drown additions

* also provide links to censys.io if there's drown detected
* remove SHOW_CENSYS_LINK variable
* calculate fingerprint upfront (if not done yet)
This commit is contained in:
Dirk 2017-07-20 17:44:00 +02:00
parent ad1dd01466
commit baeca77021
1 changed files with 25 additions and 26 deletions

View File

@ -232,7 +232,6 @@ else
MEASURE_TIME=${MEASURE_TIME:-false} MEASURE_TIME=${MEASURE_TIME:-false}
fi fi
DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both OpenSSL and RFC ciphernames in wide mode) DISPLAY_CIPHERNAMES="openssl" # display OpenSSL ciphername (but both OpenSSL and RFC ciphernames in wide mode)
SHOW_CENSYS_LINK=${SHOW_CENSYS_LINK:-true}
readonly UA_STD="TLS tester from $SWURL" readonly UA_STD="TLS tester from $SWURL"
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
@ -10281,8 +10280,19 @@ run_drown() {
fi fi
# if we want to use OPENSSL: check for < openssl 1.0.2g, openssl 1.0.1s if native openssl # if we want to use OPENSSL: check for < openssl 1.0.2g, openssl 1.0.1s if native openssl
pr_bold " DROWN"; out " ($cve) " pr_bold " DROWN"; out " ($cve) "
sslv2_sockets
# Any fingerprint that is placed in $RSA_CERT_FINGERPRINT_SHA2 is also added to
# to $CERT_FINGERPRINT_SHA2, so if $CERT_FINGERPRINT_SHA2 is not empty, but
# $RSA_CERT_FINGERPRINT_SHA2 is empty, then the server doesn't have an RSA certificate.
if [[ -z "$CERT_FINGERPRINT_SHA2" ]]; then
get_host_cert "-cipher aRSA"
[[ $? -eq 0 ]] && cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed -e 's/^.*Fingerprint=//' -e 's/://g' )"
else
cert_fingerprint_sha2="$RSA_CERT_FINGERPRINT_SHA2"
# cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
fi
sslv2_sockets
case $? in case $? in
7) # strange reply, couldn't convert the cipher spec length to a hex number 7) # strange reply, couldn't convert the cipher spec length to a hex number
pr_fixme "strange v2 reply " pr_fixme "strange v2 reply "
@ -10291,43 +10301,32 @@ run_drown() {
ret=7 ret=7
fileout "drown" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" "$cve" "$cwe" fileout "drown" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" "$cve" "$cwe"
;; ;;
3) # vulnerable 3) # vulnerable, [[ -n "$cert_fingerprint_sha2" ]] test is not needed as we should have RSA certificate here
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
debugme tm_out " ($lines lines) " debugme tm_out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
if [[ 0 -eq "$nr_ciphers_detected" ]]; then if [[ 0 -eq "$nr_ciphers_detected" ]]; then
prln_svrty_high "SSLv2 is supported but couldn't detect a cipher (NOT ok)"; fileout "drown" "HIGH" "SSLv2 is offered, but could not detect a cipher, Make sure you don't use this certificate elsewhere, see https://censys.io/ipv4?q=$cert_fingerprint_sha2" "$cve" "$cwe" "$hint"
fileout "drown" "HIGH" "SSLv2 is offered, but could not detect a cipher" "$cve" "$cwe" "$hint"
else else
prln_svrty_critical "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"; prln_svrty_critical "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers";
fileout "drown" "CRITICAL" "VULNERABLE, SSLv2 offered with $nr_ciphers_detected ciphers" "$cve" "$cwe" "$hint" fileout "drown" "CRITICAL" "VULNERABLE, SSLv2 offered with $nr_ciphers_detected ciphers. Make sure you don't use this certificate elsewhere, see https://censys.io/ipv4?q=$cert_fingerprint_sha2" "$cve" "$cwe" "$hint"
fi fi
outln "$spaces Make sure you don't use this certificate elsewhere, see:"
out "$spaces "
pr_url "https://censys.io/ipv4?q=$cert_fingerprint_sha2"
outln
fi fi
ret=1 ret=1
;; ;;
*) prln_done_best "not vulnerable on this port (OK)" *) prln_done_best "not vulnerable on this host and port (OK)"
fileout "drown" "OK" "not vulnerable to DROWN" "$cve" "$cwe" fileout "drown" "OK" "not vulnerable to DROWN on this host and port" "$cve" "$cwe"
# Any fingerprint that is placed in $RSA_CERT_FINGERPRINT_SHA2 is
# also added to $CERT_FINGERPRINT_SHA2, so if $CERT_FINGERPRINT_SHA2
# is not empty, but $RSA_CERT_FINGERPRINT_SHA2 is empty, then the server
# doesn't have an RSA certificate.
if [[ -z "$CERT_FINGERPRINT_SHA2" ]]; then
get_host_cert "-cipher aRSA"
[[ $? -eq 0 ]] && cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed -e 's/^.*Fingerprint=//' -e 's/://g' )"
else
cert_fingerprint_sha2="$RSA_CERT_FINGERPRINT_SHA2"
fi
if [[ -n "$cert_fingerprint_sha2" ]]; then if [[ -n "$cert_fingerprint_sha2" ]]; then
outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services" outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services"
if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then out "$spaces "
# not advertising it as it after 5 tries and account is needed pr_url "https://censys.io/ipv4?q=$cert_fingerprint_sha2"
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /} outln " could help you to find out"
out "$spaces " fileout "drown" "INFO" "make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://censys.io/ipv4?q=$cert_fingerprint_sha2"
pr_url "https://censys.io/ipv4?q=$cert_fingerprint_sha2"
outln " could help you to find out"
fileout "drown" "INFO" "make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://censys.io/ipv4?q=$cert_fingerprint_sha2"
fi
else else
outln "$spaces no RSA certificate, thus certificate can't be used with SSLv2 elsewhere" outln "$spaces no RSA certificate, thus certificate can't be used with SSLv2 elsewhere"
fileout "drown" "INFO" "no RSA certificate, thus certificate can't be used with SSLv2 elsewhere" fileout "drown" "INFO" "no RSA certificate, thus certificate can't be used with SSLv2 elsewhere"