prbinu / tls-scan

An Internet scale, blazing fast SSL/TLS scanner ( non-blocking, event-driven )
https://prbinu.github.io/tls-scan

Scan Behavior #29

Closed rrioux closed 5 years ago

rrioux commented 5 years ago

I ran a full test (all cipher/protocols) against some of my company's domains, and they said it brought down one of their repo servers. Apparently it made enough calls to kill the service.

Question - does tls-scan iterate through all the cipher suites to enumerate the supported ones? If so, is there another way that such data could be retrieved?

I find it hard to believe it is that hard on the target. I haven't done a packet capture or examined http/s logs yet, just wanted to get a high level understanding first.

Thanks!

prbinu commented 5 years ago

tls-scan is designed to scan thousands of servers concurrently, but that being said, it can also be used to scan a single server. For single-server scans, the tool attempts to make a large number of concurrent connections (no. of conn == total no. of ciphers). Here are a few CLI options you can enable to control the speed (but it takes more time to complete):

--sleep=<number> Add milliseconds delay between the connections. Only for --cipher-enum and --version-enum options. Useful to manage server rate-limits. The max sleep value is 60000 (1 minute). Default: 0.

--no-parallel-enum Disable parallel cipher and TLS version enumeration. Parallel scan is performed only with the --connect option. This will serialize the cipher scan and takes more time to complete.

In addition, you can also scan ciphers selectively using the --ciphers option.

PS: the server you are scanning seems vulnerable to DoS attacks.
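The behaviour prbinu describes above (one TLS handshake per cipher suite, all opened at once for a single host, versus serialized with a delay under --no-parallel-enum and --sleep) as an added illustration in Python. This is not tls-scan's code and does not use its options; it is a standalone sketch that probes ciphers with the standard `ssl` module and counts how many connections the target sees and how many are in flight at once. The cipher list, the `example.invalid` host and the offline fake probe used by `demo()` are constructed for the example.

```python
"""Serialized vs. parallel TLS cipher enumeration (added illustration,
not tls-scan's own code). One TCP+TLS connection per cipher suite is the
load a cipher enumeration puts on the target; the two enumerate_* methods
differ only in how many of those connections are open at the same time."""
import socket
import ssl
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed sample list of OpenSSL cipher names, not the full set a
# scanner would try. For a real run, ssl.create_default_context().get_ciphers()
# gives the suites the local OpenSSL build can offer.
SAMPLE_CIPHERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES256-SHA",
    "DES-CBC3-SHA",
]


def probe_cipher(host, port, cipher, timeout=5.0):
    """One TLS handshake offering a single cipher suite; True if the server
    negotiated exactly that suite, False on any failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # probing ciphers, not trust
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not cover TLS 1.3 suites
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return False                         # local OpenSSL does not know this suite
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (OSError, ssl.SSLError):
        return False


class Enumerator:
    """Runs a probe per cipher and records the load it generated."""

    def __init__(self, probe=probe_cipher):
        self._probe = probe
        self._lock = threading.Lock()
        self._active = 0
        self.connections = 0        # total connections the target saw
        self.peak_concurrency = 0   # most connections in flight at once

    def _tracked(self, host, port, cipher):
        with self._lock:
            self._active += 1
            self.connections += 1
            self.peak_concurrency = max(self.peak_concurrency, self._active)
        try:
            return self._probe(host, port, cipher)
        finally:
            with self._lock:
                self._active -= 1

    def enumerate_parallel(self, host, port, ciphers, workers=None):
        """Single-host default: one connection per cipher, all at once
        (workers=None means as many workers as there are ciphers)."""
        workers = workers or len(ciphers)
        with ThreadPoolExecutor(max_workers=workers) as pool:
            results = list(pool.map(lambda c: self._tracked(host, port, c), ciphers))
        return [c for c, ok in zip(ciphers, results) if ok]

    def enumerate_serial(self, host, port, ciphers, sleep_ms=0):
        """Serialized enumeration with a delay between handshakes, so the
        target never sees more than one in-flight connection from the scan."""
        supported = []
        for i, cipher in enumerate(ciphers):
            if i and sleep_ms:
                time.sleep(sleep_ms / 1000.0)
            if self._tracked(host, port, cipher):
                supported.append(cipher)
        return supported


def make_fake_probe(accepted, delay_s=0.02):
    """Constructed stand-in for probe_cipher so the sketch runs offline:
    pretends the server accepts only the suites in `accepted`."""
    def probe(host, port, cipher):
        time.sleep(delay_s)   # stands in for network and handshake latency
        return cipher in accepted
    return probe


def demo():
    """Both modes against the same fake server; returns (supported,
    connections, peak_concurrency) per mode."""
    accepted = {"ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"}
    par = Enumerator(make_fake_probe(accepted))
    par_ok = par.enumerate_parallel("example.invalid", 443, SAMPLE_CIPHERS)
    ser = Enumerator(make_fake_probe(accepted))
    ser_ok = ser.enumerate_serial("example.invalid", 443, SAMPLE_CIPHERS, sleep_ms=10)
    return {"parallel": (par_ok, par.connections, par.peak_concurrency),
            "serial": (ser_ok, ser.connections, ser.peak_concurrency)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # real host given: serialized, 200 ms apart
        print(Enumerator().enumerate_serial(sys.argv[1], 443, SAMPLE_CIPHERS, sleep_ms=200))
    else:
        print(demo())
```

Both modes open the same number of connections (one per cipher); the serialized mode only caps how many are open at once and spaces them out, which is why it is slower but gentler on a target that cannot absorb a burst of simultaneous handshakes.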

rrioux commented 5 years ago

So it is behaving exactly as I thought it was. And yes, that's what I told them. If this scan takes down a server, they certainly aren't ready for an actual attack.

Thanks for clearing it up, and for the tips!