added terrapin ssh scanning support

Signed-off-by: Rahul Jadhav <nyrahul@gmail.com>

Dockerfile

@@ -3,11 +3,12 @@ FROM ubuntu:latest
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssl ca-certificates curl netcat
 RUN curl -LO https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl --output-dir /usr/local/bin/ && chmod +x /usr/local/bin/kubectl
 RUN curl -sfL https://raw.githubusercontent.com/kubearmor/tabled/main/install.sh | sh -s -- -b /usr/local/bin v0.1.2
+RUN curl -L https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v1.1.0/Terrapin_Scanner_Linux_amd64 -o /usr/local/bin/Terrapin_Scanner && chmod +x /usr/local/bin/Terrapin_Scanner
 
-COPY src /home/kubetls
-COPY config /home/kubetls
+COPY src /home/k8tls
+COPY config /home/k8tls
 RUN update-ca-certificates
 
-WORKDIR /home/kubetls
+WORKDIR /home/k8tls
 
-ENTRYPOINT ["/home/kubetls/tlsscan"]
+ENTRYPOINT ["/home/k8tls/tlsscan"]

README.md

@@ -24,12 +24,17 @@ Our primary reason to work on this tool was to handle 5G Security Control checks
 
 ### Scan k8s services
 
-For k8s, the solution gets deployed as a job that scans the k8s service ports.
+1. Deploy the k8tls job
 
 ```
 kubectl apply -f https://raw.githubusercontent.com/kubearmor/k8tls/main/k8s/job.yaml
+```
+
+2. Get the report
+```
 kubectl logs -n k8tls $(kubectl get pod -n k8tls -l job-name=k8tls -o name) -f
 ```
+
 ```
 | Name                                                             | Address              | Status     | Version | Ciphersuite            | Hash   | Signature | Verification                                 |
 | ---------------------------------------------------------------- | -------------------- | ---------- | ------- | ---------------------- | ------ | --------- | -------------------------------------------- |

config/addr.list

@@ -8,5 +8,5 @@ revoked.badssl.com:443 BadSSL
 pinning-test.badssl.com:443 BadSSL
 dh480.badssl.com:443 BadSSL
 isunknownaddress.com:12345 LocalTest
-localhost:9090
-localhost:22 namespace:deployment/wordpress
+localhost:9090 webserver
+localhost:22 localssh

config/ssh.list

@@ -0,0 +1,8 @@
+172.174.240.192:22 open-horizon-edge-vm terrapin
+4.242.4.41:22 jfrog-registry-vm terrapin
+172.208.81.244:22 jumphost terrapin
+20.124.83.23:22 nessus-vm terrapin
+74.249.73.76:22 ai-team-vm terrapin
+172.208.76.73:22 performance-test-vm terrapin
+20.109.50.235:22 devops-vm terrapin
+172.190.166.169:22 harbor-accuknox terrapin

src/findings_terrapin

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+: '
+{
+	"Banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4",
+	"SupportsChaCha20": true,
+	"SupportsCbcEtm": false,
+	"SupportsStrictKex": false,
+	"Vulnerable": true
+}
+'
+
+TPJSON=/tmp/tpin.json
+terrapin_scan()
+{
+	TPIN=/home/rahul/go/bin/Terrapin-Scanner
+	timeout 5s $TPIN --connect $SVC_Address --json > $TPJSON
+	[[ $? -ne 0 ]] && status="ERROR" && return
+	for((i=0;;i++)); do
+		key=`cat $TPJSON | jq keys | jq -r ".[$i]"`
+		[[ "$key" == "null" ]] && break
+		[[ "$key" == "" ]] && break
+		val=`cat $TPJSON | jq -r ".$key"`
+		printf -v "TP_$key" '%s' "$val"
+	done
+}
+
+k8tls_terrapin_scanssh()
+{
+	terrapin_scan
+	[[ "$TP_Vulnerable" == "true" ]] && status="FAIL"
+	cat << EOF >> $jsonout
+				{
+					"plugin": "terrapin-ssh",
+					"title": "terrapin ssh server attack",
+					"description": "The exploit can allow an attacker to downgrade the connection security by truncating the extension negotiation message (RFC8308) from the transcript. The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks.",
+					"link": "https://terrapin-attack.com/",
+					"banner": "$TP_Banner",
+					"supportsChaCha20": "$TP_SupportsChaCha20",
+					"supportsCbcEtm": "$TP_SupportsCbcEtm",
+					"supportsStrictKex": "$TP_SupportsStrictKex",
+					"severity": "high",
+					"remediationEstEffort": "medium",
+					"solution": "Both SSH client and server needs to be patched to fix the exploit.",
+					"status": "$status"
+				}
+EOF
+	rm $TPJSON
+}
+

src/findings_tls

@@ -0,0 +1,143 @@
+#!/bin/bash
+
+opensslscan()
+{
+	tmp=/tmp/tls.out
+	rm -f $tmp 2>/dev/null
+	timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect "$SVC_Address" -brief < /dev/null 2>$tmp
+#	echo "ret=$ret"
+#	cat $tmp
+	conn_estd=0
+	while read line; do
+		[[ "$line" == "CONNECTION ESTABLISHED" ]] && conn_estd=1
+		[[ $conn_estd -ne 1 ]] && continue
+		[[ $line != *:* ]] && continue
+		key=${line/:*/}
+		val=${line/*: /}
+		key=${key// /_}
+		printf -v "TLS_$key" '%s' "$val"
+		TLS_Status="TLS"
+	done < $tmp
+	[[ "$TLS_Verification_error" != "" ]] && TLS_Verification="$TLS_Verification_error"
+}
+
+tls_jsonreport()
+{
+	tls_chk_insecure_port
+	cat << EOF >> $jsonout
+				{
+					"Name": "$SVC_Name",
+					"Address": "$SVC_Address",
+					"Status": "$TLS_Status",
+					"Protocol_version": "$TLS_Protocol_version",
+					"Ciphersuite": "$TLS_Ciphersuite",
+					"Hash_used": "$TLS_Hash_used",
+					"Peer_certificate": "$TLS_Peer_certificate",
+					"Server_Temp_Key": "$TLS_Server_Temp_Key",
+					"Signature_type": "$TLS_Signature_type",
+					"Verification": "$TLS_Verification"
+				}
+EOF
+}
+
+tls_csvreport()
+{
+	[[ "$csvout" == "" ]] && return
+	cat << EOF >> $csvout
+"$SVC_Name","$SVC_Address","$TLS_Status","$TLS_Protocol_version","$TLS_Ciphersuite","$TLS_Hash_used","$TLS_Signature_type","$TLS_Verification"
+EOF
+}
+
+do_openssl_scan()
+{
+	[[ "$TLS_Status" != "" ]] && return	#already scanned
+	TLS_Status="PLAIN_TEXT"
+	nc -w 1 -z ${SVC_Address/:/ }
+	case "$?" in
+		0) opensslscan ;;
+		*) TLS_Status="CONNFAIL" ;;
+	esac
+	tls_csvreport
+}
+
+k8tls_tls_00chktls()
+{
+	do_openssl_scan
+	[[ "$TLS_Status" != "TLS" ]] && status="FAIL"
+	cat << EOF >> $jsonout
+				{
+					"plugin": "tls-security",
+					"title": "use of TLS security",
+					"compliance": "NIST.SP.800-52",
+					"control-id": "2.1",
+					"description": "It is mandatory for TLS to be enabled for all network communications including east-west traffic.",
+					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
+					"severity": "critical",
+					"remediationEstEffort": "medium",
+					"solution": "enable TLS or transport security on the port.",
+					"status": "$status"
+				}
+EOF
+}
+
+k8tls_tls_01checkversion()
+{
+	do_openssl_scan
+	[[ "$TLS_Status" != "TLS" ]] && finding_got=0 && return	# no finding
+	if [ "$TLS_Protocol_version" != "TLSv1.2" ] || [ "$TLS_Protocol_version" != "TLSv1.3" ]; then
+		status="FAIL"
+	fi
+	cat << EOF >> $jsonout
+				{
+					"plugin": "tls-version",
+					"title": "use secure TLS protocol version",
+					"compliance": "NIST.SP.800-52",
+					"control-id": "3.1",
+					"description": "Using TLS >=v1.2 is mandatory for all applications. Version currently in use is $TLS_Protocol_version",
+					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
+					"severity": "critical",
+					"remediationEstEffort": "low",
+					"solution": "enable TLS >=v1.2 transport security on the port.",
+					"status": "$status"
+				}
+EOF
+}
+
+k8tls_tls_02certificateChecks()
+{
+	do_openssl_scan
+	[[ "$TLS_Status" != "TLS" ]] && finding_got=0 && return	# no finding
+	if [ "$TLS_Verification" != "" ]; then
+		status="FAIL"
+		solution="Update certificate signed from trusted CA."
+		finding="$TLS_Verification"
+		severity="low"
+	fi
+	case "$TLS_Verification" in
+		"certificate has expired")
+			solution="renew x.509 certificate"
+			finding="TLS certificate has expired. Renew the certificate."
+			severity="critical"
+			;;
+		"self-signed certificate")
+			solution="Use certificates signed by approved Certificates Authority (CA)."
+			finding="Self-signed certificates have the risk of MITM attacks."
+			severity="medium"
+			;;
+	esac
+	cat << EOF >> $jsonout
+				{
+					"plugin": "tls-certificate-check",
+					"title": "check for TLS certificate best practices",
+					"compliance": "NIST.SP.800-52",
+					"control-id": "3.3",
+					"description": "$finding",
+					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
+					"severity": "$severity",
+					"remediationEstEffort": "low",
+					"solution": "$solution",
+					"status": "$status"
+				}
+EOF
+}
+