Signed-off-by: Rahul Jadhav <nyrahul@gmail.com>
Showing
7 changed files
with
294 additions
and
76 deletions.
@@ -0,0 +1,8 @@ | ||
172.174.240.192:22 open-horizon-edge-vm terrapin | ||
4.242.4.41:22 jfrog-registry-vm terrapin | ||
172.208.81.244:22 jumphost terrapin | ||
20.124.83.23:22 nessus-vm terrapin | ||
74.249.73.76:22 ai-team-vm terrapin | ||
172.208.76.73:22 performance-test-vm terrapin | ||
20.109.50.235:22 devops-vm terrapin | ||
172.190.166.169:22 harbor-accuknox terrapin |
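Review bot: The file carries no description of its column layout, so a reader cannot tell what the third column (`terrapin`) selects or which script consumes the list. If the consumer tolerates comment lines, add a header such as `# <address:port> <name> <plugin> — one target per line` (adjusted to the real format); otherwise document the format in the README or next to the loop that reads it. The entries look like real public addresses and named hosts; consider committing only a template with clearly labelled placeholder addresses and keeping the live inventory outside version control, since it discloses the infrastructure under assessment.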
@@ -0,0 +1,50 @@ | ||
#!/bin/bash | ||
|
||
: ' | ||
{ | ||
"Banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4", | ||
"SupportsChaCha20": true, | ||
"SupportsCbcEtm": false, | ||
"SupportsStrictKex": false, | ||
"Vulnerable": true | ||
} | ||
' | ||
|
||
TPJSON=/tmp/tpin.json | ||
terrapin_scan() | ||
{ | ||
TPIN=/home/rahul/go/bin/Terrapin-Scanner | ||
timeout 5s $TPIN --connect $SVC_Address --json > $TPJSON | ||
[[ $? -ne 0 ]] && status="ERROR" && return | ||
for((i=0;;i++)); do | ||
key=`cat $TPJSON | jq keys | jq -r ".[$i]"` | ||
[[ "$key" == "null" ]] && break | ||
[[ "$key" == "" ]] && break | ||
val=`cat $TPJSON | jq -r ".$key"` | ||
printf -v "TP_$key" '%s' "$val" | ||
done | ||
} | ||
|
||
k8tls_terrapin_scanssh() | ||
{ | ||
terrapin_scan | ||
[[ "$TP_Vulnerable" == "true" ]] && status="FAIL" | ||
cat << EOF >> $jsonout | ||
{ | ||
"plugin": "terrapin-ssh", | ||
"title": "terrapin ssh server attack", | ||
"description": "The exploit can allow an attacker to downgrade the connection security by truncating the extension negotiation message (RFC8308) from the transcript. The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks.", | ||
"link": "https://terrapin-attack.com/", | ||
"banner": "$TP_Banner", | ||
"supportsChaCha20": "$TP_SupportsChaCha20", | ||
"supportsCbcEtm": "$TP_SupportsCbcEtm", | ||
"supportsStrictKex": "$TP_SupportsStrictKex", | ||
"severity": "high", | ||
"remediationEstEffort": "medium", | ||
"solution": "Both SSH client and server needs to be patched to fix the exploit.", | ||
"status": "$status" | ||
} | ||
EOF | ||
rm $TPJSON | ||
} | ||
|
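Review bot: `k8tls_terrapin_scanssh` interpolates `$TP_Banner` straight into the JSON heredoc; the banner is whatever string the remote SSH server chooses to send, so a `"` or backslash in it corrupts `$jsonout` for the rest of the report. Encode it before the heredoc with `banner_json=$(printf '%s' "$TP_Banner" | jq -Rs .)` and write `"banner": $banner_json,` in the document (jq is already a dependency of this file). `TPJSON=/tmp/tpin.json` is a fixed, world-shared path, so prefer `TPJSON=$(mktemp) || { status="ERROR"; return; }` to keep one run from reading another's or a pre-placed file. Note also that `terrapin_scan` returns on a scanner error without clearing the `TP_*` variables, so a failed scan can report the previous target's values in the plugin output, and the hard-coded `/home/rahul/go/bin/Terrapin-Scanner` path should come from `command -v Terrapin-Scanner` or an environment override so the plugin runs outside one developer's home directory.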
@@ -0,0 +1,143 @@ | ||
#!/bin/bash | ||
|
||
opensslscan() | ||
{ | ||
tmp=/tmp/tls.out | ||
rm -f $tmp 2>/dev/null | ||
timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect "$SVC_Address" -brief < /dev/null 2>$tmp | ||
# echo "ret=$ret" | ||
# cat $tmp | ||
conn_estd=0 | ||
while read line; do | ||
[[ "$line" == "CONNECTION ESTABLISHED" ]] && conn_estd=1 | ||
[[ $conn_estd -ne 1 ]] && continue | ||
[[ $line != *:* ]] && continue | ||
key=${line/:*/} | ||
val=${line/*: /} | ||
key=${key// /_} | ||
printf -v "TLS_$key" '%s' "$val" | ||
TLS_Status="TLS" | ||
done < $tmp | ||
[[ "$TLS_Verification_error" != "" ]] && TLS_Verification="$TLS_Verification_error" | ||
} | ||
|
||
tls_jsonreport() | ||
{ | ||
tls_chk_insecure_port | ||
cat << EOF >> $jsonout | ||
{ | ||
"Name": "$SVC_Name", | ||
"Address": "$SVC_Address", | ||
"Status": "$TLS_Status", | ||
"Protocol_version": "$TLS_Protocol_version", | ||
"Ciphersuite": "$TLS_Ciphersuite", | ||
"Hash_used": "$TLS_Hash_used", | ||
"Peer_certificate": "$TLS_Peer_certificate", | ||
"Server_Temp_Key": "$TLS_Server_Temp_Key", | ||
"Signature_type": "$TLS_Signature_type", | ||
"Verification": "$TLS_Verification" | ||
} | ||
EOF | ||
} | ||
|
||
tls_csvreport() | ||
{ | ||
[[ "$csvout" == "" ]] && return | ||
cat << EOF >> $csvout | ||
"$SVC_Name","$SVC_Address","$TLS_Status","$TLS_Protocol_version","$TLS_Ciphersuite","$TLS_Hash_used","$TLS_Signature_type","$TLS_Verification" | ||
EOF | ||
} | ||
|
||
do_openssl_scan() | ||
{ | ||
[[ "$TLS_Status" != "" ]] && return #already scanned | ||
TLS_Status="PLAIN_TEXT" | ||
nc -w 1 -z ${SVC_Address/:/ } | ||
case "$?" in | ||
0) opensslscan ;; | ||
*) TLS_Status="CONNFAIL" ;; | ||
esac | ||
tls_csvreport | ||
} | ||
|
||
k8tls_tls_00chktls() | ||
{ | ||
do_openssl_scan | ||
[[ "$TLS_Status" != "TLS" ]] && status="FAIL" | ||
cat << EOF >> $jsonout | ||
{ | ||
"plugin": "tls-security", | ||
"title": "use of TLS security", | ||
"compliance": "NIST.SP.800-52", | ||
"control-id": "2.1", | ||
"description": "It is mandatory for TLS to be enabled for all network communications including east-west traffic.", | ||
"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2", | ||
"severity": "critical", | ||
"remediationEstEffort": "medium", | ||
"solution": "enable TLS or transport security on the port.", | ||
"status": "$status" | ||
} | ||
EOF | ||
} | ||
|
||
k8tls_tls_01checkversion() | ||
{ | ||
do_openssl_scan | ||
[[ "$TLS_Status" != "TLS" ]] && finding_got=0 && return # no finding | ||
if [ "$TLS_Protocol_version" != "TLSv1.2" ] || [ "$TLS_Protocol_version" != "TLSv1.3" ]; then | ||
status="FAIL" | ||
fi | ||
cat << EOF >> $jsonout | ||
{ | ||
"plugin": "tls-version", | ||
"title": "use secure TLS protocol version", | ||
"compliance": "NIST.SP.800-52", | ||
"control-id": "3.1", | ||
"description": "Using TLS >=v1.2 is mandatory for all applications. Version currently in use is $TLS_Protocol_version", | ||
"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2", | ||
"severity": "critical", | ||
"remediationEstEffort": "low", | ||
"solution": "enable TLS >=v1.2 transport security on the port.", | ||
"status": "$status" | ||
} | ||
EOF | ||
} | ||
|
||
k8tls_tls_02certificateChecks() | ||
{ | ||
do_openssl_scan | ||
[[ "$TLS_Status" != "TLS" ]] && finding_got=0 && return # no finding | ||
if [ "$TLS_Verification" != "" ]; then | ||
status="FAIL" | ||
solution="Update certificate signed from trusted CA." | ||
finding="$TLS_Verification" | ||
severity="low" | ||
fi | ||
case "$TLS_Verification" in | ||
"certificate has expired") | ||
solution="renew x.509 certificate" | ||
finding="TLS certificate has expired. Renew the certificate." | ||
severity="critical" | ||
;; | ||
"self-signed certificate") | ||
solution="Use certificates signed by approved Certificates Authority (CA)." | ||
finding="Self-signed certificates have the risk of MITM attacks." | ||
severity="medium" | ||
;; | ||
esac | ||
cat << EOF >> $jsonout | ||
{ | ||
"plugin": "tls-certificate-check", | ||
"title": "check for TLS certificate best practices", | ||
"compliance": "NIST.SP.800-52", | ||
"control-id": "3.3", | ||
"description": "$finding", | ||
"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2", | ||
"severity": "$severity", | ||
"remediationEstEffort": "low", | ||
"solution": "$solution", | ||
"status": "$status" | ||
} | ||
EOF | ||
} | ||
|
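Review bot: The version check in `k8tls_tls_01checkversion` can never pass: `[ "$TLS_Protocol_version" != "TLSv1.2" ] || [ "$TLS_Protocol_version" != "TLSv1.3" ]` is true for every value, because a string cannot equal both, so every TLS endpoint, including TLSv1.3 ones, is reported as FAIL. The condition must be a conjunction: `if [[ "$TLS_Protocol_version" != "TLSv1.2" && "$TLS_Protocol_version" != "TLSv1.3" ]]; then`. Separately, `opensslscan` writes to the fixed path `/tmp/tls.out` and parses it with `while read line` (no `-r`, no `IFS=`), so `tmp=$(mktemp)` and `while IFS= read -r line` are the safer forms there. Unless the caller resets them, the `TLS_*` variables persist between targets, so `do_openssl_scan` skips scanning once `TLS_Status` is set and a later target can inherit the previous one's protocol, cipher and verification values.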