mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
- RC4 has now 2 CVEs and cipher per default are displayed short
- introducng a variable name LONG which for certain funcs shows broad output with hexc, cipher, KX, etc. - FIX: regression not showing security headers - introducing VULN_THRESHLD
This commit is contained in:
parent
3891f5b13b
commit
1ea7a0947f
69
testssl.sh
69
testssl.sh
@ -59,6 +59,7 @@ DEBUG=${DEBUG:-0} # if 1 the temp files won't be erased. 2: list more what's
|
|||||||
#FIXME: still to be filled with (more) sense or following to be included:
|
#FIXME: still to be filled with (more) sense or following to be included:
|
||||||
VERBERR=${VERBERR:-1} # 0 means to be more verbose (handshake errors to be displayed so that one can tell better
|
VERBERR=${VERBERR:-1} # 0 means to be more verbose (handshake errors to be displayed so that one can tell better
|
||||||
# whether handshake succeeded or not. While testing individual ciphers you also need to have SHOW_EACH_C=1
|
# whether handshake succeeded or not. While testing individual ciphers you also need to have SHOW_EACH_C=1
|
||||||
|
LONG=${LONG:-1} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
|
||||||
|
|
||||||
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-3} # we wait this long before killing the process to retrieve a service banner / http header
|
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-3} # we wait this long before killing the process to retrieve a service banner / http header
|
||||||
MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
MAX_WAITSOCK=10 # waiting at max 10 seconds for socket reply
|
||||||
@ -98,6 +99,7 @@ OSSL_VER_MINOR=0
|
|||||||
OSSL_VER_APPENDIX="none"
|
OSSL_VER_APPENDIX="none"
|
||||||
NODEIP=""
|
NODEIP=""
|
||||||
VULN_COUNT=0
|
VULN_COUNT=0
|
||||||
|
VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
||||||
IPS=""
|
IPS=""
|
||||||
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
||||||
URI=""
|
URI=""
|
||||||
@ -669,7 +671,7 @@ moreflags() {
|
|||||||
http_header "$1" || return 3
|
http_header "$1" || return 3
|
||||||
fi
|
fi
|
||||||
pr_bold " Security headers "
|
pr_bold " Security headers "
|
||||||
egrep_pattern=$(echo $good_flags2test| sed -e 's/ /|\^/g' -e 's/^/\^/g')
|
egrep_pattern=$(echo $good_flags2test| sed -e 's/ /|\^/g' -e 's/^/\^/g') # space -> |^
|
||||||
egrep -ai $egrep_pattern $HEADERFILE >$TMPFILE
|
egrep -ai $egrep_pattern $HEADERFILE >$TMPFILE
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
outln "(none at \"$url\")"
|
outln "(none at \"$url\")"
|
||||||
@ -677,7 +679,7 @@ moreflags() {
|
|||||||
else
|
else
|
||||||
ret=0
|
ret=0
|
||||||
first=true
|
first=true
|
||||||
for f2t in $flags2test; do
|
for f2t in $good_flags2test; do
|
||||||
result_str=$(grep -i "^$f2t" $TMPFILE)
|
result_str=$(grep -i "^$f2t" $TMPFILE)
|
||||||
[ -z "$result_str" ] && continue
|
[ -z "$result_str" ] && continue
|
||||||
if $first; then
|
if $first; then
|
||||||
@ -688,6 +690,7 @@ moreflags() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
#FIXME: I am not testting for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
@ -1950,7 +1953,7 @@ tls_sockets() {
|
|||||||
|
|
||||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||||
heartbleed(){
|
heartbleed(){
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n"
|
||||||
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
|
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
|
||||||
|
|
||||||
if [ ! -z "$STARTTLS" ] ; then
|
if [ ! -z "$STARTTLS" ] ; then
|
||||||
@ -2066,7 +2069,7 @@ ok_ids(){
|
|||||||
ccs_injection(){
|
ccs_injection(){
|
||||||
# see https://www.openssl.org/news/secadv_20140605.txt
|
# see https://www.openssl.org/news/secadv_20140605.txt
|
||||||
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
|
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
|
||||||
pr_bold " CCS "; out " (CVE-2014-0224), experimental "
|
pr_bold " CCS "; out " (CVE-2014-0224), experimental "
|
||||||
|
|
||||||
if [ ! -z "$STARTTLS" ] ; then
|
if [ ! -z "$STARTTLS" ] ; then
|
||||||
@ -2169,7 +2172,7 @@ ccs_injection(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
renego() {
|
renego() {
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
|
||||||
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
|
||||||
|
|
||||||
ADDCMD=""
|
ADDCMD=""
|
||||||
@ -2219,7 +2222,7 @@ crime() {
|
|||||||
# means anyway "game over", w/wo CRIME
|
# means anyway "game over", w/wo CRIME
|
||||||
# www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html
|
# www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html
|
||||||
|
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for CRIME vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for CRIME vulnerability" && outln "\n"
|
||||||
pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) "
|
pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) "
|
||||||
|
|
||||||
case "$OSSL_VER" in
|
case "$OSSL_VER" in
|
||||||
@ -2295,7 +2298,7 @@ crime() {
|
|||||||
breach() {
|
breach() {
|
||||||
[[ $SERVICE != "HTTP" ]] && return 7
|
[[ $SERVICE != "HTTP" ]] && return 7
|
||||||
|
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for BREACH (HTTP compression) vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for BREACH (HTTP compression) vulnerability" && outln "\n"
|
||||||
pr_bold " BREACH"; out " (CVE-2013-3587) =HTTP Compression "
|
pr_bold " BREACH"; out " (CVE-2013-3587) =HTTP Compression "
|
||||||
|
|
||||||
url="$1"
|
url="$1"
|
||||||
@ -2351,7 +2354,7 @@ ssl_poodle() {
|
|||||||
local ret
|
local ret
|
||||||
local cbc_ciphers
|
local cbc_ciphers
|
||||||
|
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption)" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption)" && outln "\n"
|
||||||
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
|
pr_bold " POODLE, SSL"; out " (CVE-2014-3566) "
|
||||||
cbc_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/CBC/ { print $1 }' | tr '\n' ':')
|
cbc_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/CBC/ { print $1 }' | tr '\n' ':')
|
||||||
debugme echo $cbc_ciphers
|
debugme echo $cbc_ciphers
|
||||||
@ -2384,7 +2387,7 @@ freak() {
|
|||||||
local exportrsa_ciphers
|
local exportrsa_ciphers
|
||||||
local addtl_warning=""
|
local addtl_warning=""
|
||||||
|
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
|
||||||
pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
|
pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
|
||||||
no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep -a "^EXP.*RSA" | wc -l)
|
no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep -a "^EXP.*RSA" | wc -l)
|
||||||
exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
|
exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
|
||||||
@ -2426,7 +2429,7 @@ beast(){
|
|||||||
local spaces=" "
|
local spaces=" "
|
||||||
local cr=$'\n'
|
local cr=$'\n'
|
||||||
|
|
||||||
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for BEAST vulnerability" && outln "\n"
|
[ $VULN_COUNT -le $VULN_THRESHLD ] && outln && pr_blue "--> Testing for BEAST vulnerability" && outln "\n"
|
||||||
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
pr_bold " BEAST"; out " (CVE-2011-3389) "
|
||||||
|
|
||||||
# 2) test handfull of common CBC ciphers
|
# 2) test handfull of common CBC ciphers
|
||||||
@ -2465,7 +2468,7 @@ beast(){
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ $ret -eq 1 ] ; then
|
if [ $ret -eq 1 ] ; then
|
||||||
[ ! -z "$higher_proto_supported" ] && outln "${spaces}but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
[ ! -z "$higher_proto_supported" ] && outln "${spaces}-- but also supports higher protocols (possible mitigation):$higher_proto_supported"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
|
# printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
|
||||||
@ -2486,35 +2489,46 @@ lucky13() {
|
|||||||
# https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
|
# https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
|
||||||
# http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
|
# http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
|
||||||
rc4() {
|
rc4() {
|
||||||
outln
|
local ret
|
||||||
pr_blue "--> Checking RC4 Ciphers" ; outln
|
local hexcode n ciph sslvers kx auth enc mac strength
|
||||||
|
|
||||||
|
if [ $VULN_COUNT -le $VULN_THRESHLD ] || [ $LONG -eq 0 ] ; then
|
||||||
|
outln
|
||||||
|
pr_blue "--> Checking for vulnerable RC4 Ciphers" ; outln "\n"
|
||||||
|
fi
|
||||||
|
pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) "
|
||||||
|
|
||||||
$OPENSSL ciphers -V 'RC4:@STRENGTH' >$TMPFILE
|
$OPENSSL ciphers -V 'RC4:@STRENGTH' >$TMPFILE
|
||||||
[ $SHOW_LOC_CIPH -eq 0 ] && echo "local ciphers available for testing RC4:" && echo $(cat $TMPFILE)
|
[ $LONG -eq 0 ] && [ $SHOW_LOC_CIPH -eq 0 ] && echo "local ciphers available for testing RC4:" && echo $(cat $TMPFILE)
|
||||||
$OPENSSL s_client -cipher $($OPENSSL ciphers RC4) $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null </dev/null
|
$OPENSSL s_client -cipher $($OPENSSL ciphers RC4) $STARTTLS -connect $NODEIP:$PORT $SNI &>/dev/null </dev/null
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
pr_litered "\nNOT ok: borken RC4 is being offered!"
|
pr_litered "VULNERABLE (NOT ok):"
|
||||||
outln " Now testing specific ciphers...\n"
|
[[ $LONG -eq 0 ]] && outln "\n"
|
||||||
rc4_offered=1
|
rc4_offered=1
|
||||||
neat_header
|
[[ $LONG -eq 0 ]] && neat_header
|
||||||
while read hexcode n ciph sslvers kx auth enc mac; do
|
while read hexcode n ciph sslvers kx auth enc mac; do
|
||||||
$OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>/dev/null
|
$OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $SNI </dev/null &>/dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
if [[ $ret -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]] ; then
|
if [[ $ret -ne 0 ]] && [[ "$SHOW_EACH_C" -eq 0 ]] ; then
|
||||||
continue # no successful connect AND not verbose displaying each cipher
|
continue # no successful connect AND not verbose displaying each cipher
|
||||||
fi
|
fi
|
||||||
normalize_ciphercode $hexcode
|
if [ $LONG -eq 0 ]; then
|
||||||
neat_list $HEXC $ciph $kx $enc $strength
|
normalize_ciphercode $hexcode
|
||||||
if [[ "$SHOW_EACH_C" -ne 0 ]]; then
|
neat_list $HEXC $ciph $kx $enc $strength
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ "$SHOW_EACH_C" -ne 0 ]]; then
|
||||||
pr_litered "available"
|
if [[ $ret -eq 0 ]]; then
|
||||||
|
pr_litered "available"
|
||||||
|
else
|
||||||
|
out "not a/v"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
out "not a/v"
|
rc4_offered=1
|
||||||
|
out
|
||||||
fi
|
fi
|
||||||
|
outln
|
||||||
else
|
else
|
||||||
rc4_offered=1
|
pr_litered "$ciph "
|
||||||
out
|
|
||||||
fi
|
fi
|
||||||
outln
|
|
||||||
done < $TMPFILE
|
done < $TMPFILE
|
||||||
# ^^^^^ posix redirect as shopt will either segfault or doesn't work with old bash versions
|
# ^^^^^ posix redirect as shopt will either segfault or doesn't work with old bash versions
|
||||||
outln
|
outln
|
||||||
@ -3177,6 +3191,7 @@ startup() {
|
|||||||
shift
|
shift
|
||||||
do_tls_sockets=true
|
do_tls_sockets=true
|
||||||
outln "TLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" ;;
|
outln "TLS_LOW_BYTE/HEX_CIPHER: ${TLS_LOW_BYTE}/${HEX_CIPHER}" ;;
|
||||||
|
--long) LONG=0 ;;
|
||||||
--assuming-http|--assuming_http|--assume_http|--assume-http)
|
--assuming-http|--assuming_http|--assume_http|--assume-http)
|
||||||
ASSUMING_HTTP=0 ;;
|
ASSUMING_HTTP=0 ;;
|
||||||
--sneaky)
|
--sneaky)
|
||||||
@ -3301,6 +3316,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.234 2015/04/22 13:22:52 dirkw Exp $
|
# $Id: testssl.sh,v 1.235 2015/04/22 16:24:38 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
Loading…
Reference in New Issue
Block a user