Features¶

SSH¶

Differentiators¶

checks supported Diffie-Hellman (group exchange) key sizes
checks supported host certificates, X.509 certificates and chains
analyzes server protocol version string to identify application server vendor and version

Versions¶

SSH 2.0

Analyzers¶

Supported analyzers by cryptographic protocol versions

Analyzers	SSH 2.0
Cipher Suites (`ciphers`)	✓
Diffie-Hellman parameters (`dhparams`)	✓
Host Keys, Host/X.509 Certificates and Chains (`pubkeys`) \| ✓
Vulnerabilities (`vulns`) \| ✓

Vulnerabilities¶

SSL/TLS¶

Differentiators¶

checks 10+ application layer protocols with opportunistic TLS capability
checks 400+ cipher suites, more than discussed on ciphersuite.info, or supported by GnuTls, LibreSSL, OpenSSL, or wolfSSL
checks GOST (national standards of the Russian Federation and CIS countries) cipher suites
checks post-quantum elliptic curves (Kyber)
checks TLS 1.3 draft versions, not just finnal version
checks whether Diffie-Hellman
- public parameter is a safe prime
- public parameter is defined in an RFC (e.g., FFDHE, MODP) or used by an application server as a builtin parameter
- key exchange supports RFC 7919 (FFDHE)
- key is reused

Analyzers¶

Supported analyzers by cryptographic protocol versions

Analyzers	SSL		TLS
	2.0	3.0	1.0	1.1	1.2	1.3
Cipher Suites (`ciphers`)	✓	✓	✓	✓	✓	✓
X.509 Public Keys (`pubkeys`)	✓	✓	✓	✓	✓	✗
X.509 Public Keys Request (`pubkeyreq`)	n/a	✓	✓	✓	✓	✗
Elliptic-Curves (`curves`)	n/a	n/a	✓	✓	✓	✓
Diffie-Hellman parameters (`dhparams`)	n/a	n/a	✓	✓	✓	✓
Signature Algorithms (`sigalgos`)	n/a	n/a	n/a	✓	✓	✓
Extensions (`extensions`)	n/a	n/a	n/a	n/a	✓	✓
Vulnerabilities (`vulns`)	n/a	n/a	n/a	n/a	n/a	n/a
Simulations (`simulations`)	n/a	n/a	n/a	n/a	n/a	n/a

Versions¶

Transport Layer
- Secure Socket Layer (SSL)
  - SSL 2.0
  - SSL 3.0
- Transport Layer Security (TLS)
  - TLS 1.0
  - TLS 1.1
  - TLS 1.2
  - TLS 1.3
Application Layer
- FTP
- IMAP
- LDAP
- LMTP
- MySQL
- NNTP
- OpenVPN
- POP3
- PostgreSQL
- RDP
- Sieve
- SMTP
- XMPP (Jabber)

Opportunistic TLS or STARTTLS) is an extension of an application layer protocol, whichs offer a way to upgrade a plain text connection to an encrypted ione without using a separate port.

Extensions¶

Public Keys¶

validation against notable trusted root CA certificates stores
- Apple
- Google
- Microsoft
- Mozilla
revocation check
- certificate Revocation List (CRL)
- certificate status (OCSP, OCSP stapling)
extensions
- TLS feature (e.g. OCSP must staple)
- extended validation
certificate transparency (CT)
- timestamp information
- transparency log information

Vulnerabilities¶

Simulated Clients¶

TLS
- Chromium
- Firefox
- Opera

Fingerprinting¶

generates JA3 tag of any connecting TLS client independently from its type (graphical/cli, browser/email client/…)
- FTP
- LDAP
- LMTP
- MySQL
- NNTP
- OpenVPN
- POP3
- PostgreSQL
- RDP
- Sieve
- SMTP
decodes existing JA3 tags by showing human-readable format of the TLS parameters represented by the tag
generates HASSH tag) of SSH clients

Hypertext Transfer Protocol (HTTP)¶

Analyzers¶

Headers¶

generic headers
- Content-Type
- NEL (Network Error Logging)
- Server
- Set-Cookie
caching headers
- Age
- Cache-Control
- Date
- ETag
- Expires
- Last-Modified
- Pragma
security headers

DNS¶

Differentiators¶

extract (public key) and analyze (key type, size) DNSSEC signing keys

Analyzers¶

e-mail authentication, reporting related records
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- SMTP MTA Strict Transport Security (MTA-STS)
- SMTP TLS Reporting (TLSRPT)
DNSSEC records
- DNSKEY
- DS
- RRSIG

CryptoLyzer

Navigation

Related Topics

Features¶

SSH¶

Differentiators¶

Versions¶

Analyzers¶

Vulnerabilities¶

SSL/TLS¶

Differentiators¶

Analyzers¶

Versions¶

Extensions¶

Public Keys¶

Vulnerabilities¶

Simulated Clients¶

Fingerprinting¶

Hypertext Transfer Protocol (HTTP)¶

Analyzers¶

Headers¶

DNS¶

Differentiators¶

Analyzers¶