Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

first prototype BEAST | FIX: maketempf in initialize_engine | FIX: exit statements in main w/ more meaning/shorter

Browse Source
This commit is contained in:
Dirk 2015-01-20 21:51:49 +01:00
parent 5853202efd
commit 28330dc6fc
1 changed files with 51 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
testssl.sh
View File

@ -913,7 +913,7 @@ server_preference() {
out " Has server cipher order? " out " Has server cipher order? "
if [[ "$cipher1" != "$cipher2" ]]; then if [[ "$cipher1" != "$cipher2" ]]; then
red "nope (NOT ok)" litered "nope (NOT ok)"
remark4default_cipher=" (limited sense as client will pick)" remark4default_cipher=" (limited sense as client will pick)"
else else
green "yes (OK)" green "yes (OK)"
@ -1683,11 +1683,40 @@ crime() {
return $ret return $ret
} }
# Browser Exploit Against SSL/TLS
beast(){ beast(){
#FIXME: to do local cbc_ciphers
#in a nutshell: don't use CBC Ciphers in TLSv1.0 local detected_proto
# need to provide a list with bad ciphers. Not sure though whether local detected_cbc
# it can be fixed in the OpenSSL/NSS/whatsover stack local higher_proto_supported=""
#in a nutshell: don't use CBC Ciphers in SSLv3 TLSv1.0
#
bold " BEAST"; out " (CVE-2011-3389) "
# 1) support for TLS 1.1+1.2?
for proto in tls1_1 tls1_2; do
$OPENSSL s_client -state -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null >$TMPFILE </dev/null
if [ $? -eq 0 ]; then
higher_proto_supported="$higher_proto_supported ""$(grep -w "Protocol" $TMPFILE | sed -e 's/^.*Protocol .*://' -e 's/ //g')"
fi
done
[ ! -z "$higher_proto_supported" ] && outln "supports also higher protocols: $higher_proto_supported"
# 2) test handfull of common CBC ciphers
cbc_ciphers=`$OPENSSL ciphers 'ALL:eNULL' | grep CBC`
for proto in ssl3 tls1; do
$OPENSSL s_client -cipher "$cbc_ciphers" -"$proto" $STARTTLS -connect $NODEIP:$PORT $SNI >$TMPFILE 2>/dev/null </dev/null
ret=$?
if [ $ret -ne 0 ] && [ "$SHOW_EACH_C" -eq 0 ]; then
continue # no successful connect AND not verbose displaying each cipher
else
detected_cbc_cipher=`grep -w "Cipher" $TMPFILE | egrep -vw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g'`
echo "$proto: $detected_cbc_cipher"
fi
done
printf "For a full individual test of each CBC cipher suites support by your $OPENSSL run \"$0 -x CBC $NODE\"\n"
return 0 return 0
} }
@ -1910,6 +1939,7 @@ initialize_engine(){
if [ ! -z "$OPENSSL_CONF" ]; then if [ ! -z "$OPENSSL_CONF" ]; then
litemagenta "For now I am providing the config file in to have GOST support"; outln litemagenta "For now I am providing the config file in to have GOST support"; outln
else else
[ -z "$TEMPDIR" ] && maketempf
OPENSSL_CONF=$TEMPDIR/gost.conf || exit 6 OPENSSL_CONF=$TEMPDIR/gost.conf || exit 6
# see https://www.mail-archive.com/openssl-users@openssl.org/msg65395.html # see https://www.mail-archive.com/openssl-users@openssl.org/msg65395.html
cat >$OPENSSL_CONF << EOF cat >$OPENSSL_CONF << EOF
@ -2118,26 +2148,22 @@ case "$1" in
maketempf maketempf
parse_hn_port "$3" parse_hn_port "$3"
test_just_one $2 test_just_one $2
ret=$? exit $? ;;
exit $ret ;;
-t|--starttls) -t|--starttls)
maketempf maketempf
parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port parse_hn_port "$3" "$2" # here comes protocol to signal starttls and hostname:port
starttls "$2" # protocol starttls "$2" # protocol
ret=$? exit $? ;;
exit $ret ;;
-e|--each-cipher) -e|--each-cipher)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
allciphers allciphers
ret=$? exit $? ;;
exit $ret ;;
-E|-ee|--cipher-per-proto) -E|-ee|--cipher-per-proto)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
cipher_per_proto cipher_per_proto
ret=$? exit $? ;;
exit $ret ;;
-p|--protocols) -p|--protocols)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
@ -2148,54 +2174,46 @@ case "$1" in
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
run_std_cipherlists run_std_cipherlists
ret=$? exit $? ;;
exit $ret ;;
-S|--server_defaults) -S|--server_defaults)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
server_defaults server_defaults
ret=$? exit $? ;;
exit $ret ;;
-P|--server_preference) -P|--server_preference)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
server_preference server_preference
ret=$? exit $? ;;
exit $ret ;;
-y|--spdy|--google) -y|--spdy|--google)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
spdy spdy
ret=$?
exit $? ;; exit $? ;;
-B|--heartbleet) -B|--heartbleet)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
outln; blue "--> Testing for heartbleed vulnerability"; outln "\n" outln; blue "--> Testing for heartbleed vulnerability"; outln "\n"
heartbleed heartbleed
ret=$?
exit $? ;; exit $? ;;
-I|--ccs|--ccs_injection) -I|--ccs|--ccs_injection)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
outln; blue "--> Testing for CCS injection vulnerability"; outln "\n" outln; blue "--> Testing for CCS injection vulnerability"; outln "\n"
ccs_injection ccs_injection
ret=$?
exit $? ;; exit $? ;;
-R|--renegotiation) -R|--renegotiation)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
outln; blue "--> Testing for Renegotiation vulnerability"; outln "\n" outln; blue "--> Testing for Renegotiation vulnerability"; outln "\n"
renego renego
ret=$?
exit $? ;; exit $? ;;
-C|--compression|--crime) -C|--compression|--crime)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
outln; blue "--> Testing for CRIME vulnerability"; outln "\n" outln; blue "--> Testing for CRIME vulnerability"; outln "\n"
crime crime
ret=$? exit $? ;;
exit $? ;;
-T|--breach) -T|--breach)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
@ -2214,21 +2232,22 @@ case "$1" in
parse_hn_port "$2" parse_hn_port "$2"
outln; blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability"; outln "\n" outln; blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability"; outln "\n"
poodle poodle
ret=$? exit $? ;;
ret=`expr $? + $ret`
exit $ret ;;
-4|--rc4|--appelbaum) -4|--rc4|--appelbaum)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
rc4 rc4
ret=$? exit $? ;;
exit $? ;;
-s|--pfs|--fs|--nsa) -s|--pfs|--fs|--nsa)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"
pfs pfs
ret=$? exit $? ;;
exit $ret ;; -q|--beast)
maketempf
parse_hn_port "$2"
beast
exit $? ;;
-H|--header|--headers) -H|--header|--headers)
maketempf maketempf
parse_hn_port "$2" parse_hn_port "$2"