-
Notifications
You must be signed in to change notification settings - Fork 0
/
TLSSLed.sh
executable file
·321 lines (273 loc) · 10.1 KB
/
TLSSLed.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
#!/usr/bin/env bash
#
# Tool: TLSSLed.sh
#
# Description:
# Script to extract the most relevant security details from a
# target SSL/TLS HTTPS implementation by using sslscan & openssl.
#
# Author: Raul Siles (raul _AT_ taddong _DOT_ com)
# Taddong SL (www.taddong.com)
# Date: 2011-10-18
# Version: 1.2
#
# - New in version 1.2:
# - Mac OS X support: sed regex switch changed - by [ anonymous ].
# - Test if target service speaks SSL/TLS - by Abraham Aranguren (AA).
# For performance reasons, this test has been merged with the SSL/TLS
# renegotiation test.
# - Optimizations by removing cat usage in grepping for findings - by AA.
# - New initial tests to check for the tool prerequisites: openssl & sslscan.
# - Test for TLS v1.1 and v1.2 support (CVE-2011-3389 aka BEAST).
# The tests also include checking for SSLv3 and TLSv1 support.
# - Log files names changed from host:port to host_port and ":" removed
# from the time portion of the date command, to be able to copy them
# to Windows based file systems:
# (In Windows ":" is not allowed in a filename, while "_" is).
#
# - New in version 1.1:
# - Cert public key length, subject, issuer, and validiy period.
# - Test HTTP(S) secure headers: Strict-Transport-Security (STS), and
# cookies with and without the secure flag.
# - NOTE: openssl output is now saved to files too.
#
# - Current SSL/TLS tests: (version 1.0)
# SSLv2, NULL cipher, weak ciphers -key length-, strong ciphers -AES-,
# MD5 signed cert, and SSL/TLS renegotiation.
#
#
# Requires:
# - sslscan
# https://sourceforge.net/projects/sslscan/
# - openssl
# http://www.openssl.org
#
# Credits:
# - Version 1.0 based on ssl_test.sh by Aung Khant, http://yehg.net.
# - Abraham Aranguren (AA) - http://securityconscious.blogspot.com (v1.2)
#
#
# /**************************************************************************
# * Copyright 2011 by Taddong SL (Raul Siles) *
# * *
# * This program is free software; you can redistribute it and/or modify *
# * it under the terms of the GNU General Public License as published by *
# * the Free Software Foundation; either version 3 of the License, or *
# * (at your option) any later version. *
# * *
# * This program is distributed in the hope that it will be useful, *
# * but WITHOUT ANY WARRANTY; without even the implied warranty of *
# * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
# * GNU General Public License for more details. *
# * *
# * You should have received a copy of the GNU General Public License *
# * along with this program. If not, see <http://www.gnu.org/licenses/>. *
# * *
# **************************************************************************/
#
VERSION=1.2
# This script does not filter the input from certain commands, hence it might
# be vulnerable to local input command manipulation, such as in uname.
# v1.2: Mac OS X (Darwin) support.
# sed regexes in Linux use the -r switch, and in non-GNU systems the -E switch.
SED_ARG_REGEX=-r
if [ "$(uname)" == "Darwin" ] ; then
SED_ARG_REGEX=-E
fi
echo ------------------------------------------------------
echo " TLSSLed - ($VERSION) based on sslscan and openssl"
echo " by Raul Siles (www.taddong.com)"
echo ------------------------------------------------------
if [ -z `which openssl` ] ;then echo; echo "ERROR: openssl command not found!"; exit; fi
if [ -z `which sslscan` ] ;then echo; echo "ERROR: sslscan command not found!"; exit; fi
OPENSSLVERSION=$(openssl version)
SSLSCANVERSION=$(sslscan --version | grep version | sed ${SED_ARG_REGEX} "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
echo + openssl version: $OPENSSLVERSION
echo + $SSLSCANVERSION
echo ------------------------------------------------------
echo
if [ $# -ne 2 ]; then
echo Usage: $0 HOSTNAME_or_IP PORT
exit
fi
HOST=$1
PORT=$2
echo [-] Analyzing SSL/TLS on $HOST:$PORT ..
echo
# Run sslcan once, store the results to a log file and
# analyze that file for all the different tests:
DATE=$(date +%F_%R:%S | sed 's/://g')
TARGET=$HOST\_$PORT
LOGFILE=sslscan\_$TARGET\_$DATE.log
ERRFILE=sslscan\_$TARGET\_$DATE.err
RENEGLOGFILE=openssl\_RENEG\_$TARGET\_$DATE.log
RENEGERRFILE=openssl\_RENEG\_$TARGET\_$DATE.err
HEADLOGFILE=openssl\_HEAD\_$TARGET\_$DATE.log
HEADERRFILE=openssl\_HEAD\_$TARGET\_$DATE.err
# Check if the target service speaks SSL/TLS (& check renegotiation)
(echo R; sleep 5) | openssl s_client -connect $HOST:$PORT > $RENEGLOGFILE 2> $RENEGERRFILE &
pid=$!
sleep 5
SSL_HANDSHAKE_LINES=$(cat $RENEGLOGFILE | wc -l)
if [ $SSL_HANDSHAKE_LINES -lt 5 ] ; then
# SSL handshake failed - Non SSL/TLS service
# If the target service does not speak SSL/TLS, openssl does not
# terminate
kill -s SIGINT ${pid}
echo "[+] ERROR: The target service $HOST:$PORT does not seem"
echo " to speak SSL/TLS or is not available!!"
echo
exit
else
# SSL handshake succeded - Continue
echo "[*] The target service $HOST:$PORT seems to speak SSL/TLS..."
echo
fi
echo
echo [-] Running sslscan on $HOST:$PORT...
sslscan $HOST:$PORT > $LOGFILE 2> $ERRFILE
echo
echo [*] Testing for SSLv2 ...
grep "Accepted SSLv2" $LOGFILE
echo
echo [*] Testing for NULL cipher ...
grep "NULL" $LOGFILE | grep Accepted
echo
echo [*] Testing for weak ciphers \(based on key length\) ...
grep " 40 bits" $LOGFILE | grep Accepted
echo
grep " 56 bits" $LOGFILE | grep Accepted
echo
echo [*] Testing for strong ciphers \(AES\) ...
grep "AES" $LOGFILE | grep Accepted
echo
echo [*] Testing for MD5 signed certificate ...
#cat $LOGFILE | grep -E 'MD5WithRSAEncryption|md5WithRSAEncryption'
grep -i 'MD5WithRSAEncryption' $LOGFILE
echo
echo [*] Testing for certificate public key length ...
grep -i 'RSA Public Key' $LOGFILE
echo
echo [*] Testing for certificate subject ...
grep -i 'Subject:' $LOGFILE
echo
echo [*] Testing for certificate CA issuer ...
grep -i 'Issuer:' $LOGFILE
echo
echo [*] Testing for certificate validity period ...
NOW=$(date -u)
echo " Today: $NOW"
grep -i 'Not valid' $LOGFILE
echo
echo [*] Checking preferred server ciphers ...
# v1.1:
# cat $LOGFILE | sed '/Prefered Server Cipher(s):/,/^$/!d' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"
#
cat $LOGFILE | sed '/Prefered Server Cipher(s):/,/^$/!d' | sed ${SED_ARG_REGEX} "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"
echo
echo
echo [-] Testing for SSLv3/TLSv1 renegotiation vuln. \(CVE-2009-3555\) ...
#echo [*] echo R \| openssl s_client -connect $HOST:$PORT \| grep "DONE"
#
# Renegotiation details go to stderr (2>)
#
# if $OPENSSLVERSION is updated (version?) it supports RFC5746 and will print:
# Secure Renegotiation IS NOT supported
# Secure Renegotiation IS supported
#
# Executed as the first step to check if target service supports SSL/TLS:
#
# (echo R; sleep 5) | openssl s_client -connect $HOST:$PORT > $RENEGLOGFILE 2> $RENEGERRFILE
echo
echo [*] Testing for secure renegotiation ...
grep -E "Secure Renegotiation IS" $RENEGLOGFILE
echo
echo
echo [-] Testing for TLS v1.1 and v1.2 \(CVE-2011-3389 aka BEAST\) ...
# Test for SSLv3 and TLSv1 support first (from sslscan)
echo
echo [*] Testing for SSLv3 and TLSv1 support first ...
grep "Accepted SSLv3" $LOGFILE
grep "Accepted TLSv1" $LOGFILE
#
# Connection details go to stderr (2>) and, therefore, to a variable:
#
# if $OPENSSLVERSION is updated (version >= 1.0.1-stable) it supports
# TLS v1.1 & v1.2, if not, the openssl help is displayed in the command output
#
# Example of server that supports all SSL and TLS versions:
# tls.woodgrovebank.com:443 (Microsoft) (20111012)
OUTPUT_TLS1_1=$((sleep 5; echo QUIT) | openssl s_client -tls1_1 -connect $HOST:$PORT 2>&1)
OUTPUT_TLS1_2=$((sleep 5; echo QUIT) | openssl s_client -tls1_2 -connect $HOST:$PORT 2>&1)
# if "DONE": TLS v1.x supported
# else if "wrong version number": TLS v1.x not supported
# else if "unknown option": OpenSSL does not support TLS v1.1 or v1.2
echo
echo [*] Testing for TLS v1.1 support ...
if grep -q DONE <<<$OUTPUT_TLS1_1; then
echo "TLS v1.1 IS supported"
elif grep -q "wrong version number" <<<$OUTPUT_TLS1_1; then
echo "TLS v1.1 IS NOT supported"
elif grep -q "unknown option" <<<$OUTPUT_TLS1_1; then
echo "The local openssl version does NOT support TLS v1.1"
else
echo "UNKNOWN"
fi
echo
echo [*] Testing for TLS v1.2 support ...
if grep -q DONE <<<$OUTPUT_TLS1_2; then
echo "TLS v1.2 IS supported"
elif grep -q "wrong version number" <<<$OUTPUT_TLS1_2; then
echo "TLS v1.2 IS NOT supported"
elif grep -q "unknown option" <<<$OUTPUT_TLS1_2; then
echo "The local openssl version does NOT support TLS v1.2"
else
echo "UNKNOWN"
fi
echo
echo
echo [-] Testing for SSL/TLS HTTPS security headers ...
#
#
#
(echo -e "HEAD / HTTP/1.0\n\n"; sleep 5) | openssl s_client -connect $HOST:$PORT > $HEADLOGFILE 2> $HEADERRFILE
echo
echo [*] Testing for Strict-Transport-Security \(STS\) header ...
grep -i 'Strict-Transport-Security' $HEADLOGFILE
echo
echo [*] Testing for cookies with the secure flag ...
grep -i 'Set-Cookie' $HEADLOGFILE | grep -i 'secure'
echo
echo [*] Testing for cookies without the secure flag ...
grep -i 'Set-Cookie' $HEADLOGFILE | grep -v -i 'secure'
echo
echo
echo [-] New files created:
ls -l $LOGFILE
ls -l $HEADLOGFILE
ls -l $RENEGLOGFILE
# Delete all empty error files:
# It could potentially delete other .err zero-size files not created by TLSSLed
# find . -size 0 -name '*.err' -delete
if [ ! -s $ERRFILE ]; then
# Error file is empty
rm $ERRFILE
else
ls -l $ERRFILE
fi
if [ ! -s $RENEGERRFILE ]; then
# Renegotiation error file is empty
rm $RENEGERRFILE
else
ls -l $RENEGERRFILE
fi
if [ ! -s $HEADERRFILE ]; then
# Openssl HEAD error file is empty
rm $HEADERRFILE
else
ls -l $HEADERRFILE
fi
echo
echo
echo [-] done
echo