Replies: 2 comments 1 reply
-
|
@PolarPeak, you can choose specific type of ciphers to scan for, in this case you are looking for weak. tlsx -h ct
Usage:
tlsx [flags]
Flags:
-ct, -cipher-type value ciphers types to enumerate (all/secure/insecure/weak) (default all) |
Beta Was this translation helpful? Give feedback.
-
|
When I executed "./tlsx -u xxx -ce -ct weak," I did not get the desired result. I was unable to find "TLS_RSA_WITH_RC4_128_SHA." When I execute ./tlsx -u xxx -ce -j, I see related content in insecure, I don’t understand |
Beta Was this translation helpful? Give feedback.
-
|
The To identify weak ciphers from the output: # List all ciphers and flag weak ones
echo "xxx.com" | tlsx -ce -json | jq '.cipher_enum[]' | while read cipher; do
cipher=$(echo $cipher | tr -d '"')
if echo "$cipher" | grep -qiE 'RC4|DES|NULL|EXPORT|anon|MD5'; then
echo "WEAK: $cipher"
elif echo "$cipher" | grep -qiE 'CBC'; then
echo "MODERATE: $cipher (CBC mode - vulnerable to BEAST/Lucky13)"
else
echo "OK: $cipher"
fi
doneQuick weak cipher check: # Just show weak ciphers
echo "xxx.com" | tlsx -ce -json | jq '[.cipher_enum[] | select(test("RC4|DES|NULL|EXPORT|anon"; "i"))]'What's considered weak in 2025+:
Best practice audit: echo "xxx.com" | tlsx -ce -tv -json | jq '{host: .host, tls_versions: .tls_version, total_ciphers: (.cipher_enum | length), weak: [.cipher_enum[] | select(test("RC4|DES|NULL|EXPORT|anon"; "i"))]}' |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I used TLSx -u xxx.com -ce for detection, and when I saw the returned content, I was unsure if it listed all the encryption suites used by my website or enumerated and displayed the cipher suites supported by my HTTPS website.
Beta Was this translation helpful? Give feedback.
All reactions