Commit Graph

3810 Commits

Author SHA1 Message Date
Dirk 53bef583c6 add GCM in cipher description (debug info) 2020-09-14 19:33:07 +02:00
Dirk 772420cb42 Add two ECDHE_RSA GCM ciphersuites to prevent FPs for winshock
... they appeared later in SChannel, see

https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
https://notsomany.com/2016/08/26/achieve-a-on-sslabs-iis-8-5-windows-2012-r2/

On famous false positive I discovered by accident was nvd.nist.gov (sigh).
2020-09-14 19:26:18 +02:00
Vitalii Tverdokhlib 6fe8764f8d
upd alpine to 3.12
because error with libuv required for other packages. For example: 
Error relocating /usr/bin/node: uv_fs_lutime
2020-09-12 18:04:33 +03:00
Dirk Wetter e62a9b8446
Merge pull request #1721 from drwetter/run_ws_default_fix
Winshock should now run also per default
2020-09-09 15:30:05 +02:00
Dirk Wetter 2bdcdd5371 Winshock should now run also per default 2020-09-09 15:29:12 +02:00
Dirk Wetter 4a120d9a45
Merge pull request #1720 from drwetter/winshock_fingerprint_improvements
Remove false positive for winshock bc of wrong protocol
2020-09-09 13:22:07 +02:00
Dirk Wetter 023005f011 remove false positive for winshock bc of wrong protocol
Also a cipher exclusion list was added, see #1719
2020-09-09 12:15:23 +02:00
Dirk Wetter edf669711f
Merge pull request #1718 from drwetter/winshock
New feature: winshock
2020-09-08 22:11:36 +02:00
Dirk Wetter 0e54075a6a Reverse double dash option for vulnerabilities (cmd line) 2020-09-08 22:09:57 +02:00
Dirk Wetter 1f8e65104c Add winshock to documentation 2020-09-08 22:08:05 +02:00
Dirk Wetter 794bbe30af
Merge pull request #1710 from tosticated/3.1dev
Added check for certificate validity longer than 398 days
2020-09-08 15:37:07 +02:00
tosticated ad8a52ec4f Updated changelog and credits 2020-09-08 15:34:30 +02:00
Dirk Wetter fe7b51a3e2 remove hint in winshock 2020-09-08 13:42:50 +02:00
Dirk Wetter a1a0605082 add winshock 2020-09-08 13:42:33 +02:00
Dirk Wetter a511da4ce8 New feature: winshock
This commit implements a detection of Winshock from 2014 (aka MS14-066, CVE-2014-6321).

It does that by analyzing
* the ciphers supported -- MS' rollup patch introduced new GCM ciphers
* AND grabbing the server banner which should match IIS 8.0 oder IIS 8.5

Admittedly this is not a strong detection. But it worked in the cases I tested
(no RDP  yet). The other known method remotely testing for it against IIS is
using a patched openssl binary (see https://github.com/drwetter/testssl.sh/issues/331#issuecomment-211534954)
-- the diff "jules" (hi) provided a while back. That seems to stem from securitysift
albeit his decription was not complete and he didn't provide a PoC (I've
seen also polarssl +  a little bit of python here: https://vimeo.com/112089813

The catch is securitysift's method, is not as trivial to implement and it dosses the
sass.exe process, see: http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/.

* Todo: man page

This commit also removes -BB from the help. We haven't settled yet finally
where we go with short options for the cmd line for vulnerabilities. One
is for sure though: Using one letter uppercase doesn't scale. As winshock
can be executed with --WS and --winshock --BB brings that in line. For now
also -BB works (as -WS) but it isn't advertised anymore.
2020-09-08 12:37:50 +02:00
Dirk Wetter b6bab1e1b5
Merge pull request #1715 from drwetter/not_run_allciphers_et_al
Modify default for full 9 yrds run
2020-09-07 21:17:01 +02:00
Dirk Wetter e5d0b3eeac Modify default for full 9 yrds run
We don't need to execute run_cipher_per_proto() in addition here
2020-09-07 09:54:34 +02:00
Dirk Wetter eafeb904f4 Fix emptying of SERVICE variable in determine_service()
SERVICE global was previously set to $protocol which was
meant to set this for STARTTLS services. However it
was executes outside the corresponding if-statement.

This commit moves the statement where it belongs.
2020-09-03 14:22:53 +02:00
Dirk Wetter 35b79f65ee Add documentation for STARTTLS injection's cmd line flag
and also the modified one for ROBOT
2020-09-02 18:23:11 +02:00
Dirk Wetter 4a167f6ac5 Add openssl 1.1.1g into alpine docker image for STARTTLS injection 2020-09-02 17:44:11 +02:00
Dirk Wetter 3e6b1b971a Make Travis work again (STARTTLS injection)
For not vulnerable hosts the low level starttls_* functions
returned an error when the STARTTLS injection was tested which
confused Travis/CI ( "Oops: STARTTLS handshake failed (code: 2)" )
2020-09-02 17:35:42 +02:00
Dirk Wetter 1912230173 Show that we need socat for this check
but still do a soft fail here, also no warning, as we do not expect
to have everybody have socat installed
2020-08-31 18:29:59 +02:00
Dirk Wetter 7f4cf42ff4 Works now also for POP3 / IMAP
* Ensured the random char generation worked under every OS supported
* Got POP3 and IMAP working
* always define SERVICE so that we can us it also for SMTP starttls injection
* fixed error in starttls_smtp_dialog where arg1 was taken as payload instead of arg2
* squashed error msg when killed socat or openssl process to avoid mess on screen
  when processes already terminated
(* removed some redundant quotes at RHS if [[]] expressions)

todo:
* more tests for positives
* are tests for negatives sufficent? ("prove" is happy except one issue which
  is probably not related but still need to understand)
  For the record: t/25_baseline_starttls.t line 50 and 67:
   "Oops: STARTTLS handshake failed (code: 2)"
2020-08-31 17:14:56 +02:00
Dirk Wetter d424b0c649
Merge pull request #1711 from dcooper16/fix1699
Fix #1699
2020-08-31 17:08:10 +02:00
David Cooper 3973bc3364 Fix #1699
This commit fixes #1699 by setting FIRST_FINDING to true in fileout_banner() if $do_json_pretty is true.

When $do_json_pretty is true, fileout_banner() calls fileout_pretty_json_banner(), which starts a new sectio in the JSON file. Setting FIRST_FINDING to true ensures that a comma is not placed before the first entry in this new section. This is the same as is done in other places when a new section is stated: fileout_section_header() and fileout_insert_warning().
2020-08-31 10:35:19 -04:00
tosticated 47e9814baa Added check for certificate validity longer than 398 days 2020-08-31 16:21:32 +02:00
tosticated e3b62341ba Merge branch '3.1dev' of https://github.com/tosticated/testssl.sh into 3.1dev 2020-08-31 16:20:59 +02:00
tosticated 63620276cd Added check for certificate validity longer than 398 days 2020-08-31 16:20:27 +02:00
tosticated b315f5ac03 Added check for certificate validity longer than 398 days 2020-08-31 16:11:30 +02:00
Dirk Wetter a65e55522f Add sending payloads for POP and IMAP for starttls injection
* todo: parse the return strings for detection
* test ;-)
* check whether the random char thing works under every OS supported
* definition of five_random var
2020-08-29 10:20:35 +02:00
Dirk Wetter 5560e17b01 Cleanup stuff in run_starttls_injection() and more
run_starttls_injection():
* kill background openssl process when not needed anymore
* kill background socat process when not needed anymore
* close socket

add line in help() for STARTTLS injection

Furthermore:
* for close_socket() calls always add the fd (atm not needed)
* in help() rather advertise --BB instead of -BB
2020-08-29 09:17:17 +02:00
Dirk Wetter 32b5219206 Finalized SMTP
* addressed open issues from previous commit
* defined a cmd line switch

ToDos:
* help()
* POP
* IMAP
2020-08-28 18:25:51 +02:00
Dirk Wetter 6c966a5a7f Implementation of STARTTLS injection fo smtp
It's more a PoC style and needs some work
* use $OPENSSL or $OPENSSL2
* remove exit 0
* put run_starttls_injection below run_rc4
* test with more vulnerable servers

debugme1() was defined
2020-08-28 00:50:06 +02:00
Dirk Wetter 4f8fe42f0c Prepared smtp/lmtp to prepare for addition commands after STARTTLS 2020-08-27 23:03:05 +02:00
Dirk Wetter 09fb279510
Merge pull request #1707 from geert-hendrickx-be/3.1dev
`hostname` is not defined by POSIX, use portable `uname -n` instead.
2020-08-26 18:59:43 +02:00
Geert Hendrickx 09c276ffa2 `hostname` is not defined by POSIX, use portable `uname -n` instead. 2020-08-26 18:40:47 +02:00
Dirk Wetter af5cad9183 Additions to find_openssl_binary() for a new openssl version / cleanup()
This is a small cleanup of find_openssl_binary(). It tries also
to find a newer openssl version which we could need for any
new features. As stated in the comment at some point we should
decide whether we stick with our old version or rather supply
a new one. (xmpp-server is also not builtin for our 1.0.2) or
maybe find a good way (code) how to use both.

Also it looks for socat and if found it populates the according
global var.

It does a minor resort of global vars in the beginning.
2020-08-24 16:22:04 +02:00
Dirk Wetter b4cbe7674a
Merge pull request #1704 from drwetter/add_ca_dir
Allow dir with PEM files for --add-CA
2020-08-20 09:19:25 +02:00
Dirk Wetter ecc6cd8160 Allow dir with PEM files for --add-CA
Idea which popped up while following #1700
2020-08-18 21:52:59 +02:00
Dirk Wetter 565c93e53b
Merge pull request #1703 from drwetter/rapydblok
Add https://inspect.rapydblok.com
2020-08-14 10:21:36 +02:00
Dirk Wetter 7830a22b27
Merge pull request #1702 from drwetter/unrecognized_option--version
Phrase cmd line option "--version" & friends as standalone
2020-08-14 10:20:48 +02:00
Dirk e76de12047 Add https://inspect.rapydblok.com
Fixes #1689
2020-08-13 20:58:15 +02:00
Dirk Wetter 1d954233bd Document is in utf-8
See #1701
2020-08-13 20:43:54 +02:00
Dirk Wetter 953e1bd0ff Phrase --version & friends as standalone
This PR fixes #1671.

Primarily there's now an additional case statement in the main while loop
which just calls fatal() when it detects --help -b --banner -v or --version.

The documentation was also updated to reflect that.

(Some grammar and other errors which I stumbled over were corrected too)
2020-08-13 20:41:57 +02:00
Dirk Wetter a2929211b2
Merge pull request #1697 from drwetter/no_starttls_detection2
Trying to address no STARTTLS offerings (2)
2020-08-11 16:27:24 +02:00
Dirk Wetter ee7a21ef76
Merge pull request #1698 from drwetter/mitigate_javastore4rating
Don't penalize rating for CAs which aren't in the Java store
2020-08-11 16:25:25 +02:00
Dirk Wetter 1915a7b624 STARTTLS 2020-08-11 15:41:20 +02:00
Dirk Wetter 4653613211 Add mitigate_javastore4rating 2020-08-11 15:36:43 +02:00
Dirk Wetter c4841c83eb Don't penalize rating for CAs which aren't in the Java store
This fixes #1648.

Java store doesn't seem to be as complete. No downgrading of trust rating
to T but we still need to raise a red flag for some Java clients
2020-08-11 15:30:53 +02:00
Dirk Wetter ac6b64ce36 Trying to address no STARTTLS offerings (2)
This PR will replace #1566. It addresses that if the server side doesn't show STARTTLS
testssl.sh should exit and label it accordingly (see #1536).

For this to achieve starttls_just_send() was were changed so that a return value from of 3
signals the STARTTLS pattern wasn't found is passed back to the parent fd_socket() whcih
will then act accordingly.

Also:
  * starttls_full_read() + starttls_just_send() were improved for readability and debugging.
  * The caller of starttls_full_read() + starttls_just_send() had redundant indentations which were moved to the callee
  * minor bugs were squashed (e.g. ``fd_socket()``'s return values =!0 always  were referring to STARTTLS also when no STARTTLS was requested)

This was tested (negative + test and positive) for FTP and SMTP which worked as expected. For POP, IMAP and NNTP it should work
accordingly but I had trouble finding a server whcih DID NOT support STARTTLS.

All other protocols basically should also cause testssl.sh to bail out but haven't been tested either. However
here starttls_io() won't return 3. It returns 1 in a case of problems. It uses NR_STARTTLS_FAIL. If it's encountered 2+
times that STARTTLS fails it early exists using fatal(). So we maybe want to consider changing starttls_io() in the future
to also use return 3 in the case STARTTLS is not offered.
2020-08-11 12:01:28 +02:00