- banner (openssl version build date, platform) slightly changed

- even clearer warning upon old openssl version (MacOSX!)
- oparoz hexdump patch
- heartbleed doesn't do a precheck anymore --> just sockets, as the precheck may lead to false negatives
  if the client was compiled with it disabled (FreeBSD)
Dirk 2014-11-19 13:22:22 +01:00
parent f2c44803ed
commit 99e472ac01


@ -86,6 +86,12 @@ IPS=""
# make sure that temporary files are cleaned up after use
trap cleanup QUIT EXIT
# The various hexdump commands we need to replace xxd (BSD compatability))
HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyse the reply
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
out() {
$ECHO "$1"
}
@ -524,7 +530,7 @@ std_cipherlists() {
socksend() {
data=`echo $1 | sed 's/tls_version/'"$2"'/g'`
[ $VERBOSE -eq 1 ] && echo "\"$data\""
out "$data" >&5 2>/dev/null &
printf $data >&5 2>/dev/null &
sleep $3
}
@ -1086,6 +1092,7 @@ ccs_injection(){
x00, x07, x00, x06, x00, x05, x00, x04,
x00, x03, x00, x02, x00, x01, x01, x00"
#msg=`echo "$client_hello" | grep -o '\bx[[:xdigit:]]\{2\}\b\|tls_version' | sed -e 's/x/\\\x/g' -e 's/tls_version/\\\tls_version/g' | tr -d '\n'`
msg=`echo "$client_hello" | sed -e 's/# .*$//g' -e 's/,/\\\/g' | sed -e 's/ //g' -e 's/[ \t]//g' | tr -d '\n'`
fd_socket 5 || return 6
@ -1096,7 +1103,7 @@ ccs_injection(){
if [ $VERBOSE -eq 1 ]; then
outln "\nserver hello:"
echo "$SOCKREPLY" | xxd -c32 | head -20
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
outln "[...]"
outln "\npayload #1 with TLS version $tls_hexcode:"
fi
@ -1105,7 +1112,7 @@ ccs_injection(){
sockread 2048 5 # 5 seconds
if [ $VERBOSE -eq 1 ]; then
outln "\n1st reply: "
out "$SOCKREPLY" | xxd -c32
out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
# ok: 15 | 0301 | 02 | 02 0a == ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
outln
outln "payload #2 with TLS version $tls_hexcode:"
@ -1117,14 +1124,14 @@ ccs_injection(){
if [ $VERBOSE -eq 1 ]; then
outln "\n2nd reply: "
out "$SOCKREPLY" | xxd -c32
out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}"
# not ok: 15 | 0301 | 02 | 02 | 15 == ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
# ok: 0a or nothing: ==> RST
outln
fi
reply_sanitized=`outln "$SOCKREPLY" | xxd -p | tr -cd '[:print:]' | sed 's/^..........//'`
lines=`echo "$SOCKREPLY" | xxd -c32 | wc -l`
reply_sanitized=`echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//'`
lines=`echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l`
if [ "$reply_sanitized" == "0a" ] || [ "$lines" -gt 1 ] ; then
green "not vulnerable (OK)"
@ -1143,19 +1150,7 @@ ccs_injection(){
heartbleed(){
bold " Heartbleed\c"; out " (CVE-2014-0160), experimental "
# see http://heartbleed.com/
$OPENSSL s_client -tlsextdebug 2>&1 | grep -wq '^usage'
if [ $? -eq 0 ]; then
magenta "Local problem: Your $OPENSSL cannot run the pretest for this - "
outln "continuing at your own risks"
fi
# we don't need SNI here:
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
grep "server extension" $TMPFILE | grep -wq heartbeat
if [ $? -ne 0 ]; then
greenln "No TLS heartbeat extension (OK)"
ret=0
else
# mainly adapted from https://gist.github.com/takeshixx/10107280
heartbleed_payload="\x18\x03\tls_version\x00\x03\x01\x40\x00"
@ -1214,6 +1209,7 @@ heartbleed(){
# Extension: Heartbeat
x00, x0f, x00, x01, x01"
#msg=`echo "$client_hello" | grep -o '\bx[[:xdigit:]]\{2\}\b\|tls_version' | sed -e 's/x/\\\x/g' -e 's/tls_version/\\\tls_version/g' | tr -d '\n'`
msg=`echo "$client_hello" | sed -e 's/# .*$//g' -e 's/,/\\\/g' | sed -e 's/ //g' -e 's/[ \t]//g' | tr -d '\n'`
fd_socket 5 || return 6
@ -1224,7 +1220,7 @@ heartbleed(){
if [ $VERBOSE -eq 1 ]; then
outln "\nserver hello:"
echo "$SOCKREPLY" | xxd -c32 | head -20
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
outln "[...]"
outln " sending payload with TLS version $tls_hexcode:"
fi
@ -1235,11 +1231,11 @@ heartbleed(){
if [ $VERBOSE -eq 1 ]; then
outln "\n heartbleed reply: "
echo "$SOCKREPLY" | xxd -c32
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}"
outln
fi
lines_returned=`echo "$SOCKREPLY" | xxd | wc -l`
lines_returned=`echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l`
if [ $lines_returned -gt 1 ]; then
red "VULNERABLE"
ret=1
@ -1249,7 +1245,6 @@ heartbleed(){
fi
[ $retval -eq 3 ] && green ", timed out"
outln
fi
close_socket
rm $TMPFILE
@ -1419,9 +1414,10 @@ find_openssl_binary() {
OSSL_VER_MAJOR=`echo "$OSSL_VER" | sed 's/\..*$//'`
OSSL_VER_MINOR=`echo "$OSSL_VER" | sed -e 's/^.\.//' | sed 's/\..*.//'`
OSSL_VER_APPENDIX=`echo "$OSSL_VER" | tr -d '[0-9.]'`
OSSL_VER_PLATFORM=`$OPENSSL version -p | sed 's/^platform: //'`
OSSL_BUILD_DATE=`$OPENSSL version -a | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//'`
echo $OSSL_BUILD_DATE | grep -q "not available" && OSSL_BUILD_DATE=""
export OPENSSL OSSL_VER OSSL_BUILD_DATE
export OPENSSL OSSL_VER OSSL_BUILD_DATE OSSL_VER_PLATFORM
case "$OSSL_VER" in
0.9.7*|0.9.6*|0.9.5*)
# 0.9.5a was latest in 0.9.5 an released 2000/4/1, that'll NOT suffice for this test
@ -1429,11 +1425,13 @@ find_openssl_binary() {
0.9.8)
case $OSSL_VER_APPENDIX in
a|b|c|d|e) old_fart;; # no SNI!
# other than that we leave this for MacOSX but it's a pain and no guarantees!
esac
;;
esac
if [ $OSSL_VER_MAJOR -lt 1 ]; then ## mm: Patch for libressl
magentaln "<Enter> at your own risk. $OPENSSL version < 1.0 is too old for this program"
outln
magentaln " ¡¡¡ <Enter> at your own risk !!!\n $OPENSSL version < 1.0 is too old"
read a
fi
return 0
@ -1554,8 +1552,9 @@ EOF
`
bold "$bb"
outln "\n"
outln "Using \"$osslver\" [$OSSL_BUILD_DATE]
on \"$hn:$osslpath\"\n"
outln " Using \"$osslver\" from
$hn:$osslpath
(built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
}
@ -1939,7 +1938,7 @@ case "$1" in
exit $ret ;;
esac
# $Id: testssl.sh,v 1.141 2014/11/18 22:12:54 dirkw Exp $
# $Id: testssl.sh,v 1.142 2014/11/19 12:22:21 dirkw Exp $
# vim:ts=5:sw=5
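Review bot: With the extension precheck removed from heartbleed(), the VULNERABLE verdict rests only on `[ $lines_returned -gt 1 ]`, i.e. on the reply filling more than one 16-byte hexdump line, so any longer reply would presumably be reported as vulnerable whatever it contains. The heartbeat request built in this function starts with record type `\x18`, so, assuming SOCKREPLY holds the raw record, the verdict could additionally require a heartbeat record, for example `echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | grep -q '^18'` before `red "VULNERABLE"`. The function also still ends with `rm $TMPFILE` although the visible lines that wrote that file were removed; if nothing else in heartbleed() creates it, that line should be dropped too. heartbleed() starts and ends outside the visible hunks, so both points need checking against the full function.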