#!/usr/bin/env bash # bash socket implementation of checking the availability of SSLv2 protocol # and ciphers on a remote server (loosely based on my bash-heartbleed implementation). # # Author: Dirk Wetter, GPLv2 see https://testssl.sh/LICENSE.txt # it helps to wireshark: # //openssl s_client -state -ssl2 -connect AA.BB.YYY.XXX:443 /openssl s_client -state -debug -ssl2 -connect AA.BB.YYY.XXX:443 " echo exit 1 } parse_hn_port() { PORT=443 # unless otherwise auto-determined, see below NODE="$1" # strip "https", supposed it was supplied additionally echo $NODE | grep -q 'https://' && NODE=`echo $NODE | sed -e 's/https\:\/\///' ` # strip trailing urlpath NODE=`echo $NODE | sed -e 's/\/.*$//'` # determine port, supposed it was supplied additionally echo $NODE | grep -q ':' && PORT=`echo $NODE | sed 's/^.*\://'` && NODE=`echo $NODE | sed 's/\:.*$//'` } # arg1: formatted string here in the code code2network() { NW_STR=`echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t'` } socksend_clienthello() { code2network "$SSLv2_CLIENT_HELLO" data=`echo $NW_STR` [[ "$DEBUG" -ge 3 ]] && echo "\"$data\"" printf -- "$data" >&5 2>/dev/null & sleep $USLEEP_SND } sockread_serverhello() { [[ "x$2" = "x" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2 ret=0 SOCK_REPLY_FILE=`mktemp /tmp/ddreply.XXXXXX` || exit 7 dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null & pid=$! while true; do if ! ps ax | grep -v grep | grep -q $pid; then break # didn't reach maxsleep yet kill $pid >&2 2>/dev/null fi sleep $USLEEP_REC maxsleep=$(($maxsleep - 1)) [[ $maxsleep -le 0 ]] && break done if ps ax | grep -v grep | grep -q $pid; then # time's up and dd is still alive --> timeout kill $pid >&2 2>/dev/null wait $pid 2>/dev/null ret=3 # means killed fi return $ret } display_sslv2serverhello() { # server hello: in hex representation, see below # byte 1+2: length of server hello 0123 # 3: 04=Handshake message, server hello 45 # 4: session id hit or not (boolean: 00=false, this 67 # is the normal case) # 5: certificate type, 01 = x509 89 # 6+7 version (00 02 = SSLv2) 10-13 # 8+9 certificate length 14-17 # 10+11 cipher spec length 17-20 # 12+13 connection id length # [certificate length] ==> certificate # [cipher spec length] ==> ciphers GOOD: HERE ARE ALL CIPHERS ALREADY! v2_hello_ascii=`hexdump -v -e '16/1 "%02X"' $1` [[ "$DEBUG" -eq 4 ]] && echo $v2_hello_ascii # one line without any blanks [[ -z $v2_hello_ascii ]] && return 0 # no server hello received # now scrape two bytes out of the reply per byte v2_hello_initbyte="${v2_hello_ascii:0:1}" # normally this belongs to the next, should be 8! v2_hello_length="${v2_hello_ascii:1:3}" # + 0x8000 see above v2_hello_handshake="${v2_hello_ascii:4:2}" v2_hello_cert_length="${v2_hello_ascii:14:4}" v2_hello_cipherspec_length="${v2_hello_ascii:18:4}" V2_HELLO_CIPHERSPEC_LENGTH=`printf "%d\n" "0x$v2_hello_cipherspec_length"` if [[ $v2_hello_initbyte != "8" ]] || [[ $v2_hello_handshake != "04" ]]; then [[ $DEBUG -ge 1 ]] && echo "$v2_hello_initbyte / $v2_hello_handshake" return 1 fi if [[ $DEBUG -ge 2 ]]; then echo "SSLv2 server hello length: 0x0$v2_hello_length" echo "SSLv2 certificate length: 0x$v2_hello_cert_length" echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length" fi return 0 } #### main [[ -z "$1" ]] && help # hostname echo parse_hn_port "$1" if ! exec 5<> /dev/tcp/$NODE/$PORT; then echo "`basename $0`: unable to connect to $NODE:$PORT" exit 2 fi # socket is now open with fd 5 [[ "$DEBUG" -ge 1 ]] && printf "sending client hello...\n\n" socksend_clienthello sockread_serverhello 32768 0 [[ "$DEBUG" -ge 1 ]] && printf "\nreading server hello...\n\n" if [[ "$DEBUG" -eq 3 ]]; then #xxd -c$COL_WIDTH $SOCK_REPLY_FILE | head -3 #hexdump -v -e '"%04_ax: " 16/1 "%02X " "\n"' $SOCK_REPLY_FILE | head -6 hexdump -C $SOCK_REPLY_FILE | head -6 echo fi display_sslv2serverhello "$SOCK_REPLY_FILE" # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL lines=`cat "$SOCK_REPLY_FILE" 2>/dev/null | hexdump -C | wc -l` printf "Protocol: "; tput bold if [[ "$lines" -gt 1 ]] ;then tput setaf 1; printf "available with $(($V2_HELLO_CIPHERSPEC_LENGTH / 3 )) ciphers" ret=0 else tput setaf 2; printf "NOT available" ret=1 fi tput sgr0 [[ "$DEBUG" -ge 2 ]] && printf " ($lines lines)" echo # closing fd: exec 5<&- exec 5>&- rm $SOCK_REPLY_FILE echo exit 0 #test: dragon, simhq.com=gryphon1.gryphoninternet.com misim.gov.il, shop4-heating.co.uk, service.hamburgwasser.de # 74.116.0.167 147.237.80.2 85.92.77.27 # vim:tw=110:ts=5:sw=5 # $Id: prototype.ssl2proto-check.bash,v 1.10 2015/09/25 19:02:24 dirkw Exp $