Permalink
Browse files

Fine tuning if Jac2NL's commit of IDS evasion

Reduce the offensive tests to 4: the others are "just" / mostly cipher
based checks which should not cause an IDS to block. (This maybe
subject to reconsider at a later time.)

Added a switch --ids-friendly

Updated VULN_COUNT accordingly

Added this (including PHONE_OUT to env debugging output)

Added help()

Manual section added
  • Loading branch information...
drwetter committed Jun 26, 2018
1 parent 01f1771 commit 33cf1d524c354195a2fec2b9606d7a5c3bd3ee2f
Showing with 48 additions and 27 deletions.
  1. +4 −1 doc/testssl.1
  2. +4 −2 doc/testssl.1.html
  3. +4 −2 doc/testssl.1.md
  4. +36 −22 testssl.sh
View
@@ -152,7 +152,10 @@ Please note that the content of \fBfname\fR has to be in Unix format\. DOS carri
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in /etc/hosts\. The use of the switch is only useful if you either can\'t or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentestsi\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the enviroment variable for this\.
.
.P
\fB\-\-sneaky\fR as a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
\fB\-\-sneaky\fR is a friendly feature for the server side testssl\.sh uses a HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn\'t hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
.
.P
\fB\-\-ids\-friendly\fR is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS\. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT\. The environment variable OFFENSIVE set to false will achieve the same result\. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK\.
.
.P
\fB\-\-phone\-out\fR instructs testssl\.sh to query external \-\- in a sense of the current run \-\- URLs or URIs\. This is needed for checking revoked certificates via CRL and OCSP\. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl\.sh doesn\'t handle\. PHONE_OUT is the environment variable for this which needs to be set to true if you want this\.
View
@@ -200,9 +200,11 @@ <h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip</code> or have the IP address
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the enviroment variable for this.</p>
<p><code>--sneaky</code> as a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
<p><code>--sneaky</code> is a friendly feature for the server side testssl.sh uses a HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
<p><code>--phone-out</code> instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.</p>
<p><code>--ids-friendly</code> is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK.</p>
<p><code>--phone-out</code> instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.</p>
<h3 id="SINGLE-CHECK-OPTIONS">SINGLE CHECK OPTIONS</h3>
View
@@ -123,9 +123,11 @@ Please note that the content of `fname` has to be in Unix format. DOS carriage r
DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address
in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentestsi. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the enviroment variable for this.
`--sneaky` as a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
`--sneaky` is a friendly feature for the server side testssl.sh uses a HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
`--phone-out` instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
`--ids-friendly` is a switch which may help to get a scan finished which otherwise will be blocked by a server side IDS. This switch skips tests for the following vulnerabilities:heartbleed, CCS injection, ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe *MAX_WAITSOCK.
`--phone-out` instructs testssl.sh to query external -- in a sense of the current run -- URLs or URIs. This is needed for checking revoked certificates via CRL and OCSP. By using this switch you acknowledge that the check might could have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting CA which testssl.sh doesn't handle. PHONE_OUT is the environment variable for this which needs to be set to true if you want this.
### SINGLE CHECK OPTIONS
View
@@ -220,7 +220,7 @@ APPEND=${APPEND:-false} # append to csv/json file instead of ove
[[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests?
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh <your_args_here>"
#
@@ -15235,7 +15235,6 @@ help() {
Alternatively: nmap output in greppable format (-oG) (1x port per line allowed)
--mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
--add-ca <cafile> <cafile> or a comma separated list of CA files will be added during runtime to all CA stores
--phone-out Allow to contact external servers for CRL download and querying OCSP responder
single check as <options> ("$PROG_NAME URI" does everything except -E and -g):
-e, --each-cipher checks each local cipher remotely
@@ -15282,6 +15281,8 @@ tuning / connect options (most also can be preset via environment variables):
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
--sneaky leave less traces in target logs: user agent, referer
--ids-friendly skips a few vulnerablity checks which may cause IDSs to block the scanning IP
--phone-out allow to contact external servers for CRL download and querying OCSP responder
output options (can also be preset via environment variables):
--warnings <batch|off|false> "batch" doesn't ask for a confirmation, "off" or "false" skips connection warnings
@@ -15401,6 +15402,8 @@ SHOW_EACH_C: $SHOW_EACH_C
SSL_NATIVE: $SSL_NATIVE
ASSUME_HTTP $ASSUME_HTTP
SNEAKY: $SNEAKY
OFFENSIVE: $OFFENSIVE
PHONE_OUT: $PHONE_OUT
DEBUG: $DEBUG
@@ -16832,19 +16835,19 @@ initialize_globals() {
set_scanning_defaults() {
do_allciphers=true
do_vulnerabilities=true
do_beast="$OFFENSIVE"
do_lucky13="$OFFENSIVE"
do_breach="$OFFENSIVE"
do_beast=true
do_lucky13=true
do_breach=true
do_heartbleed="$OFFENSIVE"
do_ccs_injection="$OFFENSIVE"
do_ticketbleed="$OFFENSIVE"
do_robot="$OFFENSIVE"
do_crime="$OFFENSIVE"
do_freak="$OFFENSIVE"
do_logjam="$OFFENSIVE"
do_drown="$OFFENSIVE"
do_ssl_poodle="$OFFENSIVE"
do_sweet32="$OFFENSIVE"
do_crime=true
do_freak=true
do_logjam=true
do_drown=true
do_ssl_poodle=true
do_sweet32=true
do_header=true
do_pfs=true
do_rc4=true
@@ -16855,7 +16858,11 @@ set_scanning_defaults() {
do_server_preference=true
do_tls_fallback_scsv=true
do_client_simulation=true
VULN_COUNT=16
if "$OFFENSIVE"; then
VULN_COUNT=16
else
VULN_COUNT=12
fi
}
# returns number of $do variables set = number of run_funcs() to perform
@@ -17032,18 +17039,25 @@ parse_cmd_line() {
do_ticketbleed="$OFFENSIVE"
do_robot="$OFFENSIVE"
do_renego=true
do_crime="$OFFENSIVE"
do_breach="$OFFENSIVE"
do_ssl_poodle="$OFFENSIVE"
do_crime=true
do_breach=true
do_ssl_poodle=true
do_tls_fallback_scsv=true
do_sweet32="$OFFENSIVE"
do_freak="$OFFENSIVE"
do_drown="$OFFENSIVE"
do_logjam="$OFFENSIVE"
do_beast="$OFFENSIVE"
do_lucky13="$OFFENSIVE"
do_sweet32=true
do_freak=true
do_drown=true
do_logjam=true
do_beast=true
do_lucky13=true
do_rc4=true
VULN_COUNT=16
if "$OFFENSIVE"; then
VULN_COUNT=16
else
VULN_COUNT=12
fi
;;
--ids-friendly)
OFFENSIVE=false
;;
-H|--heartbleed)
do_heartbleed=true

0 comments on commit 33cf1d5

Please sign in to comment.