Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-09-10 05:52:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

Change logic and add conservative value for -n/--nodns (#935)

Browse Source 
This PR changes the logic the no-DNS switch works. The switch
now expects a value. "min" does minimum lookups, "none" does
no lookups at all (details see testssl.sh(1) ). "none" is
equivalent to the paranoid (boolean) value "true" before.
This commit is contained in:
Dirk
2018-04-12 00:19:52 +02:00
parent 1984d7fc90
commit 557942cb0a
4 changed files with 57 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
testssl.sh
View File

@ -194,7 +194,7 @@ HTMLFILE="${HTMLFILE:-""}" # HTML if used
FNAME=${FNAME:-""} # file name to read commands from
FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefix
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
NODNS=${NODNS:-false} # always do DNS lookups per default. For some pentests it might save time to set this to true
# NODNS=${NODNS:-"no"} # if unset it does all DNS lookups per default. "min" only for hosts or "none" at all
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
@ -6945,8 +6945,8 @@ certificate_info() {
all_caa=${all_caa%, } # strip trailing comma
pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent " $TERM_WIDTH)"
fileout "${json_prefix}CAA_record" "OK" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 (check for match): \"$all_caa\" "
elif "$NODNS"; then
pr_warning "(was instructed to not use DNS)"
elif [[ -n "$NODNS" ]]; then
pr_warning "(instructed to minimize DNS queries)"
fileout "${json_prefix}CAA_record" "WARN" "DNS Certification Authority Authorization (CAA) Resource Record / RFC6844 : test skipped as instructed"
else
pr_svrty_low "not offered"
@ -13470,7 +13470,7 @@ tuning / connect options (most also can be preset via environment variables):
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
-n, --nodns do not try any DNS lookup
-n, --nodns [min|none] if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
--sneaky leave less traces in target logs: user agent, referer
output options (can also be preset via environment variables):
@ -13956,7 +13956,7 @@ get_a_record() {
local ip4=""
local saved_openssl_conf="$OPENSSL_CONF"
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
[[ "$NODNS" == none ]] && return 0 # if no DNS lookup was instructed, leave here
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
check_resolver_bins
if [[ "$NODE" == *.local ]]; then
@ -13996,7 +13996,7 @@ get_aaaa_record() {
local ip6=""
local saved_openssl_conf="$OPENSSL_CONF"
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
[[ "$NODNS" == none ]] && return 0 # if no DNS lookup was instructed, leave here
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
check_resolver_bins
if [[ -z "$ip6" ]]; then
@ -14033,7 +14033,7 @@ get_caa_rr_record() {
local saved_openssl_conf="$OPENSSL_CONF"
local all_caa=""
"$NODNS" && return 0 # if no DNS lookup was instructed, leave here
[[ -n "$NODNS" ]] && return 0 # if minimum DNS lookup was instructed, leave here
# if there's a type257 record there are two output formats here, mostly depending on age of distribution
# rougly that's the difference between text and binary format
# 1) 'google.com has CAA record 0 issue "symantec.com"'
@ -14134,7 +14134,19 @@ determine_ip_addresses() {
local ip6=""
ip4=$(get_a_record $NODE)
ip6=$(get_aaaa_record $NODE)
# Get_a_record / get_aaaa_record returns immediately if NODNS is "none",
# however there are edge case we want to consider to avoid an unnecessary lookup.
# If we have an IPv4 record already and minimum DNS lookups were requested the IPv6 lookup can be skipped.
# It needs to be done though if an IPv6 check was requested and the IPv4 lookup failed.
if [[ -n "$ip4" ]] && [[ -n "$NODNS" ]]; then
:
elif [[ -z "$NODNS" ]]; then
ip6=$(get_aaaa_record $NODE)
elif [[ -z "$ip4" ]] && [[ "$NODNS" == min ]] && "$HAS_IPv6"; then
ip6=$(get_aaaa_record $NODE)
else
outln "fixme"
fi
IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")
if [[ -n "$CMDLINE_IP" ]]; then
@ -14195,9 +14207,10 @@ determine_ip_addresses() {
determine_rdns() {
local saved_openssl_conf="$OPENSSL_CONF"
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
local nodeip=""
"$NODNS" && rDNS="--" && return 0
[[ -n "$NODNS" ]] && rDNS="(instructed to minimize DNS queries)" && return 0 # PTR records were not asked for
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
check_resolver_bins
if [[ "$NODE" == *.local ]]; then
@ -14459,22 +14472,29 @@ display_rdns_etc() {
outln "$PROXYIP:$PROXYPORT "
fi
if [[ $(count_words "$IP46ADDRs") -gt 1 ]]; then
out " further IP addresses: $CORRECT_SPACES"
for ip in $IP46ADDRs; do
if [[ "$ip" == "$NODEIP" ]] || [[ "[$ip]" == "$NODEIP" ]]; then
continue
else
further_ip_addrs+="$ip "
fi
done
outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)"
out " Further IP addresses: $CORRECT_SPACES"
if [[ -n "$NODNS" ]]; then
prln_warning "(instructed to minimize DNS queries)"
else
for ip in $IP46ADDRs; do
if [[ "$ip" == "$NODEIP" ]] || [[ "[$ip]" == "$NODEIP" ]]; then
continue
else
further_ip_addrs+="$ip "
fi
done
outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)"
fi
fi
if "$LOCAL_A"; then
outln " A record via $CORRECT_SPACES /etc/hosts "
elif [[ -n "$CMDLINE_IP" ]]; then
outln " A record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
fi
if [[ -n "$rDNS" ]]; then
if [[ "$rDNS" =~ instructed ]]; then
out "$(printf " %-23s %s" "rDNS ($nodeip):")"
pr_warning "$rDNS"
elif [[ -n "$rDNS" ]]; then
out "$(printf " %-23s %s" "rDNS ($nodeip):")"
out "$(out_row_aligned_max_width "$rDNS" " $CORRECT_SPACES" $TERM_WIDTH)"
fi
@ -15145,7 +15165,11 @@ parse_cmd_line() {
fi
;;
-n|--nodns)
NODNS=true
NODNS="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift
if [[ "$NODNS" != none ]] && [[ "$NODNS" != min ]]; then
fatal "Value for nodns switch can be either \"min\" or \"none\""
fi
;;
-V|-V=*|--local|--local=*) # attention, this could have a value or not!
do_display_only=true
@ -15519,7 +15543,7 @@ parse_cmd_line() {
done
# Show usage if no further options were specified
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! $do_display_only; then
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! "$do_display_only"; then
fatal "URI missing" "1"
else
# left off here is the URI
@ -15527,7 +15551,8 @@ parse_cmd_line() {
# parameter after URI supplied:
[[ -n "$2" ]] && fatal "URI comes last" "1"
fi
[[ $CMDLINE_IP == "one" ]] && "$NODNS" && fatal "\"--ip=one\" and \"--nodns\" doesn't work together"
[[ $CMDLINE_IP == one ]] && [[ "$NODNS" == none ]] && fatal "\"--ip=one\" and \"--nodns=none\" don't work together" 2
"$do_mx_all_ips" && [[ "$NODNS" == none ]] && fatal "\"--mx\" and \"--nodns=none\" don't work together" 2
[[ "$DEBUG" -ge 5 ]] && debug_globals
# if we have no "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified