      list of resolvers to use
   -cc, -cacert string          client certificate authority file
   -ci, -cipher-input string[]  ciphers to use with tls connection
   -sni string[]                tls sni hostname to use
   -rs, -random-sni             use random sni when empty
   -rps, -rev-ptr-sni           perform reverse PTR to retrieve SNI from IP
   -min-version string          minimum tls version to accept (ssl30,tls10,tls11,tls12,tls13)
   -max-version string          maximum tls version to accept (ssl30,tls10,tls11,tls12,tls13)
   -cert, -certificate          include certificates in json output (PEM format)
   -tc, -tls-chain              include certificates chain in json output
   -vc, -verify-cert            enable verification of server certificate
   -ob, -openssl-binary string  OpenSSL Binary Path
   -hf, -hardfail               strategy to use if encountered errors while checking revocation status

OPTIMIZATIONS:
   -c, -concurrency int  number of concurrent threads to process (default 300)
   -cec, -cipher-concurrency int  cipher enum concurrency for each target (default 10)
   -timeout int          tls connection timeout in seconds (default 5)
   -retry int            number of retries to perform for failures (default 3)
   -delay string         duration to wait between each connection per thread (eg: 200ms, 1s)

UPDATE:
   -up, -update                 update tlsx to latest version
   -duc, -disable-update-check  disable automatic tlsx update check

OUTPUT:
   -o, -output string  file to write output to
   -j, -json           display output in jsonline format
   -dns                display unique hostname from SSL certificate response
   -ro, -resp-only     display tls response only
   -silent             display silent output
   -nc, -no-color      disable colors in cli output
   -v, -verbose        display verbose output
   -version            display project version

DEBUG:
   -health-check, -hc  run diagnostic check up

Using tlsx as library

Examples of using tlsx as library are provided in the examples folder.

Running tlsx

Input for tlsx

tlsx needs a host or address to make a TLS connection to, and accepts the input formats listed below:

AS1449 # ASN input
173.0.84.0/24 # CIDR input
93.184.216.34 # IP input
example.com # DNS input
example.com:443 # DNS input with port
https://example.com:443 # URL input port

Input hosts can be provided with the -host / -u flag (multiple values as comma-separated input); file input is supported with the -list / -l flag.

Example of comma-separated host input:

$ tlsx -u 93.184.216.34,example.com,example.com:443,https://example.com:443 -silent

Example of file based host input:

$ tlsx -list host_list.txt

Port Input:

tlsx connects on port 443 by default; this can be customized with the -port / -p flag, where single or multiple ports can be specified as comma-separated input or as a newline-delimited file containing the ports to connect to.

Example of comma-separated port input:

$ tlsx -u hackerone.com -p 443,8443

Example of file based port input:

$ tlsx -u hackerone.com -p port_list.txt

Note:

When an input host contains a port, for example 8.8.8.8:443 or hackerone.com:8443, the port specified with the host is used for the TLS connection instead of the default or the one provided with the -port / -p flag.
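As an added illustration (not code from the tlsx project), here is a small Go parser that classifies the input formats listed above and applies the port rule from the note: a port embedded in the input wins over the -p default. The Target type and the ParseInput / ParseInputs functions are hypothetical names; ASN input is only recognised, since expanding AS1449 into prefixes needs an external lookup.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strconv"
	"strings"
)

// Target is one host:port pair that tlsx would open a TLS connection to.
type Target struct {
	Host string
	Port string
}

// ParseInput classifies one input line (CIDR, IP, DNS name, name:port or URL)
// and expands it into targets. defaultPort stands in for the -p/-port flag; a
// port embedded in the input wins over it. ASN input (AS1449) is recognised
// but cannot be expanded offline, since that needs a prefix lookup.
func ParseInput(line, defaultPort string) ([]Target, error) {
	line = strings.TrimSpace(line)
	if line == "" {
		return nil, fmt.Errorf("empty input")
	}
	if strings.HasPrefix(strings.ToUpper(line), "AS") {
		if _, err := strconv.Atoi(line[2:]); err == nil {
			return nil, fmt.Errorf("%s: ASN input needs an external prefix lookup", line)
		}
	}
	// URL input: scheme://host[:port]/...; the port comes from the URL if present.
	if strings.Contains(line, "://") {
		u, err := url.Parse(line)
		if err != nil || u.Hostname() == "" {
			return nil, fmt.Errorf("%s: invalid URL", line)
		}
		port := u.Port()
		if port == "" {
			port = defaultPort
		}
		return []Target{{Host: u.Hostname(), Port: port}}, nil
	}
	// CIDR input: expand every address in the prefix (capped at /16-sized ranges
	// here so a typo such as a /8 does not allocate millions of targets).
	if strings.Contains(line, "/") {
		prefix, err := netip.ParsePrefix(line)
		if err != nil {
			return nil, fmt.Errorf("%s: invalid CIDR", line)
		}
		if prefix.Addr().BitLen()-prefix.Bits() > 16 {
			return nil, fmt.Errorf("%s: prefix too large to expand in memory", line)
		}
		var out []Target
		for a := prefix.Masked().Addr(); prefix.Contains(a); a = a.Next() {
			out = append(out, Target{Host: a.String(), Port: defaultPort})
		}
		return out, nil
	}
	// host:port input: IPv4:port, [IPv6]:port or name:port.
	if host, port, err := net.SplitHostPort(line); err == nil {
		if n, perr := strconv.Atoi(port); perr != nil || n < 1 || n > 65535 {
			return nil, fmt.Errorf("%s: invalid port", line)
		}
		return []Target{{Host: host, Port: port}}, nil
	}
	// Anything else is a bare IP or DNS name on the default port.
	return []Target{{Host: line, Port: defaultPort}}, nil
}

// ParseInputs handles the comma-separated form accepted by -u/-host and
// drops duplicate host:port pairs, keeping first-seen order.
func ParseInputs(csv, defaultPort string) ([]Target, error) {
	seen := map[Target]bool{}
	var out []Target
	for _, item := range strings.Split(csv, ",") {
		targets, err := ParseInput(item, defaultPort)
		if err != nil {
			return nil, err
		}
		for _, t := range targets {
			if !seen[t] {
				seen[t] = true
				out = append(out, t)
			}
		}
	}
	return out, nil
}

func main() {
	// The comma-separated example from the README, with the default port 443.
	targets, err := ParseInputs("93.184.216.34,example.com,example.com:443,https://example.com:443", "443")
	if err != nil {
		panic(err)
	}
	for _, t := range targets {
		fmt.Printf("%s:%s\n", t.Host, t.Port)
	}
	if _, err := ParseInput("AS1449", "443"); err != nil {
		fmt.Println("skipped:", err)
	}
}
```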

TLS Probe (default run)

This runs the tool against the given CIDR range and returns the hosts that accept a TLS connection on port 443.

$ echo 173.0.84.0/24 | tlsx 
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

173.0.84.69:443
173.0.84.67:443
173.0.84.68:443
173.0.84.66:443
173.0.84.76:443
173.0.84.70:443
173.0.84.72:443

SAN/CN Probe

A TLS certificate carries DNS names in its subject alternative name and common name fields; these can be extracted with the -san and -cn flags.

$ echo 173.0.84.0/24 | tlsx -san -cn -silent

173.0.84.104:443 [uptycspay.paypal.com]
173.0.84.104:443 [api-3t.paypal.com]
173.0.84.104:443 [api-m.paypal.com]
173.0.84.104:443 [payflowpro.paypal.com]
173.0.84.104:443 [pointofsale-s.paypal.com]
173.0.84.104:443 [svcs.paypal.com]
173.0.84.104:443 [uptycsven.paypal.com]
173.0.84.104:443 [api-aa.paypal.com]
173.0.84.104:443 [pilot-payflowpro.paypal.com]
173.0.84.104:443 [pointofsale.paypal.com]
173.0.84.104:443 [uptycshon.paypal.com]
173.0.84.104:443 [api.paypal.com]
173.0.84.104:443 [adjvendor.paypal.com]
173.0.84.104:443 [zootapi.paypal.com]
173.0.84.104:443 [api-aa-3t.paypal.com]
173.0.84.104:443 [uptycsize.paypal.com]

For ease of automation, the optional -resp-only flag lists only the DNS names in the CLI output.

$ echo 173.0.84.0/24 | tlsx -san -cn -silent -resp-only

api-aa-3t.paypal.com
pilot-payflowpro.paypal.com
pointofsale-s.paypal.com
uptycshon.paypal.com
a.paypal.com
adjvendor.paypal.com
zootapi.paypal.com
api-aa.paypal.com
payflowpro.paypal.com
pointofsale.paypal.com
uptycspay.paypal.com
api-3t.paypal.com
uptycsize.paypal.com
api.paypal.com
api-m.paypal.com
svcs.paypal.com
uptycsven.paypal.com
uptycsven.paypal.com
a.paypal.com
api.paypal.com
pointofsale-s.paypal.com
pilot-payflowpro.paypal.com

Subdomains obtained from TLS certificates can be piped to other ProjectDiscovery tools for further inspection. Here is an example piping TLS subdomains to dnsx to keep only the names that resolve, and then to httpx to list hosts running active web services.

$ echo 173.0.84.0/24 | tlsx -san -cn -silent -resp-only | dnsx -silent | httpx

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/              v1.2.2

    projectdiscovery.io

Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.
https://api-m.paypal.com
https://uptycsize.paypal.com
https://api.paypal.com
https://uptycspay.paypal.com
https://svcs.paypal.com
https://adjvendor.paypal.com
https://uptycshap.paypal.com
https://uptycshon.paypal.com
https://pilot-payflowpro.paypal.com
https://slc-a-origin-pointofsale.paypal.com
https://uptycsven.paypal.com
https://api-aa.paypal.com
https://api-aa-3t.paypal.com
https://uptycsbrt.paypal.com
https://payflowpro.paypal.com
http://pointofsale-s.paypal.com
http://slc-b-origin-pointofsale.paypal.com
http://api-3t.paypal.com
http://zootapi.paypal.com
http://pointofsale.paypal.com

TLS / Cipher Probe

$ subfinder -d hackerone.com | tlsx -tls-version -cipher

mta-sts.hackerone.com:443 [TLS1.3] [TLS_AES_128_GCM_SHA256]
hackerone.com:443 [TLS1.3] [TLS_AES_128_GCM_SHA256]
api.hackerone.com:443 [TLS1.3] [TLS_AES_128_GCM_SHA256]
mta-sts.managed.hackerone.com:443 [TLS1.3] [TLS_AES_128_GCM_SHA256]
mta-sts.forwarding.hackerone.com:443 [TLS1.3] [TLS_AES_128_GCM_SHA256]
www.hackerone.com:443 [TLS1.3] [TLS_AES_128_GCM_SHA256]
support.hackerone.com:443 [TLS1.2] [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

TLS Misconfiguration

Expired / Self Signed / Mismatched / Revoked / Untrusted Certificate

A list of hosts can be provided to tlsx to detect expired / self-signed / mismatched / revoked / untrusted certificates.

$ tlsx -l hosts.txt -expired -self-signed -mismatched -revoked -untrusted
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

wrong.host.badssl.com:443 [mismatched]
self-signed.badssl.com:443 [self-signed]
expired.badssl.com:443 [expired]
revoked.badssl.com:443 [revoked]
untrusted-root.badssl.com:443 [untrusted]
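The following Go example (added here, not the project's own implementation) builds a self-signed test certificate in memory and reproduces the expired, self-signed, mismatched and wildcard checks behind the flags above. The certificate is constructed to resemble the badssl.com wildcard case (CN and SAN *.badssl.com, validity window in April 2015); CheckCert, MakeTestCert and nameMatches are hypothetical names, and the revoked / untrusted checks are left out because they need OCSP/CRL data and a root store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// CertFindings mirrors the checks behind tlsx's -expired, -self-signed,
// -mismatched and -wildcard-cert flags.
type CertFindings struct {
	Expired    bool
	SelfSigned bool
	Mismatched bool
	Wildcard   bool
}

// nameMatches applies the usual TLS name rule: exact (case-insensitive)
// match, or a "*." pattern that covers exactly one leading label.
func nameMatches(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == host {
		return true
	}
	if strings.HasPrefix(pattern, "*.") {
		if i := strings.IndexByte(host, '.'); i > 0 {
			return host[i+1:] == pattern[2:]
		}
	}
	return false
}

// CheckCert evaluates one leaf certificate for the input host at time now.
func CheckCert(cert *x509.Certificate, host string, now time.Time) CertFindings {
	var f CertFindings
	names := append([]string{cert.Subject.CommonName}, cert.DNSNames...)
	// -expired: outside the validity window.
	f.Expired = now.After(cert.NotAfter) || now.Before(cert.NotBefore)
	// -self-signed: issuer equals subject and the signature verifies under the cert's own key.
	f.SelfSigned = cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	// -mismatched: the input host is covered by neither CN, DNS SANs nor IP SANs.
	matched := false
	if ip := net.ParseIP(host); ip != nil {
		for _, cip := range cert.IPAddresses {
			matched = matched || cip.Equal(ip)
		}
	} else {
		for _, n := range names {
			matched = matched || nameMatches(n, host)
		}
	}
	f.Mismatched = !matched
	// -wildcard-cert: any CN or SAN entry starting with "*.".
	for _, n := range names {
		f.Wildcard = f.Wildcard || strings.HasPrefix(n, "*.")
	}
	return f
}

// MakeTestCert creates a self-signed ECDSA certificate with the given names
// and validity window (constructed test data, never sent anywhere).
func MakeTestCert(cn string, sans []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeTestCert("*.badssl.com", []string{"*.badssl.com", "badssl.com"},
		time.Date(2015, 4, 9, 0, 0, 0, 0, time.UTC), time.Date(2015, 4, 12, 23, 59, 59, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	now := time.Date(2022, 7, 19, 0, 0, 0, 0, time.UTC)
	for _, host := range []string{"expired.badssl.com", "wrong.host.badssl.com"} {
		fmt.Printf("%s:443 %+v\n", host, CheckCert(cert, host, now))
	}
}
```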

JARM TLS Fingerprint

$ echo hackerone.com | tlsx -jarm -silent

hackerone.com:443 [29d3dd00029d29d00042d43d00041d5de67cc9954cc85372523050f20b5007]

JA3 TLS Fingerprint

$ echo hackerone.com | tlsx -ja3 -silent

hackerone.com:443 [20c9baf81bfe96ff89722899e75d0190]

JSON Output

tlsx supports multiple probe flags to query specific data, but all the information is always available in JSON format; for automation and post-processing, the -json output is the most convenient option.

echo example.com | tlsx -json -silent | jq .
{
  "timestamp": "2022-08-22T21:22:59.799053+05:30",
  "host": "example.com",
  "ip": "93.184.216.34",
  "port": "443",
  "probe_status": true,
  "tls_version": "tls13",
  "cipher": "TLS_AES_256_GCM_SHA384",
  "not_before": "2022-03-14T00:00:00Z",
  "not_after": "2023-03-14T23:59:59Z",
  "subject_dn": "CN=www.example.org, O=Internet Corporation for Assigned Names and Numbers, L=Los Angeles, ST=California, C=US",
  "subject_cn": "www.example.org",
  "subject_org": [
    "Internet Corporation for Assigned Names and Numbers"
  ],
  "subject_an": [
    "www.example.org",
    "example.net",
    "example.edu",
    "example.com",
    "example.org",
    "www.example.com",
    "www.example.edu",
    "www.example.net"
  ],
  "issuer_dn": "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
  "issuer_cn": "DigiCert TLS RSA SHA256 2020 CA1",
  "issuer_org": [
    "DigiCert Inc"
  ],
  "fingerprint_hash": {
    "md5": "c5208a47259d540a6e3404dddb85af91",
    "sha1": "df81dfa6b61eafdffffe1a250240db5d2e6cee25",
    "sha256": "7f2fe8d6b18e9a47839256cd97938daa70e8515750298ddba2f3f4b8440113fc"
  },
  "tls_connection": "ctls",
  "sni": "example.com"
}
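Added example, not part of the README: a Go post-processor for the -json line format shown above. It parses a few constructed JSONL records that use the field names from the sample, then flags certificates expiring within a given window, hosts that negotiated a TLS version below 1.2, and the unique DNS names across all certificates (leading wildcard stripped and deduplicated, similar to what -dns / -resp-only produce). Record, SampleOutput, ParseJSONL, ExpiringWithin, LegacyTLS and UniqueNames are hypothetical names.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Record maps the tlsx -json fields used here, named as in the sample output.
// A failed probe carries "probe_status": false and an "error" string instead
// of certificate data, so NotAfter stays zero for it.
type Record struct {
	Timestamp   string    `json:"timestamp"`
	Host        string    `json:"host"`
	IP          string    `json:"ip"`
	Port        string    `json:"port"`
	ProbeStatus bool      `json:"probe_status"`
	Error       string    `json:"error"`
	TLSVersion  string    `json:"tls_version"`
	Cipher      string    `json:"cipher"`
	NotAfter    time.Time `json:"not_after"`
	SubjectCN   string    `json:"subject_cn"`
	SubjectAN   []string  `json:"subject_an"`
	IssuerCN    string    `json:"issuer_cn"`
}

// SampleOutput is constructed input in the jsonline format: the example.com
// record from the README sample, a made-up legacy host, and a failed probe.
const SampleOutput = `
{"timestamp":"2022-08-22T21:22:59.799053+05:30","host":"example.com","ip":"93.184.216.34","port":"443","probe_status":true,"tls_version":"tls13","cipher":"TLS_AES_256_GCM_SHA384","not_before":"2022-03-14T00:00:00Z","not_after":"2023-03-14T23:59:59Z","subject_cn":"www.example.org","subject_an":["www.example.org","example.net","example.edu","example.com","example.org","www.example.com","www.example.edu","www.example.net"],"issuer_cn":"DigiCert TLS RSA SHA256 2020 CA1","tls_connection":"ctls","sni":"example.com"}
{"timestamp":"2022-08-22T21:23:01.000000+05:30","host":"legacy.example.net","ip":"192.0.2.10","port":"8443","probe_status":true,"tls_version":"tls10","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","not_before":"2021-09-01T00:00:00Z","not_after":"2022-09-01T00:00:00Z","subject_cn":"*.example.net","subject_an":["*.example.net","example.net"],"issuer_cn":"Example Internal CA","tls_connection":"ztls","sni":"legacy.example.net"}
{"host":"192.0.2.20","port":"443","probe_status":false,"error":"could not do handshake: remote error: tls: unrecognized name"}
`

// ParseJSONL reads one record per non-empty line, as -json emits them.
func ParseJSONL(input string) ([]Record, error) {
	var recs []Record
	sc := bufio.NewScanner(strings.NewReader(input))
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // -cert / -tls-chain make lines long
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var r Record
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		recs = append(recs, r)
	}
	return recs, sc.Err()
}

// ExpiringWithin returns host:port for successful probes whose certificate
// expires before now+window (already expired ones included).
func ExpiringWithin(recs []Record, now time.Time, window time.Duration) []string {
	var out []string
	for _, r := range recs {
		if r.ProbeStatus && !r.NotAfter.IsZero() && r.NotAfter.Before(now.Add(window)) {
			out = append(out, r.Host+":"+r.Port)
		}
	}
	return out
}

// LegacyTLS returns host:port for connections negotiated below TLS 1.2.
func LegacyTLS(recs []Record) []string {
	var out []string
	for _, r := range recs {
		switch r.TLSVersion {
		case "ssl30", "tls10", "tls11":
			out = append(out, r.Host+":"+r.Port)
		}
	}
	return out
}

// UniqueNames collects every CN and SAN, lower-cased, with a leading "*."
// stripped, deduplicated and sorted.
func UniqueNames(recs []Record) []string {
	seen := map[string]bool{}
	for _, r := range recs {
		for _, n := range append([]string{r.SubjectCN}, r.SubjectAN...) {
			if n = strings.ToLower(strings.TrimPrefix(n, "*.")); n != "" {
				seen[n] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

func main() {
	recs, err := ParseJSONL(SampleOutput)
	if err != nil {
		panic(err)
	}
	now := time.Date(2022, 8, 22, 0, 0, 0, 0, time.UTC)
	fmt.Println("expiring within 30 days:", ExpiringWithin(recs, now, 30*24*time.Hour))
	fmt.Println("legacy TLS:", LegacyTLS(recs))
	fmt.Println("unique names:", UniqueNames(recs))
}
```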

Configuration

Scan Mode

tlsx provides multiple modes to make TLS connections (ctls, ztls, openssl and auto; see -scan-mode above).

Pointers for each specific mode / library are highlighted in the linked discussions. The auto mode is provided to ensure maximum coverage: it also scans hosts running older TLS versions by retrying the connection using the ztls and openssl modes upon any connection error.

An example of using ztls mode to scan a website using an old / outdated TLS version:

$ echo tls-v1-0.badssl.com | tlsx -port 1010 -sm ztls
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

tls-v1-0.badssl.com:1010

OpenSSL

To use the openssl connection mode, you will need to have openssl installed on your system. Most modern systems come with openssl pre-installed, but if it is not present on your system, you can install it manually. You can check if openssl is installed by running the command openssl version. If openssl is installed, this command will display the version number.

Pre-Handshake (Early Termination)

tlsx supports terminating the TLS connection early, which leads to faster scanning and fewer connection requests (disconnecting once the TLS ServerHello and certificate data have been gathered).

For more detail, please refer to Hunting-Certificates-And-Servers by @erbbysam

An example of using -pre-handshake mode:

$ tlsx -u example.com -pre-handshake 
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

example.com:443

Note:

Pre-handshake mode utilizes ztls (zcrypto/tls), which means support is limited to TLS v1.2 and below, as TLS v1.3 is not supported by the ztls library.

TLS Version

Minimum and maximum TLS versions can be specified using the -min-version and -max-version flags; by default these values are set by the underlying library.

The acceptable values for the TLS version are listed below.

  • ssl30
  • tls10
  • tls11
  • tls12
  • tls13

Here is an example using -max-version to scan for hosts supporting an older version of TLS, i.e. TLS v1.0:

$ tlsx -u example.com -max-version tls10
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
example.com:443

Custom Cipher

A custom cipher can be provided using the -cipher-input / -ci flag; the supported cipher list for each mode is available on the wiki page.

$ tlsx -u example.com -ci TLS_AES_256_GCM_SHA384 -cipher
$ tlsx -u example.com -ci cipher_list.txt -cipher

Acknowledgements

This program optionally uses:

  • zcrypto library from the zmap team.
  • cfssl library from the cloudflare team
  • cipher data from ciphersuite.info for ciphersuite classification

tlsx is made with ❤️ by the projectdiscovery team and distributed under MIT License.


tlsx's Issues

CLI flags to display probed tls data

Flag description:

PROBES:
   -san				display subject alternative names (false)
   -cn				display subject common name (false)
   -so				display subject organization name (false)
   -tv -tls-version		display used tls version (false)
   -cipher			display used cipher (false)
   -ex -expired			display validity status of tls certificate (false)
   -ss -self-signed		display status of self-signed certificate (false)
   -hash string			display certificate fingerprint hashes (md5,sha1,sha256)
   
OUTPUT:
   -ro, -resp-only     display tls response only
   -nc, -no-color      disable colors in cli output

Example runs:

$ echo yahoo.com | tlsx -san -cn -silent

yahoo.com:443 [yahoo.com]
yahoo.com:443 [tw.rd.yahoo.com]
yahoo.com:443 [s.yimg.com]
yahoo.com:443 [mbp.yimg.com]
yahoo.com:443 [hk.rd.yahoo.com]
yahoo.com:443 [fr-ca.rogers.yahoo.com]
yahoo.com:443 [ddl.fp.yahoo.com]
yahoo.com:443 [ca.rogers.yahoo.com]
yahoo.com:443 [ca.my.yahoo.com]
yahoo.com:443 [brb.yahoo.net]
yahoo.com:443 [add.my.yahoo.com]
yahoo.com:443 [www.yahoo.com]
yahoo.com:443 [media.yahoo.com]
yahoo.com:443 [global.vespa.oath.cloud]
yahoo.com:443 [att.yahoo.com]
yahoo.com:443 [amp.yimg.com]
$ echo yahoo.com | tlsx -san -cn -resp-only -silent

yahoo.com
tw.rd.yahoo.com
s.yimg.com
mbp.yimg.com
hk.rd.yahoo.com
fr-ca.rogers.yahoo.com
ddl.fp.yahoo.com
ca.rogers.yahoo.com
ca.my.yahoo.com
brb.yahoo.net
add.my.yahoo.com
www.yahoo.com
media.yahoo.com
global.vespa.oath.cloud
att.yahoo.com
amp.yimg.com
$ chaos -d hackerone.com | tlsx -tv -cipher

gslink.hackerone.com:443 [TLS 1.2] [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
support.hackerone.com:443 [TLS 1.2] [TLS_AES_128_GCM_SHA256]
www.hackerone.com:443 [TLS 1.2] [TLS_AES_128_GCM_SHA256]
api.hackerone.com:443 [TLS 1.2] [TLS_AES_128_GCM_SHA256]
mta-sts.hackerone.com:443 [TLS 1.2] [TLS_AES_128_GCM_SHA256]
mta-sts.forwarding.hackerone.com:443 [TLS 1.2] [TLS_AES_128_GCM_SHA256]
mta-sts.managed.hackerone.com:443 [TLS 1.2] [TLS_AES_128_GCM_SHA256]
docs.hackerone.com:443 [TLS 1.2] [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
$ echo self-signed.badssl.com | tlsx -expired
self-signed.badssl.com:443 [expired]
$ echo expired.badssl.com | tlsx -self-signed
expired.badssl.com:443 [self-signed]

Notes:

  • Consider using colors to distinguish input and responses data
  • With -san and -cn flag, wildcard string (*) from DNS data needs to be removed + unique in CLI output and remains as original in JSON data.
  • When subject-cn == issuer-cn, self-signed marked as true
  • When times.now > not-after, expired marked as true

panic: runtime error: invalid memory address or nil pointer dereference

tlsx version:

main/dev

Current Behavior:

echo 12.35.70.0/23 | ./tlsx -silent
12.35.70.76:443
12.35.70.74:443
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x660 pc=0x1016a48cc]

goroutine 234 [running]:
github.com/zmap/zcrypto/verifier.CheckOCSP({0x101fcfa90, 0x140001a6050}, 0x0, 0x1400134e300?)
	/Users/geekboy/go/pkg/mod/github.com/zmap/[email protected]/verifier/revocation.go:30 +0x2c
github.com/projectdiscovery/tlsx/pkg/tlsx/clients.IsZTLSRevoked(0x0)
	/Users/geekboy/Github/tlsx/pkg/tlsx/clients/clients.go:324 +0x3c
github.com/projectdiscovery/tlsx/pkg/tlsx/clients.IsTLSRevoked(0x14001028900?)
	/Users/geekboy/Github/tlsx/pkg/tlsx/clients/clients.go:319 +0x30
github.com/projectdiscovery/tlsx/pkg/tlsx/tls.(*Client).convertCertificateToResponse(0x1400024a918, {0x14001028900, 0xb}, 0x1400168c000)
	/Users/geekboy/Github/tlsx/pkg/tlsx/tls/tls.go:206 +0x158
github.com/projectdiscovery/tlsx/pkg/tlsx/tls.(*Client).ConnectWithOptions(0x1400024a918, {0x14001028900, 0xb}, {0x0, 0x0}, {0x101767745, 0x3}, {{0x0, 0x0}, {0x0, ...}, ...})
	/Users/geekboy/Github/tlsx/pkg/tlsx/tls/tls.go:186 +0x734
github.com/projectdiscovery/tlsx/pkg/tlsx/auto.(*Client).ConnectWithOptions(0x1400024a948, {0x14001028900, 0xb}, {0x0, 0x0}, {0x101767745, 0x3}, {{0x0, 0x0}, {0x0, ...}, ...})
	/Users/geekboy/Github/tlsx/pkg/tlsx/auto/auto.go:38 +0x88
github.com/projectdiscovery/tlsx/pkg/tlsx.(*Service).ConnectWithOptions(0x1400024a900, {0x14001028900, 0xb}, {0x0, 0x0}, {0x101767745, 0x3}, {{0x0, 0x0}, {0x0, ...}, ...})
	/Users/geekboy/Github/tlsx/pkg/tlsx/tlsx.go:58 +0xe0
github.com/projectdiscovery/tlsx/internal/runner.(*Runner).processInputElementWorker(0x1400043de40, 0x0?, 0x0?)
	/Users/geekboy/Github/tlsx/internal/runner/runner.go:161 +0x528
created by github.com/projectdiscovery/tlsx/internal/runner.(*Runner).Execute
	/Users/geekboy/Github/tlsx/internal/runner/runner.go:122 +0x58

Expected Behavior:

no crash

issue with custom tls version selection with auto mode

tlsx version:

dev,latest

Current Behavior:

echo 104.16.100.52 | tlsx -max-version ssl30 -silent -tps
[FTL] could not create tlsx client: could not create tls service: could not create tls client: invalid max version specified: ssl30

Expected Behavior:

echo 104.16.100.52 | tlsx -max-version ssl30 -silent -tps
104.16.100.52:443 [failed]

Steps To Reproduce:

echo 104.16.100.52 | tlsx -max-version ssl30 -silent -tps

TLS Versions and Ciphers enumeration support

Flag description:

   -ve -version-enum	enumerate and display supported tls versions (false)
   -ce -cipher-enum	enumerate and display supported cipher (false)

CLI Output:

echo tls-v1-0.badssl.com | tlsx -port 1010 -ve 

tls-v1-0.badssl.com:1010 [TLS1.0,TLS1.1,TLS1.2]

JSON Output:

{
   "version-enum":[
      "TLS1.0",
      "TLS1.1",
      "TLS1.2"
   ],
   "cipher-enum": [
      "ECDHE-RSA-AES256-GCM-SHA384",
      "ECDHE-RSA-AES256-SHA384",
      "ECDHE-RSA-AES256-SHA",
      "DHE-RSA-AES256-GCM-SHA384",
      "DHE-RSA-AES256-SHA256",
      "DHE-RSA-AES256-SHA",
      "DHE-RSA-CAMELLIA256-SHA",
      "AES256-GCM-SHA384",
      "AES256-SHA256",
      "AES256-SHA",
      "CAMELLIA256-SHA",
      "ECDHE-RSA-AES128-GCM-SHA256",
      "ECDHE-RSA-AES128-SHA256",
      "ECDHE-RSA-AES128-SHA",
      "DHE-RSA-AES128-GCM-SHA256",
      "DHE-RSA-AES128-SHA256",
      "DHE-RSA-AES128-SHA",
      "DHE-RSA-CAMELLIA128-SHA",
      "AES128-GCM-SHA256",
      "AES128-SHA256",
      "AES128-SHA",
      "CAMELLIA128-SHA",
      "ECDHE-RSA-DES-CBC3-SHA",
      "DES-CBC3-SHA"
    ]
}

OpenSSL scan

Please describe your feature request:

As a continuation of #31 it would be interesting to add support for OpenSSL scan (example bindings at https://pkg.go.dev/github.com/spacemonkeygo/openssl). The scan type should be optional.

This includes:

  • New Scan mode (openssl)
  • Extending auto mode to support openssl
   -sm, -scan-mode string  tls connection mode to use (ctls, ztls, openssl, auto) (default ctls)

Describe the use case of this feature:

Increased coverage and certificate parsing capabilities.

Failed TLS connection with WAFs

tlsx version:

dev | master

Current Behavior:

echo 45.60.13.153:443 | tlsx -json -tps  | jq .
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\	v0.0.6

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Connections made using crypto/tls: 0, zcrypto/tls: 0, openssl: 0
{
  "host": "45.60.13.153",
  "port": "443",
  "probe_status": false,
  "error": "could not do handshake: remote error: tls: unrecognized name; could not do tls handshake: remote error: alert(112)"
}

Expected Behavior:

Pulling certificate information like in the browser - https://45.60.13.153:443


Client certificates support

Description

Consider adding support for client certificates to supply in tls.Config/ztls.Config

   -cc, -cacert string  client certificate authority file

Use cases

  • Servers accepting arbitrary certificates
  • Identify hosts accepting a specific certificate (or a specific set of certificates)

TLS13 Cipher Enumeration

Please describe your feature request:

Investigate the feasibility of enumerations for TLS1.3 (cipher selection is automatic - ref #20 (comment))

Describe the use case of this feature:

Cipher enumeration for TLS 1.3

Add Revoked Certificate detection

Please describe your feature request:

Add the flag -revoked (-re) in order to spot hosts having revoked certificates (similar to expired, mismatched and self-signed).

Describe the use case of this feature:

It can be useful to identify vulnerable hosts (since a revoked certificate could indicate bad things: Encryption keys of the certificate have been compromised, Issuer not trusted anymore..)

JSON output improvements

Example output:

{
   "timestamp":"2022-06-16 04:27:00 GMT",
   "host":"youtube.com",
   "ip":"13.225.34.120",
   "port":"443",
   "tls-version":"TLS1.3",
   "cipher":"TLS_CHACHA20_POLY1305_SHA256",
   "tls-connection":"ctls",
   "not-before":"2017-11-06 12:23:45 GMT",
   "not-after":"2027-11-06 12:23:45 GMT",
   "expired":false,
   "self-signed":false,
   "subject-dn":"CN=*.google.com",
   "subject-cn":"*.google.com",
   "subject-an":[
      "*.google.com",
      "*.appengine.google.com",
      "android.com",
      "*.android.com",
      "developers.android.google.cn",
      "source.android.google.cn"
   ],
   "issuer-dn":"C=US, O=Google Trust Services LLC, CN=GTS CA 1C3",
   "issuer-cn":"GTS CA 1C3",
   "issuer-organization":[
      "Google Trust Services LLC"
   ],
   "fingerprint-hash":{
      "md5":"52e90a5eefa986c99991bf9c662ce05b",
      "sha1":"9539ef6c90415f8dce30f8f0b475fb0adbbb1862",
      "sha256":"405f170599ab1f7b9563c41c84972fe622efb802e7b8651f85b14cd576e380a5"
   }
}

Wildcard SSL Certificate detection

Please describe your feature request:

This is more of a feature for data analysis; currently two types of wildcard certificate are issued:

  1. Wildcard SSL certificate for a specific domain (*.cn)
  2. Wildcard SAN Certificate (*.san)

CLI Option:

   -wc, -wildcard-cert    display wildcard certificate

Example run with JSON output:

echo expired.badssl.com | tlsx -json
{
  "timestamp": "2022-07-19T16:24:59.085676+05:30",
  "host": "expired.badssl.com",
  "ip": "104.154.89.105",
  "port": "443",
  "probe_status": true,
+  "wildcard_certificate": true,
  "tls_version": "tls12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "expired": true,
  "not_before": "2015-04-09T00:00:00Z",
  "not_after": "2015-04-12T23:59:59Z",
  "subject_dn": "CN=*.badssl.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated",
  "subject_cn": "*.badssl.com",
  "subject_an": [
    "*.badssl.com",
    "badssl.com"
  ],
  "issuer_dn": "CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuer_cn": "COMODO RSA Domain Validation Secure Server CA",
  "issuer_org": [
    "COMODO CA Limited"
  ],
  "fingerprint_hash": {
    "md5": "67344e61c0431cf1f7257c1d6de7a785",
    "sha1": "404bbd2f1f4cc2fdeef13aabdd523ef61f1c71f3",
    "sha256": "ba105ce02bac76888ecee47cd4eb7941653e9ac993b61b2eb3dcc82014d21b4f"
  },
  "tls_connection": "ctls",
  "sni": "expired.badssl.com"
}

Example run with CLI output:

echo expired.badssl.com | tlsx -wc

hackerone.com:443 [wildcard]

Detection logic:

if subject_cn || subject_an contains *., wildcard_certificate == true

Option to display host with mismatched certificate

An option to display hosts with mismatched certificates.

echo 104.16.53.111 | tlsx -mm

104.16.53.111:443 [mismatched]

CLI Flag:

   -mm, -mis-matched        display mismatched certificate

JSON:

  "mis_matched": true,

Logic:

input host != (cert.SubjectAN || cert.SubjectCN)

i.e. certificate name does not match input error when using -verify-cert option with -tps flag.

Support scan-all-ips modality

Please describe your feature request:

The tool should support the scan-all-ips modality and enumerate all the ips (IPv4 and IPv6) associated with a domain name

   -scan-all-ips, -sa                  scan all the ips associated with dns record
   -ip-version, -iv string[]           ip version to scan of hostname (4,6) - (default 4)

Describe the use case of this feature:

Better coverage of TLS enumeration

Identify invalid hostname

I'm not sure if self-signed certificates should also be flagged as mismatched:

❯ echo "target.com" | tlsx -silent -mm
target.com:443 [mismatched]
❯ echo "target.com" | tlsx -silent -cn
target.com:443 [sslvpn]
❯ echo "target.com" | tlsx -silent -ss
target.com:443 [self-signed]

Maybe the logic could be that if the cn is not a valid domain / subdomain it should not be flagged as a mismatch ?

Also the fact that you cannot combine -cn and -mm or -ss is really too bad since it makes it harder to identify problems.

My workaround:

cat subdomains.txt|tlsx -silent -mm -ss|grep -E 'mismatch|signed'|cut -d':' -f1|tlsx -silent -cn

Crash running tlsx in auto-mode

tlsx version:

dev

Current Behavior:

Crash with auto mode

Expected Behavior:

Scan finishes successfully

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xc8f258]

goroutine 313 [running]:
github.com/projectdiscovery/tlsx/pkg/tlsx/ztls.(*Client).ConnectWithOptions(0xc001216d98, {0xc003e64b90, 0xc}, {0x0, 0x0}, {0xf2041f, 0x3}, {{0x0?, 0xc8b2b2?}})
	/root/tlsx/pkg/tlsx/ztls/ztls.go:187 +0x878
github.com/projectdiscovery/tlsx/pkg/tlsx/auto.(*Client).ConnectWithOptions(0xc001216db0, {0xc003e64b90, 0xc}, {0x0, 0x0}, {0xf2041f, 0x3}, {{0x0?, 0xc00001fa98?}})
	/root/tlsx/pkg/tlsx/auto/auto.go:42 +0xfd
github.com/projectdiscovery/tlsx/pkg/tlsx.(*Service).ConnectWithOptions(0xc001216d68, {0xc003e64b90, 0xc}, {0x0, 0x0}, {0xf2041f, 0x3}, {{0x0?, 0x0?}})
	/root/tlsx/pkg/tlsx/tlsx.go:58 +0xfd
github.com/projectdiscovery/tlsx/internal/runner.(*Runner).processInputElementWorker(0xc000016600, 0x0?, 0x0?)
	/root/tlsx/internal/runner/runner.go:152 +0x445
created by github.com/projectdiscovery/tlsx/internal/runner.(*Runner).Execute
	/root/tlsx/internal/runner/runner.go:118 +0x65

Anything else:

{"ip":"104.248.121.26","level":"error","msg":"Could not execute work module tlsx 2.16.0.0/12: could not run tlsx: could not wait for command to finish: exit status 2 =\u003e   \n\n  _____ _    _____  __\n |_   _| |  / __\\ \\/ /\n   | | | |__\\__ \\\u003e  \u003c \n   |_| |____|___/_/\\_\\\tv0.0.5\n\n\t\tprojectdiscovery.io\n\n[\u001b[34mWRN\u001b[0m] Use with caution. You are responsible for your actions.\n[\u001b[34mWRN\u001b[0m] Developers assume no liability and are not responsible for any misuse or damage.\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xc8f258]\n\ngoroutine 313 [running]:\ngithub.com/projectdiscovery/tlsx/pkg/tlsx/ztls.(*Client).ConnectWithOptions(0xc001216d98, {0xc003e64b90, 0xc}, {0x0, 0x0}, {0xf2041f, 0x3}, {{0x0?, 0xc8b2b2?}})\n\t/root/tlsx/pkg/tlsx/ztls/ztls.go:187 +0x878\ngithub.com/projectdiscovery/tlsx/pkg/tlsx/auto.(*Client).ConnectWithOptions(0xc001216db0, {0xc003e64b90, 0xc}, {0x0, 0x0}, {0xf2041f, 0x3}, {{0x0?, 0xc00001fa98?}})\n\t/root/tlsx/pkg/tlsx/auto/auto.go:42 +0xfd\ngithub.com/projectdiscovery/tlsx/pkg/tlsx.(*Service).ConnectWithOptions(0xc001216d68, {0xc003e64b90, 0xc}, {0x0, 0x0}, {0xf2041f, 0x3}, {{0x0?, 0x0?}})\n\t/root/tlsx/pkg/tlsx/tlsx.go:58 +0xfd\ngithub.com/projectdiscovery/tlsx/internal/runner.(*Runner).processInputElementWorker(0xc000016600, 0x0?, 0x0?)\n\t/root/tlsx/internal/runner/runner.go:152 +0x445\ncreated by github.com/projectdiscovery/tlsx/internal/runner.(*Runner).Execute\n\t/root/tlsx/internal/runner/runner.go:118 +0x65\n\n","taskid":"cbp8t778j1tdoqpk4mag","time":"2022-08-09T16:49:04Z"}

TLS Connection Pooling

Please describe your feature request:

TLS probes might require multiple connections to the same host (e.g., jarm, SNI bruteforce, ciphers enumeration, etc.); therefore, a connection pooling mechanism similar to http.Transport should be considered (TLS tends to break connections, so before putting them back in the pool, it's necessary to check the connection consistency state).

The associated PR covers the existing specific jarm case #10 and it's needed to verify if tls connection reuse is feasible in the following cases:

Custom resolver input / file support

For DNS resolutions against a large list of dns input, custom resolver input/list can be supported.

   -r, -resolver string          list of resolvers to use (INPUT_1,INPUT_2,INPUT_FILE)
cat dns.txt | tlsx -r 1.1.1.1,resolver.txt

crypto/tls failed to make tls connection

host google.com
google.com has address 142.251.42.110

Does not work with default (crypto/tls):

echo 142.251.42.110 | tlsx -json | jq .
# echo 142.251.42.110 | tlsx -json -max-version tls12 | jq .

{
  "host": "142.251.42.110",
  "port": "443",
  "version": "tls13",
  "leaf": {
    "issuer-common-name": "invalid2.invalid",
    "subject-common-name": "invalid2.invalid"
  }
}

Works with ztls

echo 142.251.42.110 | tlsx -json -ztls | jq .

{
  "host": "142.251.42.110",
  "port": "443",
  "version": "tls12",
  "leaf": {
    "dns-names": [
      "*.google.com",
      "*.appengine.google.com",
      "*.bdn.dev",
      "*.cloud.google.com",
      "*.crowdsource.google.com",
      "*.datacompute.google.com",
      "*.google.ca",
      "*.google.cl",
      "*.google.co.in",
      "*.google.co.jp",
      "*.google.co.uk",
      "*.google.com.ar",
      "*.google.com.au",
      "*.google.com.br",
      "*.google.com.co",
      "*.google.com.mx",
      "*.google.com.tr",
      "*.google.com.vn",
      "*.google.de",
      "*.google.es",
      "*.google.fr",
      "*.google.hu",
      "*.google.it",
      "*.google.nl",
      "*.google.pl",
      "*.google.pt",
      "*.googleadapis.com",
      "*.googleapis.cn",
      "*.googlevideo.com",
      "*.gstatic.cn",
      "*.gstatic-cn.com",
      "googlecnapps.cn",
      "*.googlecnapps.cn",
      "googleapps-cn.com",
      "*.googleapps-cn.com",
      "gkecnapps.cn",
      "*.gkecnapps.cn",
      "googledownloads.cn",
      "*.googledownloads.cn",
      "recaptcha.net.cn",
      "*.recaptcha.net.cn",
      "recaptcha-cn.net",
      "*.recaptcha-cn.net",
      "widevine.cn",
      "*.widevine.cn",
      "ampproject.org.cn",
      "*.ampproject.org.cn",
      "ampproject.net.cn",
      "*.ampproject.net.cn",
      "google-analytics-cn.com",
      "*.google-analytics-cn.com",
      "googleadservices-cn.com",
      "*.googleadservices-cn.com",
      "googlevads-cn.com",
      "*.googlevads-cn.com",
      "googleapis-cn.com",
      "*.googleapis-cn.com",
      "googleoptimize-cn.com",
      "*.googleoptimize-cn.com",
      "doubleclick-cn.net",
      "*.doubleclick-cn.net",
      "*.fls.doubleclick-cn.net",
      "*.g.doubleclick-cn.net",
      "doubleclick.cn",
      "*.doubleclick.cn",
      "*.fls.doubleclick.cn",
      "*.g.doubleclick.cn",
      "dartsearch-cn.net",
      "*.dartsearch-cn.net",
      "googletraveladservices-cn.com",
      "*.googletraveladservices-cn.com",
      "googletagservices-cn.com",
      "*.googletagservices-cn.com",
      "googletagmanager-cn.com",
      "*.googletagmanager-cn.com",
      "googlesyndication-cn.com",
      "*.googlesyndication-cn.com",
      "*.safeframe.googlesyndication-cn.com",
      "app-measurement-cn.com",
      "*.app-measurement-cn.com",
      "gvt1-cn.com",
      "*.gvt1-cn.com",
      "gvt2-cn.com",
      "*.gvt2-cn.com",
      "2mdn-cn.net",
      "*.2mdn-cn.net",
      "googleflights-cn.net",
      "*.googleflights-cn.net",
      "admob-cn.com",
      "*.admob-cn.com",
      "*.gstatic.com",
      "*.metric.gstatic.com",
      "*.gvt1.com",
      "*.gcpcdn.gvt1.com",
      "*.gvt2.com",
      "*.gcp.gvt2.com",
      "*.url.google.com",
      "*.youtube-nocookie.com",
      "*.ytimg.com",
      "android.com",
      "*.android.com",
      "*.flash.android.com",
      "g.cn",
      "*.g.cn",
      "g.co",
      "*.g.co",
      "goo.gl",
      "www.goo.gl",
      "google-analytics.com",
      "*.google-analytics.com",
      "google.com",
      "googlecommerce.com",
      "*.googlecommerce.com",
      "ggpht.cn",
      "*.ggpht.cn",
      "urchin.com",
      "*.urchin.com",
      "youtu.be",
      "youtube.com",
      "*.youtube.com",
      "youtubeeducation.com",
      "*.youtubeeducation.com",
      "youtubekids.com",
      "*.youtubekids.com",
      "yt.be",
      "*.yt.be",
      "android.clients.google.com",
      "developer.android.google.cn",
      "developers.android.google.cn",
      "source.android.google.cn"
    ],
    "issuer-common-name": "GTS CA 1C3",
    "subject-common-name": "*.google.com",
    "issuer-organization": [
      "Google Trust Services LLC"
    ]
  },
  "chain": [
    {
      "issuer-common-name": "GTS Root R1",
      "subject-common-name": "GTS CA 1C3",
      "issuer-organization": [
        "Google Trust Services LLC"
      ],
      "subject-organization": [
        "Google Trust Services LLC"
      ]
    },
    {
      "issuer-common-name": "GlobalSign Root CA",
      "subject-common-name": "GTS Root R1",
      "issuer-organization": [
        "GlobalSign nv-sa"
      ],
      "subject-organization": [
        "Google Trust Services LLC"
      ]
    }
  ]
}

Input target / list improvements

Currently supported input:

  • host (1.1.1.1, example.com)

Additional format to support:

  • host:port (1.1.1.1:443, example.com:443)
  • scheme:host (https://1.1.1.1, https://example.com, http://example.com)
  • scheme:host:port (https://1.1.1.1:443, http://example.com:443, https://example.com:443)
  • all above for IPv6
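
The formats listed above can be normalized by one parser. The following is an added example (not tlsx's own input handling): it accepts host, host:port, scheme://host and scheme://host:port for hostnames, IPv4 and IPv6 literals, and returns a host/port pair ready for net.Dial. The design choices are assumptions: an explicit port always wins, otherwise the caller's default port is used whatever the scheme (the scheme is only stripped, since tlsx already has a -p flag for the port), and a bare host containing colons must parse as an IPv6 address.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// Target is the normalized form of one input line: the host (name or IP
// literal, without brackets) and the TCP port to connect to.
type Target struct {
	Host string
	Port string
}

// Address returns the dial string; net.JoinHostPort re-adds the brackets an
// IPv6 literal needs ("[::1]:443").
func (t Target) Address() string {
	return net.JoinHostPort(t.Host, t.Port)
}

// ParseTarget accepts host, host:port, scheme://host and scheme://host:port
// for hostnames, IPv4 and IPv6 literals. An explicit port always wins;
// otherwise defaultPort is used regardless of scheme (assumption: the scheme
// is stripped, since the port is governed by the -p flag).
func ParseTarget(input, defaultPort string) (Target, error) {
	raw := strings.TrimSpace(input)
	if raw == "" {
		return Target{}, fmt.Errorf("empty target")
	}

	hostport := raw
	if strings.Contains(raw, "://") {
		u, err := url.Parse(raw)
		if err != nil {
			return Target{}, fmt.Errorf("parse %q: %w", raw, err)
		}
		// u.Host keeps "[::1]:443" and "example.com:8443" intact and drops
		// any path, query or fragment.
		hostport = u.Host
	}

	host, port, err := net.SplitHostPort(hostport)
	if err != nil {
		// No port present: a bare hostname, an IPv4 literal, or an IPv6
		// literal with or without brackets ("::1" fails SplitHostPort with
		// "too many colons", "[::1]" with "missing port").
		host = strings.TrimSuffix(strings.TrimPrefix(hostport, "["), "]")
		port = defaultPort
	}
	if host == "" {
		return Target{}, fmt.Errorf("no host in %q", raw)
	}
	if strings.ContainsAny(host, "/ \t") {
		return Target{}, fmt.Errorf("invalid host %q", host)
	}
	// A host with colons is only valid if it really is an IPv6 address;
	// this rejects malformed input such as "bad:port:".
	if strings.Contains(host, ":") && net.ParseIP(host) == nil {
		return Target{}, fmt.Errorf("invalid IPv6 literal %q", host)
	}
	if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
		return Target{}, fmt.Errorf("invalid port %q in %q", port, raw)
	}
	return Target{Host: host, Port: port}, nil
}

func main() {
	// Constructed inputs covering each of the formats from the issue, plus
	// two malformed ones.
	inputs := []string{
		"1.1.1.1", "example.com:443", "https://1.1.1.1", "http://example.com:443",
		"https://[2606:4700:4700::1111]:443", "2606:4700:4700::1111",
		"bad:port:", "example.com:99999",
	}
	for _, in := range inputs {
		t, err := ParseTarget(in, "443")
		if err != nil {
			fmt.Printf("%-38s -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%-38s -> dial %s\n", in, t.Address())
	}
}
```

The IPv6 cases are the ones that usually break naive "split on the last colon" parsers: an unbracketed literal has no port by definition, and a bracketed one must be unwrapped before validation and re-wrapped by Address() for dialing.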

TLS Connection improvements

Example host: 209.17.116.160

TLSX Run:

echo 209.17.116.160 | tlsx -silent -v

[INF] Processing input 209.17.116.160:443
[WRN] Could not connect input 209.17.116.160:443: could not connect to host: could not do handshake: remote error: tls: internal error

As we see above, 209.17.116.160 failed to connect, but it is also available as part of the Shodan scan shared below:

Shodan: https://www.shodan.io/host/209.17.116.160#443

File input and bruteforce support to SNI flag

Please describe your feature request:

Extend the sni CLI flag to support file input so that it can be used to bruteforce the SNI field when making a TLS connection.

Describe the use case of this feature:

A faster and more cost-effective (saves HTTP requests) way to detect virtual hosts.

echo 142.251.42.110 | tlsx -vc -tps -sni "*.google.com" # CLI Input
echo hackerone.com | tlsx  -tps -silent -sni sni.txt # File Input

$ cat sni_list.txt
a
b
c
d
localhost
*.google.com

echo hackerone.com | tlsx -vc -sni sni_list.txt -tps -silent

142.251.42.110:443 [failed] [a]
142.251.42.110:443 [failed] [b]
142.251.42.110:443 [failed] [c]
142.251.42.110:443 [failed] [d]
142.251.42.110:443 [failed] [localhost]
142.251.42.110:443 [success] [*.google.com]

  • SNI Input iteration (optional)
  • SNI Input display (optional)
  • SNI JSON field (default)

Note:

Reuse a TLS connection to brute force a sni list

Reference:

Add an option to dump the whole certificate (PEM format)

It would be great to add an option to enable the dump of the certificates. Something like:

$ echo 8.8.8.8 | ./tlsx -json -certs -tc | jq .
{
  "timestamp": "2022-06-27T15:16:45.455002342+02:00",
  "host": "8.8.8.8",
  "port": "443",
  "tls-version": "tls13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  [...]
  "certificate": "-----BEGIN CERTIFICATE-----\n[...]"
  "chain": [
    {
      "certificate": "-----BEGIN CERTIFICATE-----\n[...]",
      [...]
    },
    {
      "certificate": "-----BEGIN CERTIFICATE-----\n[...]",
      [...]
    }
  ],
  [...]
}

That would be useful for tools such as IVRE that store this data.
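
The JSON shape sketched above is straightforward to produce from what crypto/tls already hands back. The following is an added example, not tlsx's or IVRE's code: it re-encodes each certificate's raw DER (cert.Raw, exactly the bytes the server sent) as PEM and places the leaf under "certificate" and the intermediates under "chain". The struct and field names are assumptions for this example; to run offline it builds a constructed two-certificate chain (a throwaway CA and a leaf it signs) in place of a real ConnectionState().PeerCertificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertOutput mirrors the shape in the issue: leaf PEM under "certificate",
// one PEM per intermediate under "chain". Field names are assumptions.
type CertOutput struct {
	Host        string       `json:"host"`
	Port        string       `json:"port"`
	SubjectCN   string       `json:"subject-common-name"`
	Certificate string       `json:"certificate"`
	Chain       []ChainEntry `json:"chain,omitempty"`
}

type ChainEntry struct {
	SubjectCN   string `json:"subject-common-name"`
	Certificate string `json:"certificate"`
}

// CertToPEM wraps the DER the TLS stack already holds (c.Raw), so the dump
// is byte-for-byte what the peer presented, not a re-serialization.
func CertToPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// BuildOutput takes the peer chain in the order crypto/tls exposes it in
// ConnectionState().PeerCertificates (leaf first, then intermediates).
func BuildOutput(host, port string, peer []*x509.Certificate) (CertOutput, error) {
	if len(peer) == 0 {
		return CertOutput{}, fmt.Errorf("no certificates presented by %s:%s", host, port)
	}
	out := CertOutput{Host: host, Port: port,
		SubjectCN: peer[0].Subject.CommonName, Certificate: CertToPEM(peer[0])}
	for _, c := range peer[1:] {
		out.Chain = append(out.Chain, ChainEntry{SubjectCN: c.Subject.CommonName, Certificate: CertToPEM(c)})
	}
	return out, nil
}

// newConstructedChain builds a throwaway CA and a leaf it signs so that the
// example runs offline; a real run would take the chain from the connection.
func newConstructedChain() ([]*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Constructed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"},
		DNSNames: []string{"leaf.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

// Demo produces the output structure for the constructed chain.
func Demo() (CertOutput, error) {
	chain, err := newConstructedChain()
	if err != nil {
		return CertOutput{}, err
	}
	return BuildOutput("leaf.example", "443", chain)
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b))
}
```

Because the PEM is produced from Raw, a consumer such as IVRE can parse it back and re-run chain verification against its own trust store, which is the point of storing the full certificate rather than only extracted fields.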

SNI bruteforce "wildcard" handling

Please describe your feature request:

With #46, tlsx allows SNI brute-forcing. Unfortunately, similar to DNS, SNI also comes with wildcard FQDN input support, and it is required to detect and filter the host when performing SNI bruteforce.

Example host with wildcard SNI input support:

echo google.com | tlsx -silent -sni $(seq 1 20 | awk '{print "invalid"$1".com,"}' | tr -d '\n\r' )

Describe the use case of this feature:

Automatic filtering of hosts with wildcard SNI input list.

Scan Strategy with automatic ztls fallback

Description

I'm proposing a third type of scan with automatic selection of ztls/tls depending on the server requested TLS version:

  1. Perform by default an initial complete connect with tls. Hopefully, this will ensure we select lightweight TLS1.3 while at the same time retaining the capability of lowering the version with compatible ciphers down to SSLv3 within the same connection
  2. On the specific error of unsupported TLS version, attempt a new connection with ztls
  3. Track in the output structure which engine was used for enumeration. In this way, we would know:
  • How many hosts could be enumerated with ztls only
  • How many hosts with tls only (if the server minimum required tls version is TLS1.3)

   -sm, -scan-mode string       tls connection mode to use (ctls, ztls, auto) (default tls)

Notes

Probably TLS1.3 is not yet so well adopted, but performing recon with it would somehow optimize the roundtrip time.
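
The three steps of the proposal reduce to a small dispatch policy: try crypto/tls, retry with ztls only when the failure is a version problem, and record which engine answered. The following is an added example of that policy, not tlsx's auto mode. It assumes an Engine interface shared by both stacks, and classifies a failure as a version error by two substrings that crypto/tls itself emits ("server selected unsupported protocol version" and the peer's "tls: protocol version" alert); anything else, such as a timeout or a handshake failure, is not retried. The two engines are constructed fakes driven by a table so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Engine is the minimal surface both stacks share (assumed interface):
// "ctls" stands for crypto/tls, "ztls" for the fork with legacy-version support.
type Engine interface {
	Name() string
	Connect(host, port string) (Result, error)
}

// Result carries what the issue asks to track: which engine produced it.
type Result struct {
	Host, Port string
	Version    string
	Engine     string
}

// IsVersionError classifies failures that justify a retry with ztls. The
// two substrings are crypto/tls's messages for "server picked a version we
// do not speak" and for the peer's protocol_version alert.
func IsVersionError(err error) bool {
	if err == nil {
		return false
	}
	msg := err.Error()
	return strings.Contains(msg, "unsupported protocol version") ||
		strings.Contains(msg, "tls: protocol version")
}

// AutoConnect implements the proposed scan mode: primary (crypto/tls) first,
// fallback (ztls) only on a version error, engine name recorded either way.
func AutoConnect(primary, fallback Engine, host, port string) (Result, error) {
	res, err := primary.Connect(host, port)
	if err == nil {
		res.Engine = primary.Name()
		return res, nil
	}
	if !IsVersionError(err) {
		// Not a version mismatch: retrying with another stack would only
		// double the connection count for the same outcome.
		return Result{}, fmt.Errorf("%s: %w", primary.Name(), err)
	}
	res, ferr := fallback.Connect(host, port)
	if ferr != nil {
		return Result{}, fmt.Errorf("%s: %v; %s: %w", primary.Name(), err, fallback.Name(), ferr)
	}
	res.Engine = fallback.Name()
	return res, nil
}

// fakeEngine stands in for the real stacks so the example runs offline: it
// answers from a constructed host -> outcome table ("ERR:<msg>" = failure).
type fakeEngine struct {
	name    string
	answers map[string]string
}

func (f fakeEngine) Name() string { return f.name }

func (f fakeEngine) Connect(host, port string) (Result, error) {
	a, ok := f.answers[host]
	if !ok {
		return Result{}, errors.New("dial tcp: i/o timeout")
	}
	if strings.HasPrefix(a, "ERR:") {
		return Result{}, errors.New(strings.TrimPrefix(a, "ERR:"))
	}
	return Result{Host: host, Port: port, Version: a}, nil
}

// ConstructedEngines returns the fake pair used by main and by the test.
func ConstructedEngines() (Engine, Engine) {
	ctls := fakeEngine{"ctls", map[string]string{
		"modern.example": "tls13",
		"legacy.example": "ERR:tls: server selected unsupported protocol version 300",
		"broken.example": "ERR:remote error: tls: handshake failure",
	}}
	ztls := fakeEngine{"ztls", map[string]string{
		"modern.example": "tls12",
		"legacy.example": "ssl30",
		"broken.example": "ERR:remote error: tls: handshake failure",
	}}
	return ctls, ztls
}

func main() {
	ctls, ztls := ConstructedEngines()
	for _, h := range []string{"modern.example", "legacy.example", "broken.example", "nowhere.example"} {
		res, err := AutoConnect(ctls, ztls, h, "443")
		if err != nil {
			fmt.Printf("%-16s error: %v\n", h, err)
			continue
		}
		fmt.Printf("%-16s %s via %s\n", h, res.Version, res.Engine)
	}
}
```

Keeping the classifier narrow is what makes the engine counter meaningful: a host that only ever fails the handshake is reported as such, rather than being counted as "enumerated with ztls only".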

go install command does not download the current version.

Hi team,
go install command does not download the current version.
example:
go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest
normally it should download the released version 0.0.7 but it downloads version 0.0.6.
I tested it on different devices and it won't download the latest version. Can you please check?
Best Regards.

Certificate matching doesn't seem to be implemented correctly

Reference: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3

Initial tests are implemented at c5065af with a few commented-out tests that are not covered by the current implementation and need to be fixed.

		/* TODO enable these tests once the functionality is corrected #76
		{args{host: "baz1.example.net", names: []string{"baz*.example.net"}}, false},
		{args{host: "foobaz.example.net", names: []string{"*baz.example.net"}}, false},
		{args{host: "buzz.example.net", names: []string{"b*z.example.net"}}, false},
		*/

		// negative scenarios
		/* TODO enable these tests once the functionality is corrected #76
		{args{host: "subdomain.target.com", names: []string{"other-target.com", "subdomain.target.*"}}, true},
		{args{host: "subdomain.target.com", names: []string{"subdomain.*.com", "other-target.com"}}, true},
		*/

  • Fix current implementation to cover all the cases
  • Uncomment tests after fixing and ensure all tests are passing.
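
The commented-out cases follow directly from RFC 6125 section 6.4.3: a wildcard is only meaningful in the left-most label, it never spans a label boundary, and a partial left-most label such as "baz*.example.net" may be honoured (rule 3), while "subdomain.target.*" and "subdomain.*.com" must not match anything. The following is an added example of a matcher with those semantics, not tlsx's implementation or its fix for #76. Two choices beyond the RFC text are assumptions: an identifier with fewer than two labels after the wildcard ("*.com") is rejected, and an IP-address reference identifier only ever matches exactly.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// MatchHostname reports whether one presented identifier (a dNSName SAN or
// a CN) covers the reference hostname under RFC 6125 section 6.4.3: labels
// compare case-insensitively, a wildcard may appear only in the left-most
// label and only once, and it never spans a label boundary. A partial
// left-most label ("baz*.example.net") is honoured as rule 3 permits.
func MatchHostname(host, pattern string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	if host == "" || pattern == "" {
		return false
	}
	// Assumption: an IP reference identifier never matches via a wildcard.
	if net.ParseIP(host) != nil || !strings.Contains(pattern, "*") {
		return host == pattern
	}

	hostLabels := strings.Split(host, ".")
	patLabels := strings.Split(pattern, ".")
	// The wildcard stands for exactly one label, so label counts must agree;
	// this is what stops "*.example.com" from covering "a.b.example.com".
	if len(hostLabels) != len(patLabels) {
		return false
	}
	// Assumption: at least two labels must follow the wildcard label, so
	// "*.com" is rejected (stricter than the RFC text, common in clients).
	if len(patLabels) < 3 {
		return false
	}
	// Only the left-most label may carry the wildcard, and only one of them.
	for _, l := range patLabels[1:] {
		if strings.Contains(l, "*") {
			return false
		}
	}
	if strings.Count(patLabels[0], "*") != 1 {
		return false
	}
	for i := 1; i < len(patLabels); i++ {
		if hostLabels[i] != patLabels[i] {
			return false
		}
	}
	return matchLabel(hostLabels[0], patLabels[0])
}

// matchLabel handles the left-most label: "*" matches any non-empty label,
// "pre*suf" matches a label carrying that prefix and suffix.
func matchLabel(label, pat string) bool {
	if label == "" {
		return false
	}
	star := strings.Index(pat, "*")
	prefix, suffix := pat[:star], pat[star+1:]
	return len(label) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(label, prefix) && strings.HasSuffix(label, suffix)
}

// MatchAny is the form a verifier needs: does any presented name cover host?
func MatchAny(host string, names []string) bool {
	for _, n := range names {
		if MatchHostname(host, n) {
			return true
		}
	}
	return false
}

func main() {
	// The issue's own cases plus a few classic ones.
	cases := []struct {
		host  string
		names []string
	}{
		{"baz1.example.net", []string{"baz*.example.net"}},
		{"foobaz.example.net", []string{"*baz.example.net"}},
		{"buzz.example.net", []string{"b*z.example.net"}},
		{"subdomain.target.com", []string{"other-target.com", "subdomain.target.*"}},
		{"subdomain.target.com", []string{"subdomain.*.com", "other-target.com"}},
		{"a.b.example.com", []string{"*.example.com"}},
		{"example.com", []string{"*.com"}},
	}
	for _, c := range cases {
		fmt.Printf("%-22s vs %-42v -> %v\n", c.host, c.names, MatchAny(c.host, c.names))
	}
}
```

The three "negative scenario" checks in the matcher (label count, wildcard position, wildcard count) are the ones that matter for security: a matcher that lets "subdomain.target.*" or "*" alone match would accept a certificate issued for a different domain entirely.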

custom ciphers input support

To make a TLS connection with custom / desired ciphers, a new CLI flag can be added as follows:

CLI Flag:

   -ci, -cipher-input string  ciphers to use with tls connection (INPUT_1,INPUT_2,INPUT_FILE)

Example:

echo google.com | tlsx -ci TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
echo google.com | tlsx -ci cipher_list.txt

Note: this is already supported in nuclei (SSL protocol)

resolvedIP does not return ip address when hostname is used

tlsx version:

main | dev

Current Behaviour:

When using ConnectWithOptions with the hostname hackerone.com, resolvedIP does not return the IP; instead it returns the hostname itself.

Expected Behaviour:

Whether the input type is a hostname or an IP, resolvedIP should always return the IP address of the connection.

Remediation

The IP address of the hostname can be obtained using rawConn.RemoteAddr().String()

Failed handshake failure

tlsx version:

dev,master

Current Behavior:

echo dh-composite.badssl.com | tlsx -silent -tps -json | jq .

{
  "host": "dh-composite.badssl.com",
  "port": "443",
  "probe_status": false,
  "error": "could not do handshake: remote error: tls: handshake failure"
}

Expected Behavior:

curl https://dh-composite.badssl.com -v

*   Trying 104.154.89.105:443...
* Connected to dh-composite.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.badssl.com
*  start date: May 17 14:07:56 2022 GMT
*  expire date: Aug 15 14:07:55 2022 GMT
*  subjectAltName: host "dh-composite.badssl.com" matched cert's "*.badssl.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Default option updates

Please describe your feature request:

  • enable -ac, -all-ciphers as default
  • update -sm, -scan-mode default ctls to auto

Describe the use case of this feature:

To avoid cases like #65

TLS Connection errors investigation

  • remote error: internal error

echo 209.17.116.160 | tlsx -silent -v

[INF] Processing input 209.17.116.160:443
[WRN] Could not connect input 209.17.116.160:443: could not connect to host: could not do handshake: remote error: tls: internal error

https://www.shodan.io/host/209.17.116.160#443

  • could not do handshake: EOF (works with openssl)

echo 1.6.23.18 | tlsx -silent -v

[INF] Processing input 1.6.23.18:443
[WRN] Could not connect input 1.6.23.18:443: could not connect to host: could not do handshake: EOF

  • remote error: tls: handshake

echo 1.0.0.102 | tlsx -silent -v

[INF] Processing input 1.0.0.102:443
[WRN] Could not connect input 1.0.0.102:443: could not connect to host: could not do handshake: remote error: tls: handshake failure

  • oversized record received with length XXXX

echo 1.2.220.218 | tlsx -silent -v -sm ztls

[INF] Processing input 1.2.220.218:443
[WRN] Could not connect input 1.2.220.218:443: could not connect to host: could not do tls handshake: tls: oversized record received with length 20527

  • tls: bad certificate (works with openssl)

echo 24.196.75.118 | tlsx -silent -v

[INF] Processing input 24.196.75.118:443
[WRN] Could not connect input 24.196.75.118:443: could not connect to host: could not do handshake: remote error: tls: bad certificate

  • tls: unrecognized name

echo 4.4.89.33 | tlsx -silent -v

[INF] Processing input 4.4.89.33:443
[WRN] Could not connect input 4.4.89.33:443: could not connect to host: could not do handshake: remote error: tls: unrecognized name

  • remote error: alert(112)

echo 4.4.89.33 | tlsx -silent -sm auto -v

[INF] Processing input 4.4.89.33:443
[WRN] Could not connect input 4.4.89.33:443: could not connect to host: could not do tls handshake: remote error: alert(112)

Add support for AS identifiers

Please describe your feature request:

$ echo "AS1449" | tlsx -san -cn -silent
...

Should result in tlsx scanning all the IP ranges announced by AS1449.

Describe the use case of this feature:

Attack surface management/recon.

false negative result - incorrectly states TLS version support

tlsx version:

v0.0.6

Current Behavior:

I am trying to check the version support for all my subdomains. There are a few subdomains I know are running on TLS 1.1 and 1.0, but tlsx returns TLS1.2 on them when used via the -sv flag.
testssl shows TLS1.0 is supported, but tlsx does not.

Expected Behavior:

Minimum tls version supported should be shown correctly.

Steps To Reproduce:

NA

Anything else:

Support for delay between TLS connection

Please describe your feature request:

   -d, -delay int              delay between each tls connection in seconds

Describe the use case of this feature:

To ensure and control the connection speed, it would be useful to control the TLS connection speed. It should be mutually exclusive with connection pooling (#43).

Fallback mechanism for SNI value to use in case of IP input

tlsx version:

dev/main

Please describe your feature request:

Different servers behave differently, depending on their requirements, when it comes to the SNI value to use with a TLS connection when connecting to an IP directly.

echo 45.60.13.153 | go run  . -json -tps | jq . # requires empty SNI
echo 142.251.42.110 | go run  . -json -tps | jq . # requires random SNI

As of #123, an empty SNI is used when connecting to an IP, and a random SNI can be passed using the -random-sni option, following the default behavior of curl when it comes to TLS connections with IP input.

As the purpose of tlsx is to connect to as many hosts as possible, we need to implement a fallback mechanism to use the appropriate SNI value, which requires further research to collect all the possible errors to implement the fallback mechanism effectively.

Wrong IP reported in case of custom IP provided

tlsx version:

main|master and dev

Current Behavior:

TLSX as a library reports the wrong dialed IP (the fastdialer lookup is performed on the domain name and will always report the first dialed IP)

Expected Behavior:

A custom IP should be used, if provided, at the following locations:

https://github.com/projectdiscovery/tlsx/blob/3d5172c6c493efcab4efb836e374a2b5d432e9fc/pkg/tlsx/tls/tls.go#L120
https://github.com/projectdiscovery/tlsx/blob/3d5172c6c493efcab4efb836e374a2b5d432e9fc/pkg/tlsx/ztls/ztls.go#L135
https://github.com/projectdiscovery/tlsx/blob/3d5172c6c493efcab4efb836e374a2b5d432e9fc/pkg/tlsx/openssl/openssl.go#L95

How to reproduce

Using the issue-2141-scan-all-ips branch in nuclei

$ echo https://hackerone.com | go run . -id tls-version -sa -iv 4 -json -rl 1 -c 1 -bs 1 -v
...
[VER] Sent SSL request to hackerone.com:443
{"template":"\\ssl\\tls-version.yaml","template-url":"https://github.com/projectdiscovery/nuclei-templates/blob/master/\\ssl\\tls-version.yaml","template-id":"tls-version","info":{"name":"TLS Version","author":["pdteam"],"tags":["ssl"],"reference":null,"severity":"info"},"type":"ssl","host":"hackerone.com","matched-at":"hackerone.com","extracted-results":["tls13"],"ip":"104.16.100.52","timestamp":"2022-11-04T21:30:04.673107+01:00","matcher-status":true,"matched-line":null}
[VER] Sent SSL request to hackerone.com:443
{"template":"\\ssl\\tls-version.yaml","template-url":"https://github.com/projectdiscovery/nuclei-templates/blob/master/\\ssl\\tls-version.yaml","template-id":"tls-version","info":{"name":"TLS Version","author":["pdteam"],"tags":["ssl"],"reference":null,"severity":"info"},"type":"ssl","host":"hackerone.com","matched-at":"hackerone.com","extracted-results":["tls13"],"ip":"104.16.100.52","timestamp":"2022-11-04T21:30:04.7559573+01:00","matcher-status":true,"matched-line":null}
