several improvements

timeout: the TLS ticket check has a timeout, so that early on non-reachable hosts are determined. If it is running into the timeout, it quits early. The timeout is configurable via environment e.g. TIMEOUT=16 ./ticketbleed.bash <host> Also other ports are allowed albeit it probably it is of limited use Supplying no arg is now more user-friendly
2024-12-29 04:49:44 +01:00 · 2017-06-09 12:45:22 +02:00 · 2017-06-09 12:45:22 +02:00 · 69fa8ca378
commit 69fa8ca378
parent 15219475e9
1 changed files with 41 additions and 9 deletions
--- a/utils/ticketbleed.bash
+++ b/utils/ticketbleed.bash
@ -8,19 +8,22 @@
 #
 ###### DON'T DO EVIL! USAGE AT YOUR OWN RISK. DON'T VIOLATE LAWS! #######

-readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
-trap "cleanup" QUIT EXIT
+[[ -z "$1" ]] && echo "IP is missing" && exit 1

-[[ -z "$1" ]] && exit 1
+readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+
+OPENSSL=${OPENSSL:-$(type -p openssl)}
+TIMEOUT=${TIMEOUT:-20}

 # insert some hexspeak here :-)
 SID="x00,x00,x0B,xAD,xC0,xDE,"               # don't forget the trailing comma

 NODE="$1"
-NODE="${NODE%:*}"			     # strip port if supplied
-PORT="443"				     # we curently support 443 only
+PORT="${NODE#*:}"
+PORT="${PORT-443}"                           # probably this doesn't make sense
+NODE="${NODE%:*}"                            # strip port if supplied
 TLSV=${2:-01}                                # TLS 1.0=x01  1.1=0x02, 1.2=0x3
-MAXSLEEP=10
+MAXSLEEP=$TIMEOUT
 SOCKREPLY=""
 COL_WIDTH=32
 DEBUG=${DEBUG:-"false"}
@ -215,10 +218,17 @@ cleanup() {

 get_sessticket() {
     local sessticket_str
+     local output

-     sessticket_str="$(openssl s_client -connect $NODE:$PORT </dev/null 2>/dev/null | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
-     sessticket_str="$(sed -e 's/^.* - /x/g' -e 's/  .*$//g' <<< "$sessticket_str" | tr '\n' ',')"
-     sed -e 's/ /,x/g' -e 's/-/,x/g' <<< "$sessticket_str"
+     output="$($OPENSSL s_client -connect $NODE:$PORT </dev/null 2>/dev/null)"
+     if ! grep -qw CONNECTED <<< "$output"; then
+        return 1
+     else
+        sessticket_str="$(awk '/TLS session ticket:/,/^$/' <<< "$output" | awk '!/TLS session ticket/')"
+        sessticket_str="$(sed -e 's/^.* - /x/g' -e 's/  .*$//g' <<< "$sessticket_str" | tr '\n' ',')"
+        sed -e 's/ /,x/g' -e 's/-/,x/g' <<< "$sessticket_str"
+        return 0
+    fi
 }

 #### main
@ -229,13 +239,33 @@ early_exit=true
 declare -a memory sid_detected
 nr_sid_detected=0

+
+# there are different "timeout". Check whether --preserve-status is supported
+if type -p timeout &>/dev/null ; then
+        if timeout --help 2>/dev/null | grep -q 'preserve-status'; then
+            OPENSSL="timeout --preserve-status $TIMEOUT $OPENSSL"
+        else
+            OPENSSL="timeout $TIMEOUT $OPENSSL"
+        fi
+else
+        echo " binary \"timeout\" not found. Continuing without it"
+        unset TIMEOUT
+fi
+
+
 echo
 "$DEBUG" && ( echo )
 echo "##### 1) Connect to determine 1x session ticket TLS"
 # attn! neither here nor in the following client hello we do SNI. Assuming this is a vulnebilty of the TLS implementation
 SESS_TICKET_TLS="$(get_sessticket)"
+if [[ $? -ne 0 ]]; then
+        echo >&2
+        echo -e "$NODE:$PORT ${magenta}not reachable / no TLS${normal}\n " >&2
+        exit 0
+fi
 [[ "$SESS_TICKET_TLS" == "," ]] && echo -e "${green}OK, not vulnerable${normal}, no session tickets\n" && exit 0

+trap "cleanup" QUIT EXIT
 "$DEBUG" && ( echo; echo )
 echo "##### 2) Sending 1 to 3 ClientHello(s) (TLS version 03,$TLSV) with this ticket and a made up SessionID"

@ -318,3 +348,5 @@ fi

 exit 0

+#  vim:ts=5:sw=5
+