ScanSSL 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1ade7f0a27b608559183de6a444401019558d66c
+  data.tar.gz: 15e1e854ba06cdc47589865f88c0b4ce7afef132
+SHA512:
+  metadata.gz: 07dec5c21cf71cee698a7fe3831d7c57ee4f1e232b220c1fc57df55b9ca5e39204068569cbb52ac77285e6ef7adb9c91343e55d6cd29c5b5d4cd5fc9c9769c82
+  data.tar.gz: 445d6b2ad93032f71c1e1a15789e46ae93c7747547dd9435ec9416dd228fe728decf76c7b6d43ff3590fff98438e13149f6da6841d15863fc3a6cc401f0214cf

data/bin/scanssl

@@ -0,0 +1,93 @@
+#!/usr/bin/env ruby
+# 
+# ScanSSL gem.
+# Some info here.
+#
+
+require 'optparse'
+
+unless File.respond_to? :realpath
+  class File #:nodoc:
+    def self.realpath path
+      return realpath(File.readlink(path)) if symlink?(path)
+      path
+    end
+  end
+end
+$: << File.expand_path(File.dirname(File.realpath(__FILE__)) + '/../lib')
+
+require 'scanssl'
+require 'rubygems'
+
+options = {}
+
+begin
+  OptionParser.new do |opts|
+    opts.banner = "Usage: #{File.basename($0)} [options]"
+
+    opts.on('-s', '--server server', 'Server to scan') do |server|
+      options[:server] = server
+    end
+
+    opts.on('-p', '--port port', 'Port to scan') do |port|
+      options[:port] = port
+    end
+
+    opts.on('-d', '--debug', 'Debug mode') do
+      options[:debug] = true
+    end
+
+    opts.on('-c', '--certificate', 'Displays certificate information') do
+      options[:check_cert] = true
+      ScanSSL
+    end
+
+    opts.on('-o', '--output filename', 'File to save results in') do |filename|
+      options[:output] = filename
+    end
+
+    opts.on('-t', '--type filetype', 'Type file: txt, pdf, html') do |filetype|
+      options[:file_type] = filetype
+    end
+
+    opts.on('-v', '--version', 'Version number') do
+      puts "ScanSSL version: #{ScanSSL::VERSION}"
+      exit
+    end
+
+    opts.on('-h', '--help', 'Displays Help') do
+      puts opts
+      exit
+    end
+  end.parse!
+
+rescue OptionParser::MissingArgument
+  puts "Wrong argument. Check: -h for more help."
+
+rescue OptionParser::InvalidOption
+  puts "Invalid argument. Check: -h for more help."
+end
+
+unless options[:server]
+  puts "Missing -s/--server argument!"
+  puts "Try -h"
+  exit
+end
+
+unless options[:port]
+  puts "Missing -p/--port argument!"
+  puts "Try -h"
+  exit
+end
+
+pid = fork do
+  ScanSSL::Command.call(options)
+end
+
+Signal.trap("INT") do
+  puts "Terminating Scan..."
+  Process.kill("TERM", pid)
+  exit 0
+end
+
+Process.waitpid(pid, 0)

data/lib/scanssl.rb

@@ -0,0 +1,58 @@
+require 'colorize'
+require 'getoptlong'
+require 'openssl'
+require 'socket'
+require 'webrick'
+require 'prawn'
+
+require 'scanssl/version'
+require 'scanssl/settings'
+require 'scanssl/certInfo'
+require 'scanssl/fileExport'
+require 'scanssl/scanHost'
+
+module ScanSSL
+  class Command
+    def self.call(options = {})
+      @server = options[:server]
+      @port = options[:port]
+
+      # Get Certiticate Information
+      if options[:check_cert] == true
+        a = ScanSSL::CertInfo.new(@server, @port)
+        # Not sure yet if we need to have an access to one of those
+        # datas so right now I'm returning each of them.
+        # We can convert it to hash or array.
+        colorOutputCert(a.valid?,
+                        a.valid_from, 
+                        a.valid_until, 
+                        a.issuer, 
+                        a.subject, 
+                        a.algorithm, 
+                        a.key_size, 
+                        a.public_key)
+      end
+
+      if options[:check_cert] == nil
+        run = ScanSSL::ScanHost.new
+        puts run.scan(@server, @port)
+      end
+    end
+
+    def self.colorOutputCert(cValid, cFrom, cUntil, cIssuer, cSubject, cAlgorithm, cKey, cPublic)
+      puts "== Certificate Information ==".bold
+      puts "domain: #{@server}"
+      puts "port: #{@port}"
+      puts "----------------"
+      puts "valid: #{cValid}"
+      puts "valid from:#{cFrom}"
+      puts "valid until: #{cUntil}"
+      puts "issuer: #{cIssuer}"
+      puts "subject: #{cSubject}"
+      puts "algorithm: #{cAlgorithm}"
+      puts "key size: #{cKey}"
+      puts "public key:"
+      puts "#{cPublic}"
+    end
+  end
+end

data/lib/scanssl/certInfo.rb

@@ -0,0 +1,65 @@
+module ScanSSL
+  class CertInfo < Certificate
+    def initialize(server, port)
+      @ssl_context = OpenSSL::SSL::SSLContext.new
+      @cert_store = OpenSSL::X509::Store.new
+      @cert_store.set_default_paths
+      @ssl_context.cert_store = @cert_store
+      @tcp_socket = TCPSocket.new(server, port)
+      @socket_destination = OpenSSL::SSL::SSLSocket.new @tcp_socket, @ssl_context
+      @socket_destination.connect
+    end
+
+    def valid?
+      return TRUTH_TABLE[(@socket_destination.verify_result == 0)]
+    end
+
+    def valid_from
+      return cert.not_before
+    end
+
+    def valid_until
+      return cert.not_after
+    end
+
+    def issuer
+      return certprops.select { |name, data, type| name == "O" }.first[1]
+    end
+
+    def subject
+      return cert.subject
+    end
+
+    def algorithm
+      return cert.signature_algorithm
+    end
+
+    def key_size
+      begin
+        key_size = OpenSSL::PKey::RSA.new(cert.public_key).to_text.match(/Public-Key: \((.*) bit/).to_a[1].strip.to_i
+        if key_size.between?(1000, 2000)
+          key_size = $1
+        elsif key_size > 2000
+          key_size = $1
+        else
+          key_size = $1
+        end
+        return key_size
+      end
+    rescue
+      return "Problem with key_size"
+    end
+
+    def public_key
+      return cert.public_key
+    end
+
+    def cert
+      return OpenSSL::X509::Certificate.new(@socket_destination.peer_cert)
+    end
+
+    def certprops
+      return OpenSSL::X509::Name.new(cert.issuer).to_a
+    end
+  end
+end

data/lib/scanssl/fileExport.rb

@@ -0,0 +1,18 @@
+module ScanSSL
+  class Export
+    def self.pdf(file, data)
+      Prawn::Document.generate(file) do
+        text "Hello :-) This is my #{data}"
+      end
+    end
+
+    def self.txt(file, data)
+      ftxt = File.open("#{path}/#{file}", "a")
+      ftxt.write(data)
+      ftxt.close
+    end
+
+    def self.csv(file, data)
+    end
+  end
+end

data/lib/scanssl/scanHost.rb

@@ -0,0 +1,128 @@
+module ScanSSL
+  # I think the best will be to put the result to the hash or array
+  # and return it to ScanSLL::Command so we can send it to Colorize method
+  # and sort.
+  #
+  class ScanHost < Certificate
+    def scan(server, port)
+      ssl2_array = []
+      ssl3_array = []
+      tls1_array = []
+      tls1_1_array = []
+      tls1_2_array = []
+      threads = []
+
+      c = []
+        PROTOCOLS.each do |protocol|
+          ssl_context = OpenSSL::SSL::SSLContext.new
+          ssl_context.ciphers = CIPHERS
+          ssl_context.options = protocol
+          threads << Thread.new do
+            ssl_context.ciphers.each do |cipher|
+            begin
+              ssl_context = OpenSSL::SSL::SSLContext.new
+              ssl_context.options = protocol
+              ssl_context.ciphers = cipher[0].to_s
+              begin
+                tcp_socket = WEBrick::Utils.timeout(5){
+                  TCPSocket.new(server, port)
+                }
+              rescue => e
+                puts e.message
+                exit 1
+              end
+              socket_destination = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
+              WEBrick::Utils.timeout(5) {
+                socket_destination.connect
+              }
+              if protocol == SSLV3
+                ssl_version, cipher, bits, vulnerability = result_parse(cipher[0], cipher[3], protocol)
+                result = "Server supports: %-22s %-42s %-10s %s\n"%[ssl_version, cipher, bits, vulnerability]
+                ssl3_array << result
+              elsif protocol == TLSV1
+                ssl_version, cipher, bits, vulnerability = result_parse(cipher[0], cipher[2], protocol)
+                result = "Server supports: %-22s %-42s %-10s %s\n"%[ssl_version, cipher, bits, vulnerability]
+                tls1_array << result
+              elsif protocol == TLSV1_1
+                ssl_version, cipher, bits, vulnerability = result_parse(cipher[0], cipher[2], protocol)
+                result = "Server supports: %-22s %-42s %-10s %s\n"%[ssl_version, cipher, bits, vulnerability]
+                tls1_1_array << result
+              elsif protocol == TLSV1_2
+                ssl_version, cipher, bits, vulnerability = result_parse(cipher[0], cipher[2], protocol)
+                result = "Server supports: %-22s %-42s %-10s %s\n"%[ssl_version, cipher, bits, vulnerability]
+                tls1_2_array << result
+              elsif protocol == SSLV2
+                ssl_version, cipher, bits, vulnerability = result_parse(cipher[0], cipher[2], protocol)
+                result = "Server supports: %-22s %-42s %-10s %s\n"%[ssl_version, cipher, bits, vulnerability]
+                ssl2_array << result
+              end
+
+            rescue Exception => e
+              if @debug
+                puts e.message
+                puts e.backtrace.join "\n"
+                if protocol == SSLV2
+                  puts "Server Don't Supports: SSLv2 #{c[0]} #{c[2]} bits"
+                elsif protocol == SSLV3
+                  puts "Server Don't Supports: SSLv3 #{c[0]} #{c[3]} bits"
+                elsif protocol == TLSV1
+                  puts "Server Don't Supports: TLSv1 #{c[0]} #{c[2]} bits"
+                elsif protocol == TLSV1_1
+                  puts "Server Don't Supports: TLSv1.1 #{c[0]} #{c[2]} bits"
+                elsif protocol == TLSV1_2
+                  puts "Server Don't Supports: TLSv1.2 #{c[0]} #{c[2]} bits"
+                end
+              end
+            ensure
+              socket_destination.close if socket_destination rescue nil
+              tcp_socket.close if tcp_socket rescue nil
+            end
+          end
+        end
+    end
+      begin    
+        threads.map(&:join)
+      rescue Interrupt
+      end
+      return ssl3_array, ssl2_array, tls1_array, tls1_1_array, tls1_2_array
+    end
+
+    def result_parse(cipher_name, cipher_bits, protocol)
+      ssl_version = PROTOCOL_COLOR_NAME[protocol]
+      cipher = case cipher_name
+        when /^(RC4|MD5)/
+          cipher_name.colorize(:yellow)
+        when /^RC2/
+          cipher_name.colorize(:red)
+        when /^EXP/
+          cipher_name.colorize(:red)
+        else
+          cipher_name.colorize(:gree)
+        end
+
+      bits = case cipher_bits
+        when 48, 56, 40
+          cipher_bits.to_s.colorize(:red)
+        when 112
+          cipher_bits.to_s.colorize(:yellow)
+        else
+          cipher_bits.to_s.colorize(:green)
+        end
+      detect_vulnerabilites(ssl_version, cipher, bits)
+    end
+
+    def detect_vulnerabilites(ssl_version, cipher, bits)
+      if ssl_version.match(/SSLv3/).to_s != "" && cipher.match(/RC/i).to_s == ""
+        return ssl_version, cipher, bits, "     POODLE (CVE-2014-3566)".colorize(:red)
+      elsif cipher.match(/RC2/i)
+        return ssl_version, cipher, bits, "     Chosen-Plaintext Attack".colorize(:red)
+      elsif cipher.match(/EXP/i)
+        return ssl_version, cipher, bits, "     FREAK (CVE-2015-0204)".colorize(:red)
+      elsif cipher.match(/RC4/i)
+        return ssl_version, cipher, bits, "     Bar-Mitzvah Attack".colorize(:yellow)
+      else
+        return ssl_version, cipher, bits, ''
+      end
+    end
+  end
+end

data/lib/scanssl/settings.rb

@@ -0,0 +1,28 @@
+module ScanSSL
+  class Certificate
+    NO_SSLV2      = 16777216
+    NO_SSLV3      = 33554432
+    NO_TLSV1      = 67108864
+    NO_TLSV1_1    = 268435456
+    NO_TLSV1_2    = 134217728
+
+    SSLV2         = NO_SSLV3 + NO_TLSV1 + NO_TLSV1_1 + NO_TLSV1_2
+    SSLV3         = NO_SSLV2 + NO_TLSV1 + NO_TLSV1_1 + NO_TLSV1_2
+    TLSV1         = NO_SSLV2 + NO_SSLV3 + NO_TLSV1_1 + NO_TLSV1_2
+    TLSV1_1       = NO_SSLV2 + NO_SSLV3 + NO_TLSV1   + NO_TLSV1_2
+    TLSV1_2       = NO_SSLV2 + NO_SSLV3 + NO_TLSV1   + NO_TLSV1_1
+
+    PROTOCOLS     = [SSLV2, SSLV3, TLSV1, TLSV1_1, TLSV1_2]
+    CIPHERS       = 'ALL::COMPLEMENTOFDEFAULT::COMPLEMENTOFALL'
+    
+    PROTOCOL_COLOR_NAME = {
+      SSLV2   => 'SSLv2',
+      SSLV3   => 'SSLv3',
+      TLSV1   => 'TLSv1',
+      TLSV1_1 => 'TLSv1.1',
+      TLSV1_2 => 'TLSv1.2'
+    }
+
+    TRUTH_TABLE = { true => 'true', false => 'false' }
+  end
+end

data/lib/scanssl/version.rb

@@ -0,0 +1,3 @@
+module ScanSSL
+  VERSION = '0.0.1'
+end

metadata

@@ -0,0 +1,56 @@
+--- !ruby/object:Gem::Specification
+name: ScanSSL
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- bararchy
+- ik5
+- elichai
+- Dor Lerner
+- wolfedale
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-11-03 00:00:00.000000000 Z
+dependencies: []
+description: A simple and easy to use SSL Cipher scanner
+email: bar.hofesh@gmail.com
+executables:
+- scanssl
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/scanssl
+- lib/scanssl.rb
+- lib/scanssl/certInfo.rb
+- lib/scanssl/fileExport.rb
+- lib/scanssl/scanHost.rb
+- lib/scanssl/settings.rb
+- lib/scanssl/version.rb
+homepage: https://github.com/bararchy/ruby-SSLscanner
+licenses:
+- GPL3
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: ScanSSL
+test_files: []
+has_rdoc: