mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
- more robust wrt IIS6 (some stuff better with IIS7)
- X-Powered-By is easy to remove (PHP, ASP.NET), thus labelled as yellow - same X-AspNet-Version (version # itself is brown) - better addressed address resolution failures ;-) - bumped up version to 2.4rc1
This commit is contained in:
parent
f3f3967bd1
commit
0aa8ac7e76
38
testssl.sh
38
testssl.sh
@ -10,7 +10,7 @@
|
|||||||
# Devel version is availabe from https://github.com/drwetter/testssl.sh,
|
# Devel version is availabe from https://github.com/drwetter/testssl.sh,
|
||||||
# stable version from https://testssl.sh
|
# stable version from https://testssl.sh
|
||||||
|
|
||||||
VERSION="2.3dev" # any char suffixes denotes non=stable
|
VERSION="2.4rc1" # any char suffixes denotes non=stable
|
||||||
SWURL="https://testssl.sh"
|
SWURL="https://testssl.sh"
|
||||||
SWCONTACT="dirk aet testssl dot sh"
|
SWCONTACT="dirk aet testssl dot sh"
|
||||||
|
|
||||||
@ -564,7 +564,7 @@ hpkp() {
|
|||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
emphasize_numbers_in_headers(){
|
emphasize_stuff_in_headers(){
|
||||||
# see http://www.grymoire.com/Unix/Sed.html#uh-3
|
# see http://www.grymoire.com/Unix/Sed.html#uh-3
|
||||||
# outln "$1" | sed "s/[0-9]*/$brown&$off/g"
|
# outln "$1" | sed "s/[0-9]*/$brown&$off/g"
|
||||||
outln "$1" | sed -e "s/\([0-9]\)/$brown\1$off/g" \
|
outln "$1" | sed -e "s/\([0-9]\)/$brown\1$off/g" \
|
||||||
@ -576,7 +576,10 @@ emphasize_numbers_in_headers(){
|
|||||||
-e "s/SUSE/"$yellow"SUSE$off/g" \
|
-e "s/SUSE/"$yellow"SUSE$off/g" \
|
||||||
-e "s/Red Hat Enterprise Linux/"$yellow"Red Hat Enterprise Linux$off/g" \
|
-e "s/Red Hat Enterprise Linux/"$yellow"Red Hat Enterprise Linux$off/g" \
|
||||||
-e "s/Red Hat/"$yellow"Red Hat$off/g" \
|
-e "s/Red Hat/"$yellow"Red Hat$off/g" \
|
||||||
-e "s/CentOS/"$yellow"CentOS$off/g"
|
-e "s/CentOS/"$yellow"CentOS$off/g" \
|
||||||
|
-e "s/X-Powered-By: ASP.NET/"$yellow"X-Powered-By: ASP.NET$off/g" \
|
||||||
|
-e "s/X-Powered-By/"$yellow"X-Powered-By$off/g" \
|
||||||
|
-e "s/X-AspNet-Version/"$yellow"X-AspNet-Version$off/g"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -591,7 +594,7 @@ serverbanner() {
|
|||||||
if [ x"$serverbanner" == "x\n" -o x"$serverbanner" == "x\n\r" -o x"$serverbanner" == "x" ]; then
|
if [ x"$serverbanner" == "x\n" -o x"$serverbanner" == "x\n\r" -o x"$serverbanner" == "x" ]; then
|
||||||
outln "banner exists but empty string"
|
outln "banner exists but empty string"
|
||||||
else
|
else
|
||||||
emphasize_numbers_in_headers "$serverbanner"
|
emphasize_stuff_in_headers "$serverbanner"
|
||||||
fi
|
fi
|
||||||
# mozilla.github.io/server-side-tls/ssl-config-generator/
|
# mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
# https://support.microsoft.com/en-us/kb/245030
|
# https://support.microsoft.com/en-us/kb/245030
|
||||||
@ -615,7 +618,7 @@ applicationbanner() {
|
|||||||
else
|
else
|
||||||
#cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g'
|
#cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g'
|
||||||
#sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ' | sed "s/\([0-9]\)/$pr_red\1$off/g"
|
#sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ' | sed "s/\([0-9]\)/$pr_red\1$off/g"
|
||||||
emphasize_numbers_in_headers "$(sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ')"
|
emphasize_stuff_in_headers "$(sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ')"
|
||||||
#i=0
|
#i=0
|
||||||
#cat $TMPFILE | sed 's/^/ /' | while read line; do
|
#cat $TMPFILE | sed 's/^/ /' | while read line; do
|
||||||
# out "$line"
|
# out "$line"
|
||||||
@ -696,7 +699,7 @@ moreflags() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#FIXME: I am not testting for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
#FIXME: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
@ -1273,7 +1276,7 @@ server_defaults() {
|
|||||||
# HTTP date:
|
# HTTP date:
|
||||||
printf "GET / HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client -ign_eof -connect $NODE:$PORT $SNI &>$TMPFILE
|
printf "GET / HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nConnection: Close\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client -ign_eof -connect $NODE:$PORT $SNI &>$TMPFILE
|
||||||
now=$(date "+%s")
|
now=$(date "+%s")
|
||||||
HTTP_TIME=$(awk -F': ' '/date:/ { print $2 } /Date:/ { print $2 }' $TMPFILE )
|
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $TMPFILE )
|
||||||
HTTP_TIME=$(date --date="$HTTP_TIME" "+%s")
|
HTTP_TIME=$(date --date="$HTTP_TIME" "+%s")
|
||||||
difftime=$(($now - $HTTP_TIME))
|
difftime=$(($now - $HTTP_TIME))
|
||||||
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
[[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime"
|
||||||
@ -2248,6 +2251,7 @@ renego() {
|
|||||||
insecure_renogo_str="Secure Renegotiation IS NOT"
|
insecure_renogo_str="Secure Renegotiation IS NOT"
|
||||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>&1 </dev/null | grep -iaq "$insecure_renogo_str"
|
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT 2>&1 </dev/null | grep -iaq "$insecure_renogo_str"
|
||||||
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
sec_renego=$? # 0= Secure Renegotiation IS NOT supported
|
||||||
|
#FIXME: didb't occur to me yet but why not also to check on "Secure Renegotiation IS supported"
|
||||||
case $sec_renego in
|
case $sec_renego in
|
||||||
0) pr_redln "VULNERABLE (NOT ok)" ;;
|
0) pr_redln "VULNERABLE (NOT ok)" ;;
|
||||||
1) pr_greenln "not vulnerable (OK)" ;;
|
1) pr_greenln "not vulnerable (OK)" ;;
|
||||||
@ -2376,7 +2380,7 @@ breach() {
|
|||||||
[[ $SERVICE != "HTTP" ]] && return 7
|
[[ $SERVICE != "HTTP" ]] && return 7
|
||||||
|
|
||||||
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for BREACH (HTTP compression) vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for BREACH (HTTP compression) vulnerability" && outln "\n"
|
||||||
pr_bold " BREACH"; out " (CVE-2013-3587) =HTTP Compression "
|
pr_bold " BREACH"; out " (CVE-2013-3587) "
|
||||||
|
|
||||||
url="$1"
|
url="$1"
|
||||||
[ -z "$url" ] && url="/"
|
[ -z "$url" ] && url="/"
|
||||||
@ -2413,7 +2417,7 @@ EOF
|
|||||||
pr_green "no HTTP compression (OK) "
|
pr_green "no HTTP compression (OK) "
|
||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
pr_litered "NOT ok: uses $result compression "
|
pr_litered "NOT ok: uses $result HTTP compression "
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
# Catch: any URL can be vulnerable. I am testing now only the root. URL!
|
# Catch: any URL can be vulnerable. I am testing now only the root. URL!
|
||||||
@ -2527,6 +2531,7 @@ beast(){
|
|||||||
|
|
||||||
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
#detected_cbc_cipher=$(echo $detected_cbc_cipher | sed 's/ //g')
|
||||||
if [ -z "$detected_cbc_cipher" ]; then
|
if [ -z "$detected_cbc_cipher" ]; then
|
||||||
|
[[ $proto == "tls1" ]] && printf "$spaces"
|
||||||
pr_litegreenln "no CBC ciphers for $(echo $proto | tr '[a-z]' '[A-Z]') (OK)"
|
pr_litegreenln "no CBC ciphers for $(echo $proto | tr '[a-z]' '[A-Z]') (OK)"
|
||||||
else
|
else
|
||||||
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
detected_cbc_cipher=$(echo "$detected_cbc_cipher" | sed -e "s/ /\\${cr} ${spaces}/9" -e "s/ /\\${cr} ${spaces}/6" -e "s/ /\\${cr} ${spaces}/3")
|
||||||
@ -2845,7 +2850,9 @@ CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK
|
|||||||
USLEEP_SND $USLEEP_SND
|
USLEEP_SND $USLEEP_SND
|
||||||
USLEEP_REC $USLEEP_REC
|
USLEEP_REC $USLEEP_REC
|
||||||
|
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
|
||||||
$OPENSSL ciphers -V $1 &>$TEMPDIR/all_local_ciphers.txt
|
$OPENSSL ciphers -V $1 &>$TEMPDIR/all_local_ciphers.txt
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2948,7 +2955,10 @@ parse_hn_port() {
|
|||||||
URL_PATH=$(echo $URL_PATH | sed 's/\/\//\//g') # we rather want // -> /
|
URL_PATH=$(echo $URL_PATH | sed 's/\/\//\//g') # we rather want // -> /
|
||||||
|
|
||||||
# now get NODEIP
|
# now get NODEIP
|
||||||
get_dns_entries
|
if ! get_dns_entries ; then
|
||||||
|
pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"
|
||||||
|
exit -1
|
||||||
|
fi
|
||||||
|
|
||||||
# check if we can connect to port
|
# check if we can connect to port
|
||||||
if ! fd_socket; then
|
if ! fd_socket; then
|
||||||
@ -3011,13 +3021,13 @@ get_dns_entries() {
|
|||||||
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
||||||
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
||||||
pr_magenta "Can't proceed: No IP address for \"$NODE\" available"; outln "\n"
|
return 1
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# MSYS2 has no host or getent, so we do this
|
# MSYS2 has no host or getent, so we do this
|
||||||
if [ -z "$IP4" ] ; then
|
if [ -z "$IP4" ] ; then
|
||||||
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
||||||
|
[ -z "$IP4" ] && return 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
||||||
@ -3041,6 +3051,7 @@ get_dns_entries() {
|
|||||||
|
|
||||||
# FIXME: we could/should test more than one IPv4 addresses if available, same IPv6. For now we test the first IPv4:
|
# FIXME: we could/should test more than one IPv4 addresses if available, same IPv6. For now we test the first IPv4:
|
||||||
NODEIP=$(echo "$IP4" | head -1)
|
NODEIP=$(echo "$IP4" | head -1)
|
||||||
|
[ -z "$NODEIP" ] && return 3
|
||||||
|
|
||||||
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
||||||
#NODEIP=$(echo "$IP6" | head -1)
|
#NODEIP=$(echo "$IP6" | head -1)
|
||||||
@ -3051,6 +3062,7 @@ get_dns_entries() {
|
|||||||
rDNS=$(nslookup -type=PTR $NODEIP 2> /dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
rDNS=$(nslookup -type=PTR $NODEIP 2> /dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')
|
||||||
fi
|
fi
|
||||||
[ -z "$rDNS" ] && rDNS="--"
|
[ -z "$rDNS" ] && rDNS="--"
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -3416,6 +3428,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.240 2015/05/02 13:01:01 dirkw Exp $
|
# $Id: testssl.sh,v 1.242 2015/05/06 16:48:50 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
Loading…
Reference in New Issue
Block a user