sslscan_wrapper 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 17102ec6e6de9081e6b60fd9c8c87b9402a48fbdb9835504e186c72446acc751
+  data.tar.gz: fd6a13ba469b548cecc3334ef7912602040622591ecc85fe35042487a4e60390
+SHA512:
+  metadata.gz: 110da3e2aa079522204b497810c4dd73604ca9a6cc94c87c5f5774b311a35669f89646cbc9fcbfd6b18ca54c258a1a601269a26f77a37c4faebf2e3cd397016d
+  data.tar.gz: 3561cca8da3ab70d813955657afb89070b27e86467634a58247ccd2feb48356ed03704018d9303c7a6bdf5bd0df4f6b10fa953d04749ec183a327c8c8e5e7468

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gemspec
+

data/README.md

@@ -0,0 +1,34 @@
+[![Gem Version](https://badge.fury.io/rb/sslscan_wrapper.svg)](https://badge.fury.io/rb/sslscan_wrapper)
+
+# sslscan\_wrapper
+
+sslscan\_wrapper is a wrapper around the sslscan tool to scan SSL/TLS protocol parameters.
+
+ * [rbsec/sslscan at GitHub](https://github.com/rbsec/sslscan)
+
+Since it is only a wrapper around sslscan it does not depend on the openssl version
+the ruby interpreter is linked with. The sslscan tool can be compiled statically with
+a openssl version supporting old protocol versions and ciphers.
+
+## API Documentation
+
+Available at [rubydoc.info](http://www.rubydoc.info/gems/sslscan_wrapper).
+
+## Usage
+
+```
+require 'sslscan_wrapper'
+
+scanner = SslscanWrapper::Scanner.new
+report = scanner.scan('www.somesite.tld', 443)
+
+report.ciphers
+# => ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", ...
+report.host
+# => "www.somesite.tld"
+report.signature_algorithm
+# => "sha256WithRSAEncryption"
+report.heartbleed_vulnerable?
+# => false
+```
+

data/Rakefile

@@ -0,0 +1,14 @@
+require 'rake/clean'
+require 'rubygems'
+require 'rubygems/package_task'
+require 'rdoc/task'                                                                       
+
+spec = eval(File.read('sslscan_wrapper.gemspec'))
+Gem::PackageTask.new(spec) do |pkg|
+end
+
+Rake::RDocTask.new do |rd|
+  rd.rdoc_files.include("lib/**/*.rb","bin/**/*")
+  rd.title = 'Wrapper for sslscan SSL/TLS scanner'
+end                                                                                       
+

data/lib/sslscan_wrapper.rb

@@ -0,0 +1 @@
+require 'sslscan_wrapper/scanner'

data/lib/sslscan_wrapper/report.rb

@@ -0,0 +1,114 @@
+require 'nokogiri'
+require 'time'
+
+module SslscanWrapper
+  class Report
+    # The content body of the report
+    attr_reader :body
+    # The nokogiri document object
+    attr_reader :doc
+    # Initialize a new report object
+    #
+    # Examples
+    #
+    #   content = File.read('report.xml')
+    #   SslscanWrapper::Report.new(content)
+    #
+    # Returns a new SslscanWrapper::Report
+    def initialize(output)
+      @body = output
+      @doc = Nokogiri::XML(@body)
+    end
+
+    # The hostname of the scanned host
+    def host
+      @doc.xpath('//ssltest/@host').first.value
+    end
+
+    # The port of the scan report
+    def port
+      @doc.xpath('//ssltest/@port').first.value
+    end
+
+    # Is ssl compression supported on target?
+    def compression_supported?
+      @doc.xpath('//compression/@supported').first.value == '1'
+    end
+
+    # Does the target support TLS renegotiation?
+    def renegotiation_supported?
+      @doc.xpath('//renegotiation/@supported').first.value == '1'
+    end
+
+    def renegotiation_secure?
+      @doc.xpath('//renegotiation/@secure').first.value == '1'
+    end
+
+    # Signature algorithm used in the certificate
+    def signature_algorithm
+      @doc.xpath('//certificate/signature-algorithm').first.content
+    end
+
+    # Subject of the certificate
+    def subject
+      @doc.xpath('//certificate/subject').first.content
+    end
+
+    # Subject alternative names of the certificate
+    def altnames
+      @doc.xpath('//certificate/altnames').first.content
+    end
+
+    # Issuer of the certificate
+    def issuer
+      @doc.xpath('//certificate/issuer').first.content
+    end
+
+    # Is the certificate a self-signed certificate?
+    def self_signed?
+      @doc.xpath('//certificate/self-signed').first.content == 'true'
+    end
+
+    # Is the certificate expired?
+    def expired?
+      @doc.xpath('//certificate/expired').first.content == 'true'
+    end
+
+    # Time the certificate starts to be valid
+    def not_before
+      time_str = @doc.xpath('//certificate/not-valid-before').first.content
+      Time.parse(time_str)
+    end
+
+    # Time the certificate is no longer valid
+    def not_after
+      time_str = @doc.xpath('//certificate/not-valid-after').first.content
+      Time.parse(time_str)
+    end
+
+    # Returns a list of supported ciphers
+    def ciphers
+      @doc.xpath('//cipher/@cipher').map(&:value)
+    end
+
+    # Is the cipher supported?
+    def cipher_supported?(cipher)
+      @doc.xpath("//cipher[@cipher=\"#{cipher}\"]").count > 0
+    end
+
+    # Returns a list of preferred ciphers
+    def preferred_ciphers
+      @doc.xpath('//cipher[@status="preferred"]/@cipher').map(&:value)
+    end
+
+    # Returns a list of SSL/TLS protocol versions vulnerable to heartbleed
+    def heartbleed_vulnerable_sslversions
+      @doc.xpath('//heartbleed[@vulnerable="1"]/@sslversion').map(&:value)
+    end
+
+    # Are there any heartblead vulnerable SSL/TLS protocol versions?
+    def heartbleed_vulnerable?
+      @doc.xpath('//heartbleed[@vulnerable="1"]').count > 0
+    end
+  end
+end

data/lib/sslscan_wrapper/scanner.rb

@@ -0,0 +1,95 @@
+require 'sslscan_wrapper/report'
+require 'open3'
+
+module SslscanWrapper
+  class Scanner
+    # sslscan executable
+    attr_accessor :command
+
+    # Hostname for SNI
+    attr_accessor :sni_name
+    # Only use IPv4
+    attr_accessor :ipv4
+    # Only use IPv6
+    attr_accessor :ipv6
+    # Only check SSLv2 ciphers
+    attr_accessor :ssl2
+    # Only check SSLv3 ciphers
+    attr_accessor :ssl3
+    # Only check TLSv1.0 ciphers
+    attr_accessor :tls10
+    # Only check TLSv1.1 ciphers
+    attr_accessor :tls11
+    # Only check TLSv1.2 ciphers
+    attr_accessor :tls12
+    # Only check TLS ciphers (all versions)
+    attr_accessor :tlsall
+    # Request OCSP response from server
+    attr_accessor :ocsp
+    # A file containing the private key or a PKCS12 file containing a private key/certificate pair
+    attr_accessor :pk
+    # The password for the private  key or PKCS12 file certs=<file> A file containing PEM/ASN1 formatted client certificates
+    attr_accessor :pkpass
+    # Use a server-to-server XMPP handshake
+    attr_accessor :xmpp_server
+    # Test a HTTP connection
+    attr_accessor :http
+    # Send RDP preamble before starting scan
+    attr_accessor :rdp
+    # Enable SSL implementation bug work-arounds
+    attr_accessor :bugs
+    # Set socket timeout. Default is 3s
+    attr_accessor :timeout
+    # Pause between connection request. Default is disabled
+    attr_accessor :sleep
+
+    @@SSL_SCAN_FLAGS = [ :ipv4, :ipv6, :ssl2, :ssl3, :tls10, :tls11, :tls12, :tlsall, :ocsp, :xmpp_server, :http, :bugs ]
+    @@SSL_SCAN_OPTIONS = [ :sleep, :timeout, :sni_name, :pk, :pkpass ]
+    @@SSL_SCAN_ARGS = [ '--xml=-', '--no-colour' ]
+
+    # Initialize a new SslscanWrapper::Scanner object
+    #
+    # Examples
+    #
+    #   scan = SslscanWrapper::Scanner.new do |s|
+    #     s.ipv4 = true
+    #   end
+    #
+    # Returns a SslscanWrapper::Scanner object
+    def initialize
+      @command = 'sslscan'
+      @port = 443
+      yield self if block_given?
+    end
+
+    # Scan a target
+    #
+    # Returns a SslscanWrapper::Report object
+    def scan(host, port)
+      execute(host, port)
+    end
+
+    private
+
+    def cmd(host, port)
+      cmd = [ @command ] + @@SSL_SCAN_ARGS
+      @@SSL_SCAN_FLAGS.each do |flag|
+        next if send(flag).nil?
+        cmd << "--#{flag.to_s.gsub('_', '-')}"
+      end
+      @@SSL_SCAN_OPTIONS.each do |option|
+        next if (value = send(option)).nil?
+        cmd << '--' + option.to_s.gsub('_', '-')
+        cmd << value
+      end
+      cmd << "#{host}:#{port}"
+    end
+
+    def execute(host, port)
+      command = cmd(host, port)
+      report, err, status = Open3.capture3(*command)
+      raise "Error while executing sslscan: #{err}" unless status.success?
+      SslscanWrapper::Report.new(report)
+    end
+  end
+end

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification
+name: sslscan_wrapper
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Markus Benning
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-04-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6'
+description: 
+email: ich@markusbenning.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- Rakefile
+- lib/sslscan_wrapper.rb
+- lib/sslscan_wrapper/report.rb
+- lib/sslscan_wrapper/scanner.rb
+homepage: https://github.com/benningm/sslscan_wrapper
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Wrapper for sslscan SSL/TLS protocol scanner
+test_files: []