mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
Merge branch '2.9dev' into negotiated_cipher
This commit is contained in:
commit
2e76dff0ea
57
testssl.sh
57
testssl.sh
@ -126,10 +126,12 @@ tty -s && \
|
|||||||
readonly INTERACTIVE=true || \
|
readonly INTERACTIVE=true || \
|
||||||
readonly INTERACTIVE=false
|
readonly INTERACTIVE=false
|
||||||
|
|
||||||
if ! tput cols &>/dev/null || ! $INTERACTIVE; then # Prevent tput errors if running non interactive
|
if [[ -z $TERM_WIDTH ]]; then # no batch file and no otherwise predefined TERM_WIDTH
|
||||||
TERM_WIDTH=${COLUMNS:-80}
|
if ! tput cols &>/dev/null || ! "$INTERACTIVE";then # Prevent tput errors if running non interactive
|
||||||
|
export TERM_WIDTH=${COLUMNS:-80}
|
||||||
else
|
else
|
||||||
TERM_WIDTH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes
|
export TERM_WIDTH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos
|
TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos
|
||||||
|
|
||||||
@ -182,9 +184,6 @@ DAYS2WARN2=${DAYS2WARN2:-30} # days to warn before cert expires, thre
|
|||||||
VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
|
VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THRESHLD we DON'T show a separate header line in the output each vuln. check
|
||||||
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
|
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
|
||||||
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
readonly CLIENT_MIN_PFS=5 # number of ciphers needed to run a test for PFS
|
||||||
# generated from 'kEECDH:kEDH:!aNULL:!eNULL:!DES:!3DES:!RC4' with openssl 1.0.2i and openssl 1.1.0
|
|
||||||
readonly ROBUST_PFS_CIPHERS="DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-SEED-SHA:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-SEED-SHA:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305"
|
|
||||||
|
|
||||||
HAD_SLEPT=0
|
HAD_SLEPT=0
|
||||||
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
||||||
FNAME=${FNAME:-""} # file name to read commands from
|
FNAME=${FNAME:-""} # file name to read commands from
|
||||||
@ -6648,7 +6647,9 @@ run_pfs() {
|
|||||||
local pfs_offered=false ecdhe_offered=false ffdhe_offered=false
|
local pfs_offered=false ecdhe_offered=false ffdhe_offered=false
|
||||||
local hexc dash pfs_cipher sslvers auth mac export curve dhlen
|
local hexc dash pfs_cipher sslvers auth mac export curve dhlen
|
||||||
local -a hexcode normalized_hexcode ciph rfc_ciph kx enc ciphers_found sigalg ossl_supported
|
local -a hexcode normalized_hexcode ciph rfc_ciph kx enc ciphers_found sigalg ossl_supported
|
||||||
local pfs_cipher_list="$ROBUST_PFS_CIPHERS" pfs_hex_cipher_list="" ciphers_to_test
|
# generated from 'kEECDH:kEDH:!aNULL:!eNULL:!DES:!3DES:!RC4' with openssl 1.0.2i and openssl 1.1.0
|
||||||
|
local pfs_cipher_list="DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-SEED-SHA:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-SEED-SHA:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305"
|
||||||
|
local pfs_hex_cipher_list="" ciphers_to_test
|
||||||
local ecdhe_cipher_list="" ecdhe_cipher_list_hex="" ffdhe_cipher_list_hex=""
|
local ecdhe_cipher_list="" ecdhe_cipher_list_hex="" ffdhe_cipher_list_hex=""
|
||||||
local curves_hex=("00,01" "00,02" "00,03" "00,04" "00,05" "00,06" "00,07" "00,08" "00,09" "00,0a" "00,0b" "00,0c" "00,0d" "00,0e" "00,0f" "00,10" "00,11" "00,12" "00,13" "00,14" "00,15" "00,16" "00,17" "00,18" "00,19" "00,1a" "00,1b" "00,1c" "00,1d" "00,1e")
|
local curves_hex=("00,01" "00,02" "00,03" "00,04" "00,05" "00,06" "00,07" "00,08" "00,09" "00,0a" "00,0b" "00,0c" "00,0d" "00,0e" "00,0f" "00,10" "00,11" "00,12" "00,13" "00,14" "00,15" "00,16" "00,17" "00,18" "00,19" "00,1a" "00,1b" "00,1c" "00,1d" "00,1e")
|
||||||
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
|
local -a curves_ossl=("sect163k1" "sect163r1" "sect163r2" "sect193r1" "sect193r2" "sect233k1" "sect233r1" "sect239k1" "sect283k1" "sect283r1" "sect409k1" "sect409r1" "sect571k1" "sect571r1" "secp160k1" "secp160r1" "secp160r2" "secp192k1" "prime192v1" "secp224k1" "secp224r1" "secp256k1" "prime256v1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "X25519" "X448")
|
||||||
@ -9264,7 +9265,7 @@ ok_ids(){
|
|||||||
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
|
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
|
||||||
run_ccs_injection(){
|
run_ccs_injection(){
|
||||||
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
|
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
|
||||||
local -i retval ret lines_returned
|
local -i retval ret
|
||||||
local tls_hello_ascii=""
|
local tls_hello_ascii=""
|
||||||
local cve="CVE-2014-0224"
|
local cve="CVE-2014-0224"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
@ -9333,13 +9334,12 @@ run_ccs_injection(){
|
|||||||
if [[ $DEBUG -ge 4 ]]; then
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
outln "[...]"
|
outln "[...]"
|
||||||
outln "\npayload #1 with TLS version $tls_hexcode:"
|
out "\nsending payload #1 with TLS version $tls_hexcode: "
|
||||||
fi
|
fi
|
||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
# ... and then send the a change cipher spec message
|
# ... and then send the a change cipher spec message
|
||||||
socksend "$ccs_message" 1 || ok_ids
|
socksend "$ccs_message" 1 || ok_ids
|
||||||
sockread_serverhello 2048 $CCS_MAX_WAITSOCK
|
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
outln "\n1st reply: "
|
outln "\n1st reply: "
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
@ -9347,43 +9347,40 @@ run_ccs_injection(){
|
|||||||
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
|
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
|
||||||
# or just timed out
|
# or just timed out
|
||||||
outln
|
outln
|
||||||
outln "payload #2 with TLS version $tls_hexcode:"
|
out "sending payload #2 with TLS version $tls_hexcode: "
|
||||||
fi
|
fi
|
||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
socksend "$ccs_message" 2 || ok_ids
|
socksend "$ccs_message" 2 || ok_ids
|
||||||
sockread_serverhello 2048 $CCS_MAX_WAITSOCK
|
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
|
||||||
retval=$?
|
retval=$?
|
||||||
|
|
||||||
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
debugme echo "tls_content_type: ${tls_hello_ascii:0:2}"
|
byte6="${tls_hello_ascii:12:2}"
|
||||||
debugme echo "tls_protocol: ${tls_hello_ascii:2:4}"
|
debugme echo "tls_content_type: ${tls_hello_ascii:0:2} | tls_protocol: ${tls_hello_ascii:2:4} | byte6: $byte6"
|
||||||
lines_returned=$(count_lines "$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE")")
|
|
||||||
debugme echo "lines new: $lines_returned, byte6: ${tls_hello_ascii:12:2}"
|
|
||||||
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
outln "\n2nd reply: "
|
outln "\n2nd reply: "
|
||||||
hexdump -C "$SOCK_REPLY_FILE"
|
hexdump -C "$SOCK_REPLY_FILE"
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
|
|
||||||
|
|
||||||
byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
|
|
||||||
debugme echo "lines: $lines_returned, byte6: $byte6"
|
|
||||||
# not ok: 15 | 0301 | 02 | 02 | 15
|
# not ok: 15 | 0301 | 02 | 02 | 15
|
||||||
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
||||||
#
|
#
|
||||||
# ok: 0a or nothing: ==> RST
|
# ok: 0a or nothing: ==> RST
|
||||||
|
|
||||||
if [[ "$byte6" == "0a" ]] || [[ "$lines_returned" -gt 1 ]]; then
|
if [[ -z "${tls_hello_ascii:0:12}" ]]; then
|
||||||
|
# empty reply
|
||||||
pr_done_best "not vulnerable (OK)"
|
pr_done_best "not vulnerable (OK)"
|
||||||
if [[ $retval -eq 3 ]]; then
|
if [[ $retval -eq 3 ]]; then
|
||||||
|
### what?
|
||||||
fileout "ccs" "OK" "CCS: not vulnerable (timed out)" "$cve" "$cwe"
|
fileout "ccs" "OK" "CCS: not vulnerable (timed out)" "$cve" "$cwe"
|
||||||
else
|
else
|
||||||
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
|
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
|
||||||
fi
|
fi
|
||||||
ret=0
|
ret=0
|
||||||
else
|
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
if [[ $retval -eq 3 ]]; then
|
if [[ $retval -eq 3 ]]; then
|
||||||
fileout "ccs" "CRITICAL" "CCS: VULNERABLE (timed out)" "$cve" "$cwe" "$hint"
|
fileout "ccs" "CRITICAL" "CCS: VULNERABLE (timed out)" "$cve" "$cwe" "$hint"
|
||||||
@ -9391,8 +9388,17 @@ run_ccs_injection(){
|
|||||||
fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint"
|
fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint"
|
||||||
fi
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
|
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
|
||||||
|
pr_warning "test failed"
|
||||||
|
out ", probably read buffer too small (${tls_hello_ascii:0:14})"
|
||||||
|
fileout "ccs" "WARN" "CCS: test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
|
||||||
|
ret=7
|
||||||
|
else
|
||||||
|
pr_warning "test failed "
|
||||||
|
out "around line $LINENO (debug info: ${tls_hello_ascii:0:14})"
|
||||||
|
fileout "ccs" "WARN" "CCS: test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
|
||||||
|
ret=7
|
||||||
fi
|
fi
|
||||||
[[ $retval -eq 3 ]] && out ", timed out"
|
|
||||||
outln
|
outln
|
||||||
|
|
||||||
TMPFILE="$SOCK_REPLY_FILE"
|
TMPFILE="$SOCK_REPLY_FILE"
|
||||||
@ -12105,8 +12111,7 @@ run_mass_testing_parallel() {
|
|||||||
fi
|
fi
|
||||||
pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln
|
pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln
|
||||||
outln "(output is in ....\n)"
|
outln "(output is in ....\n)"
|
||||||
#FIXME: once this function is being called we need a handler which does the right thing
|
#FIXME: once this function is being called we need a handler which does the right thing, i.e. ==> not to overwrite
|
||||||
# ==> not overwrite
|
|
||||||
while read cmdline; do
|
while read cmdline; do
|
||||||
cmdline=$(filter_input "$cmdline")
|
cmdline=$(filter_input "$cmdline")
|
||||||
[[ -z "$cmdline" ]] && continue
|
[[ -z "$cmdline" ]] && continue
|
||||||
@ -12600,7 +12605,7 @@ parse_cmd_line() {
|
|||||||
|
|
||||||
# Show usage if no options were specified
|
# Show usage if no options were specified
|
||||||
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
|
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
|
||||||
help 0
|
echo && fatal "URI missing" "1"
|
||||||
else
|
else
|
||||||
# left off here is the URI
|
# left off here is the URI
|
||||||
URI="$1"
|
URI="$1"
|
||||||
|
Loading…
Reference in New Issue
Block a user