diff --git a/doc/testssl.1 b/doc/testssl.1 index f9a1e1e..7262870 100644 --- a/doc/testssl.1 +++ b/doc/testssl.1 
@@ -152,7 +152,10 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri \fB\-n, \-\-nodns \fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in /etc/hosts\. The use of the switch is only useful if you either can\'t or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentestsi\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the enviroment variable for this\. . .P -\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\. +\fB\-\-sneaky\fR is a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\. +. +.P +\fB\-\-ids\-friendly\fR is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS\. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT\. The environment variable OFFENSIVE set to false will achieve the same result\. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK\. . 
.P \fB\-\-phone\-out\fR instructs testssl\.sh to query external \-\- in a sense of the current run \-\- URLs or URIs\. This is needed for checking revoked certificates via CRL and OCSP\. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl\.sh doesn\'t handle\. PHONE_OUT is the environment variable for this which needs to be set to true if you want this\. diff --git a/doc/testssl.1.html b/doc/testssl.1.html index 45f04d3..dbba727 100644 --- a/doc/testssl.1.html +++ b/doc/testssl.1.html @@ -200,9 +200,11 @@ host.example.com:631 DNS lookups at all. For the latter you either have to supply the IP address as a target, to use --ip or have the IP address in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. NODNS is the enviroment variable for this.

-

--sneaky as a friendly feature for the server side testssl.sh uses a HTTP user agent TLS tester from ${URL}. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via SNEAKY=true).

+

--sneaky is a friendly feature for the server side testssl.sh uses a HTTP user agent TLS tester from ${URL}. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via SNEAKY=true).

-

--phone-out instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.

+

--ids-friendly is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK.

+ +

--phone-out instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.

SINGLE CHECK OPTIONS
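Review bot: the rewording of the `--sneaky` paragraph produces a run-on in which the switch, not the default user agent, is called the friendly feature: "--sneaky is a friendly feature for the server side testssl.sh uses a HTTP user agent TLS tester from ${URL}." Suggest splitting it: "By default, as a friendly feature for the server side, testssl.sh uses the HTTP user agent TLS tester from ${URL}. With --sneaky your traces are less verbose and a Firefox user agent is used." In the new `--ids-friendly` paragraph, add the missing space in "vulnerabilities:heartbleed", set OFFENSIVE in the same fixed-width style as NODNS and SNEAKY above it, and replace the glob-like "*MAX_WAITSOCK" with the actual variable name(s) the reader is expected to change. The same paragraphs are added to doc/testssl.1 and doc/testssl.1.md in this patch, so the fix belongs in all three files.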

diff --git a/doc/testssl.1.md b/doc/testssl.1.md index b796972..7a68587 100644 --- a/doc/testssl.1.md +++ b/doc/testssl.1.md 
@@ -123,9 +123,11 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the enviroment variable for this. -`--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`). +`--sneaky` is a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`). -`--phone-out` instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this. +`--ids-friendly` is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. 
Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK. + +`--phone-out` instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this. ### SINGLE CHECK OPTIONS diff --git a/testssl.sh b/testssl.sh index 53b690c..09a0040 100755 --- a/testssl.sh +++ b/testssl.sh @@ -220,6 +220,7 @@ APPEND=${APPEND:-false} # append to csv/json file instead of ove [[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs? +OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS? ########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh " # 
@@ -15234,7 +15235,6 @@ help() { Alternatively: nmap output in greppable format (-oG) (1x port per line allowed) --mode Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter) --add-ca or a comma separated list of CA files will be added during runtime to all CA stores - --phone-out Allow to contact external servers for CRL download and querying OCSP responder single check as ("$PROG_NAME URI" does everything except -E and -g): -e, --each-cipher checks each local cipher remotely @@ -15281,6 +15281,8 @@ tuning / connect options (most also can be preset via environment variables): b) arg "one" means: just test the first DNS returns (useful for multiple IPs) -n, --nodns if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records --sneaky leave less traces in target logs: user agent, referer + --ids-friendly skips a few vulnerablity checks which may cause IDSs to block the scanning IP + --phone-out allow to contact external servers for CRL download and querying OCSP responder output options (can also be preset via environment variables): --warnings "batch" doesn't ask for a confirmation, "off" or "false" skips connection warnings @@ -15400,6 +15402,8 @@ SHOW_EACH_C: $SHOW_EACH_C SSL_NATIVE: $SSL_NATIVE ASSUME_HTTP $ASSUME_HTTP SNEAKY: $SNEAKY +OFFENSIVE: $OFFENSIVE +PHONE_OUT: $PHONE_OUT DEBUG: $DEBUG @@ -16834,10 +16838,10 @@ set_scanning_defaults() { do_beast=true do_lucky13=true do_breach=true - do_heartbleed=true - do_ccs_injection=true - do_ticketbleed=true - do_robot=true + do_heartbleed="$OFFENSIVE" + do_ccs_injection="$OFFENSIVE" + do_ticketbleed="$OFFENSIVE" + do_robot="$OFFENSIVE" do_crime=true do_freak=true do_logjam=true @@ -16854,7 +16858,11 @@ set_scanning_defaults() { do_server_preference=true do_tls_fallback_scsv=true do_client_simulation=true - VULN_COUNT=16 + if "$OFFENSIVE"; then + VULN_COUNT=16 + else + VULN_COUNT=12 + fi } # returns number of $do variables set = number of run_funcs() to perform 
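Review bot: in the @@ -15281 help-text hunk, "vulnerablity" is misspelled in the new `--ids-friendly` line ("skips a few vulnerablity checks"). Since the man page names the four checks that are skipped (heartbleed, CCS injection, ticketbleed, ROBOT), the help line would be more useful saying so too, e.g. "--ids-friendly skips heartbleed, CCS injection, ticketbleed and ROBOT checks which may cause IDSs to block the scanning IP".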
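Review bot: in the @@ -16854 hunk of set_scanning_defaults(), `if "$OFFENSIVE"; then` runs the variable's value as a command, so any value other than the literal `true`/`false` (an OFFENSIVE=no or OFFENSIVE=0 preset from the environment, which the new docs invite) prints "command not found" and silently falls into the else branch, while the four `do_*="$OFFENSIVE"` assignments in the @@ -16834 hunk carry that unexpected value onward. Suggest testing the value explicitly, `if [[ "$OFFENSIVE" == true ]]; then`, or normalizing OFFENSIVE to true/false once after it is read. The true/false VULN_COUNT block added here is also duplicated verbatim in the `-U|--vulnerable` case of parse_cmd_line(); computing the count in one place (or deriving it from the number of `do_*` flags set, which the comment right below says a helper already does) avoids the two copies drifting apart.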
@@ -17026,10 +17034,10 @@ parse_cmd_line() { ;; -U|--vulnerable) do_vulnerabilities=true - do_heartbleed=true - do_ccs_injection=true - do_ticketbleed=true - do_robot=true + do_heartbleed="$OFFENSIVE" + do_ccs_injection="$OFFENSIVE" + do_ticketbleed="$OFFENSIVE" + do_robot="$OFFENSIVE" do_renego=true do_crime=true do_breach=true @@ -17042,7 +17050,14 @@ parse_cmd_line() { do_beast=true do_lucky13=true do_rc4=true - VULN_COUNT=16 + if "$OFFENSIVE"; then + VULN_COUNT=16 + else + VULN_COUNT=12 + fi + ;; + --ids-friendly) + OFFENSIVE=false ;; -H|--heartbleed) do_heartbleed=true
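Review bot: the `--ids-friendly` case added in the @@ -17042 hunk only sets `OFFENSIVE=false`, but the preceding `-U|--vulnerable` case (@@ -17026) already copied `$OFFENSIVE` into do_heartbleed, do_ccs_injection, do_ticketbleed and do_robot at the moment `-U` was parsed. With the switches in the order `-U --ids-friendly` the four offensive checks therefore still run and VULN_COUNT stays 16; only `--ids-friendly -U` behaves as documented. Suggest keeping the `-U` case assigning `true` as before and applying OFFENSIVE once after the whole command line has been parsed (e.g. `if ! [[ "$OFFENSIVE" == true ]]; then do_heartbleed=false; do_ccs_injection=false; do_ticketbleed=false; do_robot=false; fi` with VULN_COUNT adjusted there), which also removes the order dependency for the OFFENSIVE environment preset. The explicit `-H|--heartbleed` case below is left untouched, so a user asking for that single check still gets it regardless of `--ids-friendly`; if that is intended, the man page should say so.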