- fixes to changes from Peter's better cmd line parsing

- cosmetc improvements (vulneraibilities)
This commit is contained in:
Dirk 2015-04-09 21:42:52 +02:00
parent cb98920733
commit 5051eb3d5d

View File

@ -93,8 +93,14 @@ OSSL_VER_MAJOR=0
OSSL_VER_MINOR=0 OSSL_VER_MINOR=0
OSSL_VER_APPENDIX="none" OSSL_VER_APPENDIX="none"
NODEIP="" NODEIP=""
VULN_COUNT=0
IPS="" IPS=""
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP? SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
URI=""
# Devel stuff, see -q below
TLS_LOW_BYTE=""
HEX_CIPHER=""
# debugging help: # debugging help:
@ -389,6 +395,7 @@ runs_HTTP() {
#problems not handled: chunked #problems not handled: chunked
http_header() { http_header() {
outln; pr_blue "--> Testing HTTP Header response"; outln "\n" outln; pr_blue "--> Testing HTTP Header response"; outln "\n"
[ -z "$1" ] && url="/" || url="$1" [ -z "$1" ] && url="/" || url="$1"
if [ $SNEAKY -eq 0 ] ; then if [ $SNEAKY -eq 0 ] ; then
referer="Referer: http://google.com/" referer="Referer: http://google.com/"
@ -630,7 +637,7 @@ moreflags() {
egrep_pattern=$(echo $flags2test| sed -e 's/ /|\^/g' -e 's/^/\^/g') egrep_pattern=$(echo $flags2test| sed -e 's/ /|\^/g' -e 's/^/\^/g')
egrep -ai $egrep_pattern $HEADERFILE >$TMPFILE egrep -ai $egrep_pattern $HEADERFILE >$TMPFILE
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
outln " (none at \"$url\")" outln "(none at \"$url\")"
ret=1 ret=1
else else
ret=0 ret=0
@ -1450,8 +1457,9 @@ rc4() {
# is agnostic to the version of TLS/SSL, more: http://www.breachattack.com/ # is agnostic to the version of TLS/SSL, more: http://www.breachattack.com/
# foreign referers are the important thing here! # foreign referers are the important thing here!
breach() { breach() {
outln; pr_blue "--> Testing for BREACH (HTTP compression) vulnerability"; outln "\n" [ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for BREACH (HTTP compression) vulnerability" && outln "\n"
pr_bold " BREACH"; out " (CVE-2013-3587) =HTTP Compression " pr_bold " BREACH"; out " (CVE-2013-3587) =HTTP Compression "
url="$1" url="$1"
[ -z "$url" ] && url="/" [ -z "$url" ] && url="/"
if [ $SNEAKY -eq 0 ] ; then if [ $SNEAKY -eq 0 ] ; then
@ -1956,7 +1964,7 @@ ok_ids(){
ccs_injection(){ ccs_injection(){
# see https://www.openssl.org/news/secadv_20140605.txt # see https://www.openssl.org/news/secadv_20140605.txt
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607 # mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
outln; pr_blue "--> Testing for CCS injection vulnerability"; outln "\n" [ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for CCS injection vulnerability" && outln "\n"
pr_bold " CCS "; out " (CVE-2014-0224), experimental " pr_bold " CCS "; out " (CVE-2014-0224), experimental "
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null
@ -2054,10 +2062,10 @@ ccs_injection(){
return $ret return $ret
} }
# mainly adapted from https://gist.github.com/takeshixx/10107280
heartbleed(){ heartbleed(){
outln; pr_blue "--> Testing for heartbleed vulnerability"; outln "\n" [ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for heartbleed vulnerability" && outln "\n"
pr_bold " Heartbleed\c"; out " (CVE-2014-0160) " pr_bold " Heartbleed\c"; out " (CVE-2014-0160) "
# mainly adapted from https://gist.github.com/takeshixx/10107280
# determine TLS versions available: # determine TLS versions available:
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
@ -2160,6 +2168,9 @@ heartbleed(){
# This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974 # This tests for CVE-2009-3555 / RFC5746, OSVDB: 59968-59974
renego() { renego() {
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for Renegotiation vulnerability" && outln "\n"
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
ADDCMD="" ADDCMD=""
case "$OSSL_VER" in case "$OSSL_VER" in
0.9.8*) # we need this for Mac OSX unfortunately 0.9.8*) # we need this for Mac OSX unfortunately
@ -2167,17 +2178,16 @@ renego() {
[a-l]) [a-l])
pr_magenta "Your $OPENSSL $OSSL_VER cannot test the secure renegotiation vulnerability" pr_magenta "Your $OPENSSL $OSSL_VER cannot test the secure renegotiation vulnerability"
return 3 ;; return 3 ;;
[m-z]) [m-z]) # all ok
# all ok ;; ;;
esac ;; esac ;;
1.0.1*|1.0.2*) 1.0.1*|1.0.2*)
ADDCMD="-legacy_renegotiation" ;; ADDCMD="-legacy_renegotiation" ;;
0.9.9*|1.0*) 0.9.9*|1.0*)
# all ok ;; # all ok
;;
esac esac
outln; pr_blue "--> Testing for Renegotiation vulnerability"; outln "\n"
pr_bold " Secure Client-Initiated Renegotiation " # RFC 5746, community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE echo R | $OPENSSL s_client $ADDCMD $STARTTLS -connect $NODEIP:$PORT $SNI &>$TMPFILE
reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation reneg_ok=$? # 0=client is renegotiating and does not get an error: vuln to DoS via client initiated renegotiation
case $reneg_ok in case $reneg_ok in
@ -2203,24 +2213,19 @@ renego() {
crime() { crime() {
# in a nutshell: don't offer TLS/SPDY compression on the server side # in a nutshell: don't offer TLS/SPDY compression on the server side
#
# This tests for CRIME Vulnerability (www.ekoparty.org/2012/juliano-rizzo.php) on HTTPS, not SPDY (yet) # This tests for CRIME Vulnerability (www.ekoparty.org/2012/juliano-rizzo.php) on HTTPS, not SPDY (yet)
# Please note that it is an attack where you need client side control, so in regular situations this # Please note that it is an attack where you need client side control, so in regular situations this
# means anyway "game over", w/wo CRIME # means anyway "game over", w/wo CRIME
# www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html # www.h-online.com/security/news/item/Vulnerability-in-SSL-encryption-is-barely-exploitable-1708604.html
#
ADDCMD="" [ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for CRIME vulnerability" && outln "\n"
case "$OSSL_VER" in
# =< 0.9.7 was weeded out before
0.9.8)
ADDCMD="-no_ssl2" ;;
0.9.9*|1.0*)
;;
esac
outln; pr_blue "--> Testing for CRIME vulnerability"; outln "\n"
pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) " pr_bold " CRIME, TLS " ; out "(CVE-2012-4929) "
case "$OSSL_VER" in
0.9.8*) ADDCMD="-no_ssl2" ;;
0.9.9*|1.0*) ADDCMD="" ;;
esac
# first we need to test whether OpenSSL binary has zlib support # first we need to test whether OpenSSL binary has zlib support
$OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib $OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout </dev/null | grep -q zlib
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -2297,7 +2302,8 @@ tls_poodle() {
ssl_poodle() { ssl_poodle() {
local ret local ret
local cbc_ciphers local cbc_ciphers
outln; pr_blue "--> Testing for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSLv3"; outln "\n"
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption)" && outln "\n"
pr_bold " POODLE, SSL"; out " (CVE-2014-3566), experimental " pr_bold " POODLE, SSL"; out " (CVE-2014-3566), experimental "
cbc_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/CBC/ { print $1 }' | tr '\n' ':') cbc_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/CBC/ { print $1 }' | tr '\n' ':')
debugme echo $cbc_ciphers debugme echo $cbc_ciphers
@ -2321,7 +2327,8 @@ freak() {
local ret local ret
local exportrsa_ciphers local exportrsa_ciphers
local addtl_warning="" local addtl_warning=""
outln; pr_blue "--> Testing for FREAK attack"; outln "\n"
[ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for FREAK attack" && outln "\n"
pr_bold " FREAK "; out " (CVE-2015-0204), experimental " pr_bold " FREAK "; out " (CVE-2015-0204), experimental "
no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep "^EXP.*RSA" | wc -l) no_exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | egrep "^EXP.*RSA" | wc -l)
exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':') exportrsa_ciphers=$($OPENSSL ciphers -v 'ALL:eNULL' | awk '/^EXP.*RSA/ {print $1}' | tr '\n' ':')
@ -2365,7 +2372,7 @@ beast(){
local spaces=" " local spaces=" "
local cr=$'\n' local cr=$'\n'
outln; pr_blue "--> Testing for BEAST vulnerability"; outln "\n" [ $VULN_COUNT -le 1 ] && outln && pr_blue "--> Testing for BEAST vulnerability" && outln "\n"
pr_bold " BEAST"; out " (CVE-2011-3389) " pr_bold " BEAST"; out " (CVE-2011-3389) "
# 2) test handfull of common CBC ciphers # 2) test handfull of common CBC ciphers
@ -2554,7 +2561,7 @@ $PRG <options> URI
<-p|--protocols> check TLS/SSL protocols only <-p|--protocols> check TLS/SSL protocols only
<-S|--server_defaults> displays the servers default picks and certificate info <-S|--server_defaults> displays the servers default picks and certificate info
<-P|--preference> displays the servers picks: protocol+cipher <-P|--preference> displays the servers picks: protocol+cipher
<-y|--spdy> checks for SPDY/NPN <-y|--spdy|--npn> checks for SPDY/NPN
<-x|--single-ciphers-test> <pattern> tests matched <pattern> of cipher <-x|--single-ciphers-test> <pattern> tests matched <pattern> of cipher
<-B|--heartbleed> tests only for heartbleed vulnerability <-B|--heartbleed> tests only for heartbleed vulnerability
<-I|--ccs|--ccs_injection> tests only for CCS injection vulnerability <-I|--ccs|--ccs_injection> tests only for CCS injection vulnerability
@ -2913,15 +2920,10 @@ mx_allentries() {
} }
# This function intializes all used global variables # This function intializes all used global variables, meant primarily to keep track of them
# It's primarily meant to keep track of them (quite a lot, you see...) and # (strictly spoken unneccesary_
# strictly spoken unneccesary
initialize_globals() { initialize_globals() {
# variables protocol="" #FIXME
low_byte=""
hex_cipher=""
protocol=""
uri=""
# scan options (BOOLEANS) # scan options (BOOLEANS)
do_allciphers=false do_allciphers=false
@ -2968,8 +2970,9 @@ set_scanning_defaults() {
do_server_defaults=true do_server_defaults=true
do_spdy=true do_spdy=true
do_ssl_poodle=true do_ssl_poodle=true
do_starttls=true do_starttls=false
run_server_preference=true run_server_preference=true
VULN_COUNT=10
} }
@ -3004,43 +3007,56 @@ startup() {
-p|--protocols) -p|--protocols)
do_protocols=true do_protocols=true
do_spdy=true;; do_spdy=true;;
-y|--spdy|--npn)
do_spdy=true;;
-f|--ciphers) -f|--ciphers)
do_run_std_cipherlists=true;; do_run_std_cipherlists=true;;
-S|--server_defaults) -S|--server_defaults)
do_server_defaults=true;; do_server_defaults=true;;
-P|--server_preference) -P|--server_preference)
do_server_preference=true;; do_server_preference=true;;
-y|--spdy|--google) -H|--header|--headers)
do_spdy=true;; do_header=true;;
-B|--heartbleed) -B|--heartbleed)
do_heartbleed=true;; do_heartbleed=true
let "VULN_COUNT++" ;;
-I|--ccs|--ccs_injection) -I|--ccs|--ccs_injection)
do_ccs_injection=true;; do_ccs_injection=true
let "VULN_COUNT++" ;;
-R|--renegotiation) -R|--renegotiation)
do_renego=true;; do_renego=true
let "VULN_COUNT++" ;;
-C|--compression|--crime) -C|--compression|--crime)
do_crime=true;; do_crime=true
let "VULN_COUNT++" ;;
-T|--breach) -T|--breach)
do_breach=true;; do_breach=true
let "VULN_COUNT++" ;;
-O|--poodle) -O|--poodle)
do_ssl_poodle=true;; do_ssl_poodle=true
let "VULN_COUNT++" ;;
-F|--freak) -F|--freak)
do_freak=true;; do_freak=true
let "VULN_COUNT++" ;;
-A|--beast)
do_beast=true
let "VULN_COUNT++" ;;
-4|--rc4|--appelbaum) -4|--rc4|--appelbaum)
do_rc4=true;; do_rc4=true;;
-s|--pfs|--fs|--nsa) -s|--pfs|--fs|--nsa)
do_pfs=true;; do_pfs=true;;
-A|--beast)
do_beast=true;;
-H|--header|--headers)
do_header=true;;
-q) ### following is a development feature and will disappear: -q) ### following is a development feature and will disappear:
# DEBUG=3 ./testssl.sh -q 03 "cc, 13, c0, 13" google.de # DEBUG=3 ./testssl.sh -q 03 "cc, 13, c0, 13" google.de
# DEBUG=3 ./testssl.sh -q 01 yandex.ru # DEBUG=3 ./testssl.sh -q 01 yandex.ru
low_byte=$2 TLS_LOW_BYTE="$2"
hex_cipher=$3 if [ $# -eq 4 ]; then
HEX_CIPHER="$3"
shift
fi
shift
do_tls_sockets=true do_tls_sockets=true
shift 2;; echo $TLS_LOW_BYTE $HEX_CIPHER
;;
(--) shift (--) shift
break;; break;;
(-*) echo "$0: unrecognized option $1" 1>&2; exit 1;; (-*) echo "$0: unrecognized option $1" 1>&2; exit 1;;
@ -3055,17 +3071,17 @@ startup() {
exit 0 exit 0
fi fi
uri=$1 URI=$1
} }
################# main: ################# ################# main: #################
main() { main() {
# auto determine where bins are # auto determine where bins are
find_openssl_binary find_openssl_binary
mybanner mybanner
#PATH_TO_TESTSSL="$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"
PATH_TO_TESTSSL=$(readlink "$BASH_SOURCE") 2>/dev/null PATH_TO_TESTSSL=$(readlink "$BASH_SOURCE") 2>/dev/null
[ -z "$PATH_TO_TESTSSL" ] && PATH_TO_TESTSSL="." [ -z "$PATH_TO_TESTSSL" ] && PATH_TO_TESTSSL="."
@ -3074,18 +3090,17 @@ main() {
[ -r "$(dirname $PATH_TO_TESTSSL)/mapping-rfc.txt" ] && MAP_RFC_FNAME=$(dirname $PATH_TO_TESTSSL)"/mapping-rfc.txt" [ -r "$(dirname $PATH_TO_TESTSSL)/mapping-rfc.txt" ] && MAP_RFC_FNAME=$(dirname $PATH_TO_TESTSSL)"/mapping-rfc.txt"
initialize_globals initialize_globals
# TODO: ret variable could be changed to a global variable
# this would make the code probably a bit cleaner
ret=0 ret=0
startup "$@" startup "$@"
maketempf maketempf
parse_hn_port "${uri}" "${protocol}" parse_hn_port "${URI}" "${protocol}"
# OK, let's roll.. # OK, let's roll..
${do_mx_allentries} && { mx_allentries "${uri}"; ret=$(($? + ret)); } ${do_mx_allentries} && { mx_allentries "${URI}"; ret=$(($? + ret)); }
if ${do_prettyprint_local}; then if ${do_prettyprint_local}; then
initialize_engine # GOST support- initialize_engine # GOST support-
prettyprint_local "${uri}" prettyprint_local "${URI}"
fi fi
${do_test_just_one} && test_just_one ${single_cipher} ${do_test_just_one} && test_just_one ${single_cipher}
@ -3097,26 +3112,7 @@ main() {
${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); } ${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); }
${do_server_preference} && { server_preference; ret=$(($? + ret)); } ${do_server_preference} && { server_preference; ret=$(($? + ret)); }
${do_server_defaults} && { server_defaults; ret=$(($? + ret)); } ${do_server_defaults} && { server_defaults; ret=$(($? + ret)); }
${do_heartbleed} && { heartbleed; ret=$(($? + ret)); }
${do_ccs_injection} && { ccs_injection; ret=$(($? + ret)); }
${do_renego} && { renego; ret=$(($? + ret)); }
# if you can't do the time, don't do the crime ;)
${do_crime} && { crime; ret=$(($? + ret)); }
if ${do_breach}; then
#TODO: refactor this into breach()
if [[ $SERVICE != "HTTP" ]] ; then
pr_litemagentaln " Wrong usage: You're not targetting a HTTP service"
ret=$((2 + ret))
else
breach "$URL_PATH"
ret=$(($? + ret))
fi
fi
${do_ssl_poodle} && { ssl_poodle; ret=$(($? + ret)); }
${do_freak} && { freak; ret=$(($? + ret)); }
${do_rc4} && { rc4; ret=$(($? + ret)); }
${do_tls_sockets} && { tls_sockets ${low_byte} ${hex_cipher}; \
ret=$(($? + ret)); }
if ${do_header}; then if ${do_header}; then
#TODO: refactor this into other functions #TODO: refactor this into other functions
if [[ $SERVICE == "HTTP" ]]; then if [[ $SERVICE == "HTTP" ]]; then
@ -3130,6 +3126,34 @@ main() {
ret=$((2 + ret)) ret=$((2 + ret))
fi fi
fi fi
# vulnerabilities
if [ $VULN_COUNT -gt 1 ]; then
outln; pr_blue "--> Testing specific vulnerabilities"
outln "\n"
fi
${do_heartbleed} && { heartbleed; ret=$(($? + ret)); }
${do_ccs_injection} && { ccs_injection; ret=$(($? + ret)); }
${do_renego} && { renego; ret=$(($? + ret)); }
${do_crime} && { crime; ret=$(($? + ret)); }
if ${do_breach}; then
#TODO: refactor this into breach()
if [[ $SERVICE != "HTTP" ]] ; then
pr_litemagentaln " Wrong usage: You're not targetting a HTTP service"
ret=$((2 + ret))
else
breach "$URL_PATH"
ret=$(($? + ret))
fi
fi
${do_ssl_poodle} && { ssl_poodle; ret=$(($? + ret)); }
${do_freak} && { freak; ret=$(($? + ret)); }
${do_beast} && { beast; ret=$(($? + ret)); }
${do_rc4} && { rc4; ret=$(($? + ret)); }
${do_tls_sockets} && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; ret=$(($? + ret)); }
${do_pfs} && { pfs; ret=$(($? + ret)); } ${do_pfs} && { pfs; ret=$(($? + ret)); }
exit $ret exit $ret
@ -3138,5 +3162,5 @@ main() {
main "$@" main "$@"
# $Id: testssl.sh,v 1.220 2015/04/02 11:35:21 dirkw Exp $ # $Id: testssl.sh,v 1.221 2015/04/09 19:42:51 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5