From 69fa8ca3786492d2415b7a89fe4ab5fcd17ef85e Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 9 Jun 2017 12:45:22 +0200 Subject: [PATCH] several improvements timeout: the TLS ticket check has a timeout, so that early on non-reachable hosts are determined. If it is running into the timeout, it quits early. The timeout is configurable via environment e.g. TIMEOUT=16 ./ticketbleed.bash Also other ports are allowed albeit it probably it is of limited use Supplying no arg is now more user-friendly --- utils/ticketbleed.bash | 50 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 41 insertions(+), 9 deletions(-) diff --git a/utils/ticketbleed.bash b/utils/ticketbleed.bash index 3db93d9..b223e1e 100755 --- a/utils/ticketbleed.bash +++ b/utils/ticketbleed.bash @@ -8,19 +8,22 @@ # ###### DON'T DO EVIL! USAGE AT YOUR OWN RISK. DON'T VIOLATE LAWS! ####### -readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' -trap "cleanup" QUIT EXIT +[[ -z "$1" ]] && echo "IP is missing" && exit 1 -[[ -z "$1" ]] && exit 1 +readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + +OPENSSL=${OPENSSL:-$(type -p openssl)} +TIMEOUT=${TIMEOUT:-20} # insert some hexspeak here :-) SID="x00,x00,x0B,xAD,xC0,xDE," # don't forget the trailing comma NODE="$1" -NODE="${NODE%:*}" # strip port if supplied -PORT="443" # we curently support 443 only +PORT="${NODE#*:}" +PORT="${PORT-443}" # probably this doesn't make sense +NODE="${NODE%:*}" # strip port if supplied TLSV=${2:-01} # TLS 1.0=x01 1.1=0x02, 1.2=0x3 -MAXSLEEP=10 +MAXSLEEP=$TIMEOUT SOCKREPLY="" COL_WIDTH=32 DEBUG=${DEBUG:-"false"} @@ -215,10 +218,17 @@ cleanup() { get_sessticket() { local sessticket_str + local output - sessticket_str="$(openssl s_client -connect $NODE:$PORT /dev/null | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')" - sessticket_str="$(sed -e 's/^.* - /x/g' -e 's/ .*$//g' <<< "$sessticket_str" | tr '\n' ',')" - sed -e 's/ /,x/g' -e 's/-/,x/g' <<< "$sessticket_str" + output="$($OPENSSL s_client -connect $NODE:$PORT /dev/null)" + if ! grep -qw CONNECTED <<< "$output"; then + return 1 + else + sessticket_str="$(awk '/TLS session ticket:/,/^$/' <<< "$output" | awk '!/TLS session ticket/')" + sessticket_str="$(sed -e 's/^.* - /x/g' -e 's/ .*$//g' <<< "$sessticket_str" | tr '\n' ',')" + sed -e 's/ /,x/g' -e 's/-/,x/g' <<< "$sessticket_str" + return 0 + fi } #### main @@ -229,13 +239,33 @@ early_exit=true declare -a memory sid_detected nr_sid_detected=0 + +# there are different "timeout". Check whether --preserve-status is supported +if type -p timeout &>/dev/null ; then + if timeout --help 2>/dev/null | grep -q 'preserve-status'; then + OPENSSL="timeout --preserve-status $TIMEOUT $OPENSSL" + else + OPENSSL="timeout $TIMEOUT $OPENSSL" + fi +else + echo " binary \"timeout\" not found. Continuing without it" + unset TIMEOUT +fi + + echo "$DEBUG" && ( echo ) echo "##### 1) Connect to determine 1x session ticket TLS" # attn! neither here nor in the following client hello we do SNI. Assuming this is a vulnebilty of the TLS implementation SESS_TICKET_TLS="$(get_sessticket)" +if [[ $? -ne 0 ]]; then + echo >&2 + echo -e "$NODE:$PORT ${magenta}not reachable / no TLS${normal}\n " >&2 + exit 0 +fi [[ "$SESS_TICKET_TLS" == "," ]] && echo -e "${green}OK, not vulnerable${normal}, no session tickets\n" && exit 0 +trap "cleanup" QUIT EXIT "$DEBUG" && ( echo; echo ) echo "##### 2) Sending 1 to 3 ClientHello(s) (TLS version 03,$TLSV) with this ticket and a made up SessionID" @@ -318,3 +348,5 @@ fi exit 0 +# vim:ts=5:sw=5 +