jab2870
/
Dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
882 Commits
1 Branch
0 Tags
15 MiB
Tag: Branch: Tree: 30558c7b2d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '30558c7b2d'
${ noResults }
Dotfiles/bin/.bin/webtest/verifySSL

130 lines
2.7 KiB
Raw Normal View History Unescape

BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
#!/usr/bin/env bash
port=443
vulnerability=""
host=""
openssl="$(which openssl)"
die(){
echo "$@" >&2
exit 1
}
print_help(){
echo "Attempts to connect using different tls versions"
echo ""
echo "verifySSL [options] <host>"
echo ""
echo "-p | --port Port number (default 443)"
echo "-v | --vulnerability The vulnerability to test"
echo "--list List the vulnerabilities that can be tested"
}
list_vulnerabilites(){
echo "Beast"
BIN: adds sweet32 test to verifySSL
4 years ago
echo "Sweet32"
BIN: Adds lucky13 to verifySSL
4 years ago
echo "Lucky13"
BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
}
check-beast(){
local tls1
local ssl3
local tmpfile="$(mktemp)"
# In order to test beast, you need to have a cbc cipher and tls1 or sslv3
echo "" | $openssl s_client -tls1 -connect "${host}:${port}" > /dev/null 2>&1
tls1="$?"
echo "" | $openssl s_client -ssl3 -connect "${host}:${port}" > /dev/null 2>&1
ssl3="$?"
BIN: makes the verifySSL print progress messages to stderr I chose to do this because I want to be able to pipe stdout to a file and use it as evidence. I don't need the progress for that
4 years ago
$openssl ciphers -v | grep -i cbc | cut -d' ' -f1 | while read cipher; do
BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
if [ $tls1 -eq 0 ]; then
BIN: Small adjustments to verifySSL The script now prepends the command that is echoed with a $ in order to indicate it is a command that is run Also stops the script showing each cipher that is tested
4 years ago
echo "\$ openssl s_client -tls1 -cipher $cipher -connect ${host}:${port}" >> "$tmpfile"
BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
echo "" | $openssl s_client -tls1 -cipher "$cipher" -connect "${host}:${port}" >> "$tmpfile" 2>&1
if [ "$?" -eq 0 ]; then
cat "$tmpfile"
fi
rm "$tmpfile"
fi
if [ $ssl3 -eq 0 ]; then
BIN: Small adjustments to verifySSL The script now prepends the command that is echoed with a $ in order to indicate it is a command that is run Also stops the script showing each cipher that is tested
4 years ago
echo "\$ openssl s_client -ssl3 -cipher $cipher -connect ${host}:${port}" >> "$tmpfile"
BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
echo "" | $openssl s_client -ssl3 -cipher "$cipher" -connect "${host}:${port}" >> "$tmpfile" 2>&1
if [ "$?" -eq 0 ]; then
cat "$tmpfile"
fi
rm "$tmpfile"
fi
done
}
BIN: adds sweet32 test to verifySSL
4 years ago
check-sweet32(){
local tmpfile="$(mktemp)"
BIN: Small adjustments to verifySSL The script now prepends the command that is echoed with a $ in order to indicate it is a command that is run Also stops the script showing each cipher that is tested
4 years ago
echo "\$ openssl s_client -cipher 3DES -connect ${host}:${port}" >> "$tmpfile"
BIN: adds sweet32 test to verifySSL
4 years ago
echo "" | $openssl s_client -cipher 3DES -connect "${host}:${port}" >> "$tmpfile" 2>&1
if [ "$?" -eq 0 ]; then
cat "$tmpfile"
fi
rm "$tmpfile"
}
BIN: Adds lucky13 to verifySSL
4 years ago
check-lucky13(){
local tmpfile="$(mktemp)"
Bin: fixes the lucky13 check It apparently works with any cbc cipher and doesn't require tls1
4 years ago
$openssl ciphers -v | grep -i cbc | cut -d' ' -f1 | while read cipher; do
echo "\$ openssl s_client -cipher $cipher -connect ${host}:${port}" >> "$tmpfile"
BIN: Adds lucky13 to verifySSL
4 years ago
echo "" | $openssl s_client -tls1 -cipher "$cipher" -connect "${host}:${port}" >> "$tmpfile" 2>&1
if [ "$?" -eq 0 ]; then
cat "$tmpfile"
fi
rm "$tmpfile"
done
}
BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
while [ "$#" -gt 0 ]; do
case "$1" in
-p|--port)
port="$2"
shift; shift
;;
-v|--vulnerability)
vulnerability="$2"
shift; shift
;;
--openssl)
openssl="$2"
shift;shift
;;
-h|--help)
print_help
exit 0
;;
--list)
list_vulnerabilites
exit 0
;;
*)
host="$1"
shift
;;
esac
done
if [ -z "$host" ]; then
die "No host provided"
fi
case "$(echo "$vulnerability" | tr '[:upper:]' '[:lower:]')" in
beast)
check-beast
;;
BIN: adds sweet32 test to verifySSL
4 years ago
sweet32)
check-sweet32
;;
BIN: Adds lucky13 to verifySSL
4 years ago
lucky13)
check-lucky13
;;
BIN: starts verifySSL script This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"
4 years ago
*)
die "Unknown vulnerability $vulnerability"
;;
esac