ciphersurfer 0.99.0 → 1.0.0.rc1

data/Gemfile

@@ -1,4 +1,11 @@
 source "http://rubygems.org"
+
+gem 'rainbow'
+gem 'progressbar'
+gem "awesome_print"
+gem 'json'
+gem 'httpclient'
+
 # Add dependencies required to use your gem here.
 # Example:
 #   gem "activesupport", ">= 2.3.5"

data/Gemfile.lock

@@ -1,12 +1,17 @@
 GEM
   remote: http://rubygems.org/
   specs:
+    awesome_print (1.0.2)
     diff-lcs (1.1.3)
     git (1.2.5)
+    httpclient (2.2.4)
     jeweler (1.6.4)
       bundler (~> 1.0)
       git (>= 1.2.5)
       rake
+    json (1.6.5)
+    progressbar (0.9.2)
+    rainbow (1.1.3)
     rake (0.9.2.2)
     rcov (0.9.11)
     rspec (2.3.0)
@@ -22,7 +27,12 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  awesome_print
   bundler (~> 1.0.0)
+  httpclient
   jeweler (~> 1.6.4)
+  json
+  progressbar
+  rainbow
   rcov
   rspec (~> 2.3.0)

data/README.md

@@ -4,9 +4,24 @@ ciphersurfer is a tool to enumerate a website for ciphers it supports. It can
 be used for testing pourposes and to evaluate te security configuration for an
 SSL configured web server.
 
+## Installing ciphersurfer
+
+Installing ciphersurfer is easy. Just follow the standard ruby gem way:
+
+  gem install ciphersurfer
+
+Now you've got a ciphersurfer executable you can invoke using your command line.
+
+## SSLabs
+
+For the SSL security evaluation, we use [SSLabs
+document](https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide_2009.pdf)
+as reference.
+
 ## OWASP Testing guide 
 
-ciphersurfer goal is to make tests described in the [Owasp Testing guide](https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001))
+ciphersurfer goal is to make tests described in the [Owasp Testing
+guide](https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001\))
 
 
 ## Contributing to ciphersurfer

data/VERSION

@@ -1 +1 @@
-0.99.0
+1.0.0.rc1

data/bin/ciphersurfer

@@ -1,24 +1,101 @@
 #!/usr/bin/env ruby
-#
-$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
-
 require 'ciphersurfer'
+require 'rainbow'
+require 'awesome_print'
+require 'progressbar'
+require 'getoptlong'
+require 'json'
+
+opts = GetoptLong.new(
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--version', '-v', GetoptLong::NO_ARGUMENT ],
+  [ '--list-ciphers', '-l', GetoptLong::NO_ARGUMENT ]#,
+  # [ '--json', '-j', GetoptLong::NO_ARGUMENT]
+)
 
-if ! Ciphersurfer::Scanner.alive?(ARGV[0], ARGV[1])
-  puts "#{ARGV[0]}@#{ARGV[1]}: connection refused"
-  exit 1
+options={:json=>false,:list_ciphers=>false}
+
+opts.each do |opt, arg|
+  case opt
+  when '--help'
+    ap "usage: ciphersurfer [-ljvh] server[:port]"
+    ap "       -l: lists supported ciphers instead of just evaluate the security level"
+    # ap "       -j: formats the output using JSON"
+    ap "       -v: shows  version"
+    ap "       -h: this help"
+    exit 0
+  when '--version'
+    ap "ciphersurfer " + Ciphersurfer::Version.version[:string]
+    exit 0
+  # unsupported right now...
+  #when '--json'
+  #  options[:json]=true
+  when '--list-ciphers'
+    options[:list_ciphers]=true
+  end
 end
-protocol_version = [:SSLv2, :SSLv3, :TLSv1]
+
+if ( ARGV.length != 1 )
+  ap 'ciphersurfer: missing target'
+  exit -1
+end
+
+target = ARGV.shift
+host = target.split(':')[0] ||= "localhost"   #fallback here should never occur... however it's better to be paranoid
+port = target.split(':')[1] ||= 443           # more common here
+
+ap "scanning #{host}:#{port} for supported ciphers"
+
+if ! Ciphersurfer::Scanner.alive?(host, port)
+  ap "it seems there is no server listening @#{host}:#{port}"
+  exit -2 
+end
+
+protocol_version = [:SSLv2, :SSLv3, :TLSv1]#, :TLSv11, :TLSv12]
+
+# ok = {}
+supported_protocols = []
+cipher_bits=[]
+
+
+
 protocol_version.each do |version|
-  puts version
-  s = Ciphersurfer::Scanner.new({:host=>ARGV[0], :port=>ARGV[1], :proto=>version})
+  s = Ciphersurfer::Scanner.new({:host=>host, :port=>port, :proto=>version})
 
   s.go
-  ok = s.ok_ciphers
-  ko = s.ko_ciphers
-
-  ok.each do |o|
-    puts "[+] Accepted\t #{o[:bits]} bits\t#{o[:name]}"
+  if (s.ok_ciphers.size != 0)
+    supported_protocols << version
+    cipher_bits = cipher_bits | s.ok_bits
   end
+  
+  # ok << {:proto=>version, :ciphers=>s.ok_ciphers}
+
 end
 
+cert = Ciphersurfer::Scanner.cert(host, port)
+a=cert.public_key.to_text
+key_size=/Modulus \((\d+)/i.match(a)[1]
+                   
+
+                    proto_score= Ciphersurfer::Score.evaluate_protocols(supported_protocols)
+                    cipher_score= Ciphersurfer::Score.evaluate_ciphers(cipher_bits)
+                    key_score= Ciphersurfer::Score.evaluate_key(key_size.to_i)
+score= Ciphersurfer::Score.score(proto_score, key_score, cipher_score)
+ap Ciphersurfer::Score.evaluate(score) + " ("+score.to_s+")"
+
+ap "Protocol support: " + proto_score.to_s
+ap "Key exchange: " + key_score.to_s
+ap "Cipher strength: " + cipher_score.to_s
+
+
+
+
+# e.g. supported_protocols = [:SSLv2, :TLSv1]
+# e.g. cipher_bits = [0, 256, 1024]
+
+# if options[:list_ciphers] 
+#     ok.each do |o|
+#       puts "[+] Accepted\\t #{o[:bits]} bits\\t#{o[:name]}"
+#     end
+#   end
+

data/lib/ciphersurfer/scanner.rb

@@ -1,17 +1,26 @@
 require 'net/https'
 require 'openssl'
+require 'httpclient'
+
 
 module Ciphersurfer
   class Scanner
     
-    attr_reader :ok_ciphers, :ko_ciphers
+    attr_reader :ok_ciphers, :ok_bits
+    attr_reader :peer_cert
 
     def initialize(options={})
       @host=options[:host]
       @port=options[:port] ||= 443
       @proto=options[:proto]
       @ok_ciphers=[]
-      @ko_ciphers=[]
+      @ok_bits=[]
+    end
+
+    def self.cert(host, port)
+      client=HTTPClient.new
+      response=client.get("https://#{host}:#{port}")
+      peer_cert = response.peer_cert
     end
 
     def self.alive?(host, port)
@@ -25,23 +34,32 @@ module Ciphersurfer
         return false
       rescue OpenSSL::SSL::SSLError => e
         return false
+      rescue 
+        return false
       end
     end
+   
     def go
       context=OpenSSL::SSL::SSLContext.new(@proto)
       cipher_set = context.ciphers
       cipher_set.each do |cipher_name, cipher_version, bits, algorithm_bits|
+
         request = Net::HTTP.new(@host, @port)
         request.use_ssl = true
+        
+        request.ca_file='/Users/thesp0nge/src/hacking/ciphersurfer/cacert.pem'
         request.verify_mode = OpenSSL::SSL::VERIFY_NONE
         request.ciphers= cipher_name
         begin
           response = request.get("/")
+          @ok_bits << bits
           @ok_ciphers << {:bits=>bits, :name=>cipher_name}
         rescue OpenSSL::SSL::SSLError => e
-          @ko_ciphers << {:bits=>bits, :name=>cipher_name}
+          # Quietly discard SSLErrors, really I don't care if the cipher has
+          # not been accepted
         rescue 
-          # Quietly discard all other errors... you must perform all error chekcs in the calling program
+          # Quietly discard all other errors... you must perform all error
+          # chekcs in the calling program
         end
       end
     end

data/lib/ciphersurfer/score.rb

@@ -0,0 +1,117 @@
+module Ciphersurfer
+    PROTOCOL_SUPPORT_RATIO  = 0.3
+    KEY_EXCHANGE_RATIO      = 0.3
+    CIPHER_STRENGTH         = 0.4
+
+    class Score
+
+      # Gives the final evaluation given the final score
+      # @param the score obtained in the previous steps
+      # @result an evaluation between A, the highest one and F, the lowest
+      def self.evaluate(score)
+        return "F" unless score > 0
+
+        case score
+
+        when 0...20
+          ret = "F"
+        when 20...35
+          ret = "E"
+        when 35...50
+          ret = "D"
+        when 50...65
+          ret = "C"
+        when 65...80
+          ret = "B"
+        else
+          ret = "A"
+        end
+
+        return ret
+      end
+
+
+      def self.evaluate_protocols(protocols)
+        best  = -1
+        worst = -1
+
+        if (protocols.include?(:SSLv2))
+          best = 20
+          worst = 20
+        end
+        if (protocols.include?(:SSLv3))
+          best = 80
+          (worst = 80) unless worst != -1
+        end
+        if (protocols.include?(:TLSv1))
+          best = 90
+          (worst = 90) unless worst != -1
+        end
+        if (protocols.include?(:TLSv11))
+          best = 95
+          (worst = 95) unless worst != -1
+        end
+        if (protocols.include?(:TLSv12))
+          best = 100
+          (worst = 100) unless worst != -1
+        end
+
+        (best + worst) / 2
+
+      end
+
+      # @param an Array of supported ciphers bit 
+      def self.evaluate_ciphers(ciphers)
+        best  = -1
+        worst = 999999999999999999999999999999999999
+
+        #[0, 24, 1024]
+        ciphers.each do |c|
+          if (c == 0)
+            worst = 0
+            best = 0 unless best != -1
+          end
+          if (c < 128) && (c!=0)
+            worst = 20 unless worst < 20
+            best = 20 unless best > 20
+          end
+
+          if (c < 256) && (c>=128)
+            worst = 80 unless worst < 80
+            best = 80 unless best > 80
+          end
+
+          if (c >= 256)
+            worst = 100 unless worst < 100
+            best = 100
+          end
+
+        end
+        (best + worst) / 2
+      end
+
+
+      # FIXME: How can I test Weak key (Debian OpenSSL flaw)?
+      # FIXME: Evaluate if "Exportable key exchange limited to 512 bits is fully covered in k_len<1024
+      def self.evaluate_key(key_length)
+        case (key_length)
+        when 0
+          return 0
+        when 1...512
+          return 20
+        when 512...1024
+          return 40
+        when 1024...2048
+          return 80
+        when 2048...4096
+          return 90
+        else
+          return 100
+        end
+      end
+
+      def self.score(proto, key, ciphers)
+        return ((0.3*proto) + (0.3*key) + (0.4*ciphers))
+      end
+    end
+end

data/lib/ciphersurfer.rb

@@ -1,3 +1,4 @@
 require 'ciphersurfer/scanner'
 require 'ciphersurfer/version'
+require 'ciphersurfer/score'
 # require 'ciphersurfer/net_http'

data/spec/ciphersurfer_spec.rb

@@ -1,7 +1,5 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe "Ciphersurfer" do
-  it "fails" do
-    fail "hey buddy, you should probably rename this file and start specing for real"
-  end
+
 end

data/spec/scoring_spec.rb

@@ -0,0 +1,131 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe 'Ciphersurfer' do
+  describe 'Score' do
+    it "should assign A to overall scores higher than 80" do
+      Ciphersurfer::Score.evaluate(90).should == "A"
+      Ciphersurfer::Score.evaluate(80).should == "A"
+      Ciphersurfer::Score.evaluate(79).should_not == "A"
+    end
+
+    it "should assign B to scores up between 65 and 79" do
+      Ciphersurfer::Score.evaluate(64).should_not == "B"
+      Ciphersurfer::Score.evaluate(65).should == "B"
+      Ciphersurfer::Score.evaluate(79).should == "B"
+      Ciphersurfer::Score.evaluate(80).should_not == "B"
+    end
+    it "should assign C to scores up between 50 and 64" do
+      Ciphersurfer::Score.evaluate(49).should_not == "C"
+      Ciphersurfer::Score.evaluate(50).should == "C"
+      Ciphersurfer::Score.evaluate(64).should == "C"
+      Ciphersurfer::Score.evaluate(65).should_not == "C"
+    end
+    it "should assign D to scores up between 35 and 49" do
+      Ciphersurfer::Score.evaluate(34).should_not == "D"
+      Ciphersurfer::Score.evaluate(35).should == "D"
+      Ciphersurfer::Score.evaluate(49).should == "D"
+      Ciphersurfer::Score.evaluate(50).should_not == "D"
+    end
+    it "should assign E to scores up between 20 and 34" do
+      Ciphersurfer::Score.evaluate(19).should_not == "E"
+      Ciphersurfer::Score.evaluate(20).should == "E"
+      Ciphersurfer::Score.evaluate(34).should == "E"
+      Ciphersurfer::Score.evaluate(35).should_not == "E"
+    end
+    it "should assign F to overall scores lower than 20" do
+      Ciphersurfer::Score.evaluate(19).should == "F"
+      Ciphersurfer::Score.evaluate(0).should == "F"
+      Ciphersurfer::Score.evaluate(-123).should == "F"
+      Ciphersurfer::Score.evaluate(20).should_not == "F"
+    end
+
+    it "should give a 0.5 if both SSLv2 and SSLv3 are supported but no TLS" do
+      Ciphersurfer::Score.evaluate_protocols([:SSLv2, :SSLv3]).should == 0.5
+    end
+    it "should give a 0.2 if only SSLv2 protocol is supported" do
+      Ciphersurfer::Score.evaluate_protocols([:SSLv2]).should == 0.2
+    end
+
+    it "should give a 0.55 if SSLv2 and TLSv1 are supported but no SSLv3" do
+      Ciphersurfer::Score.evaluate_protocols([:SSLv2, :TLSv1]).should == 0.55
+    end
+
+    it "should give a 0.55 if SSLv2, SSLv3 and TLSv1 are supported" do
+      Ciphersurfer::Score.evaluate_protocols([:SSLv2, :SSLv3, :TLSv1]).should == 0.55
+    end
+
+    it "should give a 1 if only TLSv1.2 is supported" do
+      Ciphersurfer::Score.evaluate_protocols([:TLSv12]).should == 1.0
+    end
+
+    it "should give a 0 if cipher has 0 length" do
+      Ciphersurfer::Score.evaluate_ciphers([0]).should == 0
+    end 
+
+    it "should give a 0.2 if ciphers supported have length < 128" do 
+      Ciphersurfer::Score.evaluate_ciphers([40, 56, 64]).should == 0.2
+    end 
+
+    it "should give a 0.8 if ciphers supported have length < 256" do 
+      Ciphersurfer::Score.evaluate_ciphers([128, 168, 255]).should == 0.8
+    end 
+
+    it "should give a 1.0 if ciphers supported have length >= 256" do 
+      Ciphersurfer::Score.evaluate_ciphers([256, 512, 2048]).should == 1.0
+    end 
+
+    it "should give 0.1 if no encryption or ciphers lenght < 128" do
+      Ciphersurfer::Score.evaluate_ciphers([0, 40, 56, 64]).should == 0.1
+    end
+
+    it "should give a 0.5 if ciphers supported have length < 256 and < 128" do 
+      Ciphersurfer::Score.evaluate_ciphers([40, 56, 128, 168, 255]).should == 0.5
+    end 
+
+    it "should give a 0.6 if ciphers supported have length >= 256 and < 128" do 
+      Ciphersurfer::Score.evaluate_ciphers([40, 56, 1024, 2048]).should == 0.6
+    end 
+
+    it "should give a 0 if no key provided" do
+      Ciphersurfer::Score.evaluate_key(0).should == 0
+    end
+
+    it "should give a 0.2 if key < 512" do
+      Ciphersurfer::Score.evaluate_key(128).should == 0.2
+      Ciphersurfer::Score.evaluate_key(256).should == 0.2
+      Ciphersurfer::Score.evaluate_key(511).should == 0.2
+      Ciphersurfer::Score.evaluate_key(512).should_not == 0.2
+    end
+
+    it "should give a 0.4 if 512 <= key < 1024" do
+      Ciphersurfer::Score.evaluate_key(512).should == 0.4
+      Ciphersurfer::Score.evaluate_key(1000).should == 0.4
+      Ciphersurfer::Score.evaluate_key(1024).should_not == 0.4
+    end
+
+    it "should give a 0.8 if 1024 <= key < 2048" do
+      Ciphersurfer::Score.evaluate_key(1024).should == 0.8
+      Ciphersurfer::Score.evaluate_key(2043).should == 0.8
+      Ciphersurfer::Score.evaluate_key(2048).should_not == 0.8
+    end
+
+    it "should give a 0.9 if 2048 <= key < 4096" do
+      Ciphersurfer::Score.evaluate_key(2048).should == 0.9
+      Ciphersurfer::Score.evaluate_key(4095).should == 0.9
+      Ciphersurfer::Score.evaluate_key(4096).should_not == 0.9
+    end
+
+    it "should give a 1.0 if key >= 4096" do
+      Ciphersurfer::Score.evaluate_key(4096).should == 1.0
+    end
+
+
+    it "should evalute the overall score" do
+      Ciphersurfer::Score.score([1.0, 1.0, 1.0]).should == 1.0
+      Ciphersurfer::Score.score([0, 1.0, 1.0]).should == 0.7
+      Ciphersurfer::Score.score([1.0, 0, 1.0]).should == 0.7
+      Ciphersurfer::Score.score([1.0, 1.0, 0]).should == 0.6
+      Ciphersurfer::Score.score([0, 0, 1.0]).should == 0.4
+    end
+  end
+end

metadata

@@ -1,19 +1,74 @@
 --- !ruby/object:Gem::Specification
 name: ciphersurfer
 version: !ruby/object:Gem::Version
-  version: 0.99.0
-  prerelease: 
+  version: 1.0.0.rc1
+  prerelease: 6
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-01-25 00:00:00.000000000Z
+date: 2012-01-30 00:00:00.000000000Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: &70292333333420 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70292333333420
+- !ruby/object:Gem::Dependency
+  name: progressbar
+  requirement: &70292333332820 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70292333332820
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: &70292333332280 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70292333332280
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: &70292333331760 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70292333331760
+- !ruby/object:Gem::Dependency
+  name: httpclient
+  requirement: &70292333331180 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70292333331180
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70299665080160 !ruby/object:Gem::Requirement
+  requirement: &70292333330580 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +76,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70299665080160
+  version_requirements: *70292333330580
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70299665079560 !ruby/object:Gem::Requirement
+  requirement: &70292333329980 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +87,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70299665079560
+  version_requirements: *70292333329980
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70299665078900 !ruby/object:Gem::Requirement
+  requirement: &70292333329400 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +98,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70299665078900
+  version_requirements: *70292333329400
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70299665078300 !ruby/object:Gem::Requirement
+  requirement: &70292333328800 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +109,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70299665078300
+  version_requirements: *70292333328800
 description: ciphersurfer is a security tool that list enabled ciphers for a secure
   HTTP connection
 email: thesp0nge@gmail.com
@@ -76,8 +131,10 @@ files:
 - bin/ciphersurfer
 - lib/ciphersurfer.rb
 - lib/ciphersurfer/scanner.rb
+- lib/ciphersurfer/score.rb
 - lib/ciphersurfer/version.rb
 - spec/ciphersurfer_spec.rb
+- spec/scoring_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/thesp0nge/ciphersurfer
 licenses:
@@ -94,13 +151,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3466730773720341843
+      hash: -2946885741293011983
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.10