Fine tuning if Jac2NL's commit of IDS evasion

Reduce the offensive tests to 4: the others are "just" / mostly cipher based checks which should not cause an IDS to block. (This maybe subject to reconsider at a later time.) Added a switch --ids-friendly Updated VULN_COUNT accordingly Added this (including PHONE_OUT to env debugging output) Added help() Manual section added
2025-01-01 06:19:44 +01:00 · 2018-06-26 13:04:30 +02:00 · 2018-06-26 13:04:30 +02:00 · 33cf1d524c
commit 33cf1d524c
parent 01f177199c
4 changed files with 48 additions and 27 deletions
--- a/doc/testssl.1
+++ b/doc/testssl.1
@ -152,7 +152,10 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
 \fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in /etc/hosts\. The use of the switch is only useful if you either can\'t or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentestsi\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the enviroment variable for this\.
 .
 .P
-\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
+\fB\-\-sneaky\fR is a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
+.
+.P
+\fB\-\-ids\-friendly\fR is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS\. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT\. The environment variable OFFENSIVE set to false will achieve the same result\. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK\.
 .
 .P
 \fB\-\-phone\-out\fR instructs testssl\.sh to query external \-\- in a sense of the current run \-\- URLs or URIs\. This is needed for checking revoked certificates via CRL and OCSP\. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl\.sh doesn\'t handle\. PHONE_OUT is the environment variable for this which needs to be set to true if you want this\.
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@ -200,9 +200,11 @@ host.example.com:631
 DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip</code> or have the IP address
 in /etc/hosts.  The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the enviroment variable for this.</p>

-<p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
+<p><code>--sneaky</code> is a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>

-<p><code>--phone-out</code>    instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.</p>
+<p><code>--ids-friendly</code> is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK.</p>
+
+<p><code>--phone-out</code> instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.</p>

 <h3 id="SINGLE-CHECK-OPTIONS">SINGLE CHECK OPTIONS</h3>

--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@ -123,9 +123,11 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
 DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address
 in /etc/hosts.  The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the enviroment variable for this.

-`--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
+`--sneaky` is a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).

-`--phone-out`    instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
+`--ids-friendly` is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK.
+
+`--phone-out` instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.


 ### SINGLE CHECK OPTIONS
--- a/testssl.sh
+++ b/testssl.sh
@ -220,7 +220,7 @@ APPEND=${APPEND:-false}                 # append to csv/json file instead of ove
 [[ -z "$NODNS" ]] && declare NODNS      # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
 HAS_IPv6=${HAS_IPv6:-false}             # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
 ALL_CLIENTS=${ALL_CLIENTS:-false}       # do you want to run all client simulation form all clients supplied by SSLlabs?
-OFFENSIVE=${OFFENSIVE:-true}            # do you want to include offensive vulnerability tests?
+OFFENSIVE=${OFFENSIVE:-true}            # do you want to include offensive vulnerability tests which may cause blocking by an IDS?

 ########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh <your_args_here>"
 #
@ -15235,7 +15235,6 @@ help() {
                                   Alternatively: nmap output in greppable format (-oG) (1x port per line allowed)
     --mode <serial|parallel>      Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
     --add-ca <cafile>             <cafile> or a comma separated list of CA files will be added during runtime to all CA stores
-     --phone-out                   Allow to contact external servers for CRL download and querying OCSP responder

 single check as <options>  ("$PROG_NAME URI" does everything except -E and -g):
     -e, --each-cipher             checks each local cipher remotely
@ -15282,6 +15281,8 @@ tuning / connect options (most also can be preset via environment variables):
                                   b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
     -n, --nodns <min|none>        if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
     --sneaky                      leave less traces in target logs: user agent, referer
+     --ids-friendly                skips a few vulnerablity checks which may cause IDSs to block the scanning IP
+     --phone-out                   allow to contact external servers for CRL download and querying OCSP responder

 output options (can also be preset via environment variables):
     --warnings <batch|off|false>  "batch" doesn't ask for a confirmation, "off" or "false" skips connection warnings
@ -15401,6 +15402,8 @@ SHOW_EACH_C: $SHOW_EACH_C
 SSL_NATIVE: $SSL_NATIVE
 ASSUME_HTTP $ASSUME_HTTP
 SNEAKY: $SNEAKY
+OFFENSIVE: $OFFENSIVE
+PHONE_OUT: $PHONE_OUT

 DEBUG: $DEBUG

@ -16832,19 +16835,19 @@ initialize_globals() {
 set_scanning_defaults() {
     do_allciphers=true
     do_vulnerabilities=true
-     do_beast="$OFFENSIVE" 
-     do_lucky13="$OFFENSIVE"
-     do_breach="$OFFENSIVE"
+     do_beast=true
+     do_lucky13=true
+     do_breach=true
     do_heartbleed="$OFFENSIVE"
     do_ccs_injection="$OFFENSIVE"
     do_ticketbleed="$OFFENSIVE"
     do_robot="$OFFENSIVE"
-     do_crime="$OFFENSIVE"
-     do_freak="$OFFENSIVE"
-     do_logjam="$OFFENSIVE"
-     do_drown="$OFFENSIVE"
-     do_ssl_poodle="$OFFENSIVE"
-     do_sweet32="$OFFENSIVE"
+     do_crime=true
+     do_freak=true
+     do_logjam=true
+     do_drown=true
+     do_ssl_poodle=true
+     do_sweet32=true
     do_header=true
     do_pfs=true
     do_rc4=true
@ -16855,7 +16858,11 @@ set_scanning_defaults() {
     do_server_preference=true
     do_tls_fallback_scsv=true
     do_client_simulation=true
-     VULN_COUNT=16
+     if "$OFFENSIVE"; then
+          VULN_COUNT=16
+     else
+          VULN_COUNT=12
+     fi
 }

 # returns number of $do variables set = number of run_funcs() to perform
@ -17032,18 +17039,25 @@ parse_cmd_line() {
                    do_ticketbleed="$OFFENSIVE"
                    do_robot="$OFFENSIVE"
                    do_renego=true
-                    do_crime="$OFFENSIVE"
-                    do_breach="$OFFENSIVE"
-                    do_ssl_poodle="$OFFENSIVE"
+                    do_crime=true
+                    do_breach=true
+                    do_ssl_poodle=true
                    do_tls_fallback_scsv=true
-                    do_sweet32="$OFFENSIVE"
-                    do_freak="$OFFENSIVE"
-                    do_drown="$OFFENSIVE"
-                    do_logjam="$OFFENSIVE"
-                    do_beast="$OFFENSIVE"
-                    do_lucky13="$OFFENSIVE"
+                    do_sweet32=true
+                    do_freak=true
+                    do_drown=true
+                    do_logjam=true
+                    do_beast=true
+                    do_lucky13=true
                    do_rc4=true
-                    VULN_COUNT=16
+                    if "$OFFENSIVE"; then
+                         VULN_COUNT=16
+                    else
+                         VULN_COUNT=12
+                    fi
+                    ;;
+               --ids-friendly)
+                    OFFENSIVE=false
                    ;;
               -H|--heartbleed)
                    do_heartbleed=true