- banner (opensssl version build date, platform) slightly changed
- even clearer warning upon old openssl version (MacOSX!) - oparoz hexdump patch - heartbleed doenst do a precheck anymore --> just sockets as it may lead to false negatives if the client was complied with it disabled (FreeBSD)
This commit is contained in:
parent
f2c44803ed
commit
99e472ac01
55
testssl.sh
55
testssl.sh
|
@ -86,6 +86,12 @@ IPS=""
|
|||
# make sure that temporary files are cleaned up after use
|
||||
trap cleanup QUIT EXIT
|
||||
|
||||
# The various hexdump commands we need to replace xxd (BSD compatability))
|
||||
HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on
|
||||
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyse the reply
|
||||
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
|
||||
|
||||
|
||||
out() {
|
||||
$ECHO "$1"
|
||||
}
|
||||
|
@ -524,7 +530,7 @@ std_cipherlists() {
|
|||
socksend() {
|
||||
data=`echo $1 | sed 's/tls_version/'"$2"'/g'`
|
||||
[ $VERBOSE -eq 1 ] && echo "\"$data\""
|
||||
out "$data" >&5 2>/dev/null &
|
||||
printf $data >&5 2>/dev/null &
|
||||
sleep $3
|
||||
}
|
||||
|
||||
|
@ -1086,6 +1092,7 @@ ccs_injection(){
|
|||
x00, x07, x00, x06, x00, x05, x00, x04,
|
||||
x00, x03, x00, x02, x00, x01, x01, x00"
|
||||
|
||||
#msg=`echo "$client_hello" | grep -o '\bx[[:xdigit:]]\{2\}\b\|tls_version' | sed -e 's/x/\\\x/g' -e 's/tls_version/\\\tls_version/g' | tr -d '\n'`
|
||||
msg=`echo "$client_hello" | sed -e 's/# .*$//g' -e 's/,/\\\/g' | sed -e 's/ //g' -e 's/[ \t]//g' | tr -d '\n'`
|
||||
|
||||
fd_socket 5 || return 6
|
||||
|
@ -1096,7 +1103,7 @@ ccs_injection(){
|
|||
|
||||
if [ $VERBOSE -eq 1 ]; then
|
||||
outln "\nserver hello:"
|
||||
echo "$SOCKREPLY" | xxd -c32 | head -20
|
||||
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
||||
outln "[...]"
|
||||
outln "\npayload #1 with TLS version $tls_hexcode:"
|
||||
fi
|
||||
|
@ -1105,7 +1112,7 @@ ccs_injection(){
|
|||
sockread 2048 5 # 5 seconds
|
||||
if [ $VERBOSE -eq 1 ]; then
|
||||
outln "\n1st reply: "
|
||||
out "$SOCKREPLY" | xxd -c32
|
||||
out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
||||
# ok: 15 | 0301 | 02 | 02 0a == ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
|
||||
outln
|
||||
outln "payload #2 with TLS version $tls_hexcode:"
|
||||
|
@ -1117,14 +1124,14 @@ ccs_injection(){
|
|||
|
||||
if [ $VERBOSE -eq 1 ]; then
|
||||
outln "\n2nd reply: "
|
||||
out "$SOCKREPLY" | xxd -c32
|
||||
out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}"
|
||||
# not ok: 15 | 0301 | 02 | 02 | 15 == ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
||||
# ok: 0a or nothing: ==> RST
|
||||
outln
|
||||
fi
|
||||
|
||||
reply_sanitized=`outln "$SOCKREPLY" | xxd -p | tr -cd '[:print:]' | sed 's/^..........//'`
|
||||
lines=`echo "$SOCKREPLY" | xxd -c32 | wc -l`
|
||||
reply_sanitized=`echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//'`
|
||||
lines=`echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l`
|
||||
|
||||
if [ "$reply_sanitized" == "0a" ] || [ "$lines" -gt 1 ] ; then
|
||||
green "not vulnerable (OK)"
|
||||
|
@ -1143,19 +1150,7 @@ ccs_injection(){
|
|||
|
||||
heartbleed(){
|
||||
bold " Heartbleed\c"; out " (CVE-2014-0160), experimental "
|
||||
# see http://heartbleed.com/
|
||||
$OPENSSL s_client -tlsextdebug 2>&1 | grep -wq '^usage'
|
||||
if [ $? -eq 0 ]; then
|
||||
magenta "Local problem: Your $OPENSSL cannot run the pretest for this - "
|
||||
outln "continuing at your own risks"
|
||||
fi
|
||||
# we don't need SNI here:
|
||||
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
|
||||
grep "server extension" $TMPFILE | grep -wq heartbeat
|
||||
if [ $? -ne 0 ]; then
|
||||
greenln "No TLS heartbeat extension (OK)"
|
||||
ret=0
|
||||
else
|
||||
|
||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||
heartbleed_payload="\x18\x03\tls_version\x00\x03\x01\x40\x00"
|
||||
|
||||
|
@ -1214,6 +1209,7 @@ heartbleed(){
|
|||
# Extension: Heartbeat
|
||||
x00, x0f, x00, x01, x01"
|
||||
|
||||
#msg=`echo "$client_hello" | grep -o '\bx[[:xdigit:]]\{2\}\b\|tls_version' | sed -e 's/x/\\\x/g' -e 's/tls_version/\\\tls_version/g' | tr -d '\n'`
|
||||
msg=`echo "$client_hello" | sed -e 's/# .*$//g' -e 's/,/\\\/g' | sed -e 's/ //g' -e 's/[ \t]//g' | tr -d '\n'`
|
||||
|
||||
fd_socket 5 || return 6
|
||||
|
@ -1224,7 +1220,7 @@ heartbleed(){
|
|||
|
||||
if [ $VERBOSE -eq 1 ]; then
|
||||
outln "\nserver hello:"
|
||||
echo "$SOCKREPLY" | xxd -c32 | head -20
|
||||
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20
|
||||
outln "[...]"
|
||||
outln " sending payload with TLS version $tls_hexcode:"
|
||||
fi
|
||||
|
@ -1235,11 +1231,11 @@ heartbleed(){
|
|||
|
||||
if [ $VERBOSE -eq 1 ]; then
|
||||
outln "\n heartbleed reply: "
|
||||
echo "$SOCKREPLY" | xxd -c32
|
||||
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}"
|
||||
outln
|
||||
fi
|
||||
|
||||
lines_returned=`echo "$SOCKREPLY" | xxd | wc -l`
|
||||
lines_returned=`echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l`
|
||||
if [ $lines_returned -gt 1 ]; then
|
||||
red "VULNERABLE"
|
||||
ret=1
|
||||
|
@ -1249,7 +1245,6 @@ heartbleed(){
|
|||
fi
|
||||
[ $retval -eq 3 ] && green ", timed out"
|
||||
outln
|
||||
fi
|
||||
|
||||
close_socket
|
||||
rm $TMPFILE
|
||||
|
@ -1419,9 +1414,10 @@ find_openssl_binary() {
|
|||
OSSL_VER_MAJOR=`echo "$OSSL_VER" | sed 's/\..*$//'`
|
||||
OSSL_VER_MINOR=`echo "$OSSL_VER" | sed -e 's/^.\.//' | sed 's/\..*.//'`
|
||||
OSSL_VER_APPENDIX=`echo "$OSSL_VER" | tr -d '[0-9.]'`
|
||||
OSSL_VER_PLATFORM=`$OPENSSL version -p | sed 's/^platform: //'`
|
||||
OSSL_BUILD_DATE=`$OPENSSL version -a | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//'`
|
||||
echo $OSSL_BUILD_DATE | grep -q "not available" && OSSL_BUILD_DATE=""
|
||||
export OPENSSL OSSL_VER OSSL_BUILD_DATE
|
||||
export OPENSSL OSSL_VER OSSL_BUILD_DATE OSSL_VER_PLATFORM
|
||||
case "$OSSL_VER" in
|
||||
0.9.7*|0.9.6*|0.9.5*)
|
||||
# 0.9.5a was latest in 0.9.5 an released 2000/4/1, that'll NOT suffice for this test
|
||||
|
@ -1429,11 +1425,13 @@ find_openssl_binary() {
|
|||
0.9.8)
|
||||
case $OSSL_VER_APPENDIX in
|
||||
a|b|c|d|e) old_fart;; # no SNI!
|
||||
# other than that we leave this for MacOSX but it's a pain and no guarantees!
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
if [ $OSSL_VER_MAJOR -lt 1 ]; then ## mm: Patch for libressl
|
||||
magentaln "<Enter> at your own risk. $OPENSSL version < 1.0 is too old for this program"
|
||||
outln
|
||||
magentaln " ¡¡¡ <Enter> at your own risk !!!\n $OPENSSL version < 1.0 is too old"
|
||||
read a
|
||||
fi
|
||||
return 0
|
||||
|
@ -1554,8 +1552,9 @@ EOF
|
|||
`
|
||||
bold "$bb"
|
||||
outln "\n"
|
||||
outln "Using \"$osslver\" [$OSSL_BUILD_DATE]
|
||||
on \"$hn:$osslpath\"\n"
|
||||
outln " Using \"$osslver\" from
|
||||
$hn:$osslpath
|
||||
(built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
|
||||
|
||||
}
|
||||
|
||||
|
@ -1939,7 +1938,7 @@ case "$1" in
|
|||
exit $ret ;;
|
||||
esac
|
||||
|
||||
# $Id: testssl.sh,v 1.141 2014/11/18 22:12:54 dirkw Exp $
|
||||
# $Id: testssl.sh,v 1.142 2014/11/19 12:22:21 dirkw Exp $
|
||||
# vim:ts=5:sw=5
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue