yawast 0.5.0.beta2 → 0.5.0.beta3

data/lib/scanner/core.rb

@@ -22,7 +22,7 @@ module Yawast
 
           Yawast.set_openssl_options
 
-          Yawast::Scanner::Generic.server_info(@uri, options)
+          Yawast::Scanner::Plugins::DNS::Generic.dns_info @uri, options
         end
 
         @setup = true

data/lib/scanner/generic.rb

@@ -1,116 +1,10 @@
 require 'ipaddr_extensions'
 require 'json'
+require 'public_suffix'
 
 module Yawast
   module Scanner
     class Generic
-      def self.server_info(uri, options)
-        begin
-          puts 'DNS Information:'
-
-          dns = Resolv::DNS.new
-          Resolv::DNS.open do |resv|
-            a = resv.getresources(uri.host, Resolv::DNS::Resource::IN::A)
-            unless a.empty?
-              a.each do |ip|
-                begin
-                  host_name = dns.getname(ip.address)
-                rescue
-                  host_name = 'N/A'
-                end
-
-                Yawast::Utilities.puts_info "\t\t#{ip.address} (#{host_name})"
-
-                # if address is private, force internal SSL mode, don't show links
-                if IPAddr.new(ip.address.to_s, Socket::AF_INET).private?
-                  options.internalssl = true
-                else
-                  #show network info
-                  get_network_info ip
-                  get_network_location_info ip
-
-                  puts "\t\t\thttps://www.shodan.io/host/#{ip.address}"
-                  puts "\t\t\thttps://censys.io/ipv4/#{ip.address}"
-                end
-              end
-            end
-
-            aaaa = resv.getresources(uri.host, Resolv::DNS::Resource::IN::AAAA)
-            unless aaaa.empty?
-              aaaa.each do |ip|
-                begin
-                  host_name = dns.getname(ip.address)
-                rescue
-                  host_name = 'N/A'
-                end
-
-                Yawast::Utilities.puts_info "\t\t#{ip.address} (#{host_name})"
-
-                # if address is private, force internal SSL mode, don't show links
-                if IPAddr.new(ip.address.to_s, Socket::AF_INET6).private?
-                  options.internalssl = true
-                else
-                  #show network info
-                  get_network_info ip
-                  get_network_location_info ip
-
-                  puts "\t\t\thttps://www.shodan.io/host/#{ip.address.to_s.downcase}"
-                end
-              end
-            end
-
-            txt = resv.getresources(uri.host, Resolv::DNS::Resource::IN::TXT)
-            unless txt.empty?
-              txt.each do |rec|
-                Yawast::Utilities.puts_info "\t\tTXT: #{rec.data}"
-              end
-            end
-
-            mx = resv.getresources(uri.host, Resolv::DNS::Resource::IN::MX)
-            unless mx.empty?
-              mx.each do |rec|
-                Yawast::Utilities.puts_info "\t\tMX: #{rec.exchange} (#{rec.preference})"
-              end
-            end
-
-            ns = resv.getresources(uri.host, Resolv::DNS::Resource::IN::NS)
-            unless ns.empty?
-              ns.each do |rec|
-                Yawast::Utilities.puts_info "\t\tNS: #{rec.name}"
-              end
-            end
-          end
-
-          puts
-        rescue => e
-          Yawast::Utilities.puts_error "Error getting basic information: #{e.message}"
-          raise
-        end
-      end
-
-      def self.get_network_info(ip)
-        begin
-          network_info = JSON.parse(Net::HTTP.get(URI("https://api.iptoasn.com/v1/as/ip/#{ip.address}")))
-
-          Yawast::Utilities.puts_info "\t\t\t#{network_info['as_country_code']} - #{network_info['as_description']}"
-        rescue => e
-          Yawast::Utilities.puts_error "Error getting network information: #{e.message}"
-        end
-      end
-
-      def self.get_network_location_info(ip)
-        begin
-          info = JSON.parse(Net::HTTP.get(URI("https://freegeoip.net/json/#{ip.address}")))
-          location = [info['city'], info['region_name'], info['country_code']].reject { |c| c.empty? }.join(', ')
-
-          if location != nil && !location.empty?
-            Yawast::Utilities.puts_info "\t\t\t#{location}"
-          end
-        rescue => e
-          Yawast::Utilities.puts_error "Error getting location information: #{e.message}"
-        end
-      end
-
       def self.head_info(head, uri)
         begin
           server = ''
@@ -242,6 +136,11 @@ module Yawast
               unless elements.include?(' HttpOnly') || elements.include?(' httponly')
                 Yawast::Utilities.puts_warn "\t\t\tCookie missing HttpOnly flag"
               end
+
+              #check for SameSite cookies
+              unless elements.include?(' SameSite') || elements.include?(' samesite')
+                Yawast::Utilities.puts_warn "\t\t\tCookie missing SameSite flag"
+              end
             end
 
             puts ''

data/lib/scanner/plugins/dns/generic.rb

@@ -0,0 +1,195 @@
+module Yawast
+  module Scanner
+    module Plugins
+      module DNS
+        class Generic
+          def self.dns_info(uri, options)
+            begin
+              puts 'DNS Information:'
+              root_domain = PublicSuffix.parse(uri.host).domain
+
+              dns = Resolv::DNS.new
+              Resolv::DNS.open do |resv|
+                a = resv.getresources(uri.host, Resolv::DNS::Resource::IN::A)
+                unless a.empty?
+                  a.each do |ip|
+                    begin
+                      host_name = dns.getname(ip.address)
+                    rescue
+                      host_name = 'N/A'
+                    end
+
+                    Yawast::Utilities.puts_info "\t\t#{ip.address} (#{host_name})"
+
+                    # if address is private, force internal SSL mode, don't show links
+                    if IPAddr.new(ip.address.to_s, Socket::AF_INET).private?
+                      options.internalssl = true
+                    else
+                      #show network info
+                      Yawast::Utilities.puts_info "\t\t\t#{get_network_info(ip.address)}"
+                      get_network_location_info ip
+
+                      puts "\t\t\thttps://www.shodan.io/host/#{ip.address}"
+                      puts "\t\t\thttps://censys.io/ipv4/#{ip.address}"
+                    end
+                  end
+                end
+
+                aaaa = resv.getresources(uri.host, Resolv::DNS::Resource::IN::AAAA)
+                unless aaaa.empty?
+                  aaaa.each do |ip|
+                    begin
+                      host_name = dns.getname(ip.address)
+                    rescue
+                      host_name = 'N/A'
+                    end
+
+                    Yawast::Utilities.puts_info "\t\t#{ip.address} (#{host_name})"
+
+                    # if address is private, force internal SSL mode, don't show links
+                    if IPAddr.new(ip.address.to_s, Socket::AF_INET6).private?
+                      options.internalssl = true
+                    else
+                      #show network info
+                      Yawast::Utilities.puts_info "\t\t\t#{get_network_info(ip.address)}"
+                      get_network_location_info ip
+
+                      puts "\t\t\thttps://www.shodan.io/host/#{ip.address.to_s.downcase}"
+                    end
+                  end
+                end
+
+                txt = resv.getresources(uri.host, Resolv::DNS::Resource::IN::TXT)
+                unless txt.empty?
+                  txt.each do |rec|
+                    Yawast::Utilities.puts_info "\t\tTXT: #{rec.data}"
+                  end
+                end
+
+                #check for higher-level TXT records, if we aren't already at the top
+                if root_domain != uri.host
+                  txt = resv.getresources(root_domain, Resolv::DNS::Resource::IN::TXT)
+                  unless txt.empty?
+                    txt.each do |rec|
+                      Yawast::Utilities.puts_info "\t\tTXT (#{root_domain}): #{rec.data}"
+                    end
+                  end
+                end
+
+                mx = resv.getresources(uri.host, Resolv::DNS::Resource::IN::MX)
+                unless mx.empty?
+                  mx.each do |rec|
+                    ip = resv.getaddress rec.exchange
+
+                    Yawast::Utilities.puts_info "\t\tMX: #{rec.exchange} (#{rec.preference}) - #{ip} (#{get_network_info(ip.to_s)})"
+                  end
+                end
+
+                #check for higher-level MX records, if we aren't already at the top
+                if root_domain != uri.host
+                  mx = resv.getresources(root_domain, Resolv::DNS::Resource::IN::MX)
+                  unless mx.empty?
+                    mx.each do |rec|
+                      ip = resv.getaddress rec.exchange
+
+                      Yawast::Utilities.puts_info "\t\tMX (#{root_domain}): #{rec.exchange} (#{rec.preference}) - #{ip} (#{get_network_info(ip.to_s)})"
+                    end
+                  end
+                end
+
+                ns = resv.getresources(root_domain, Resolv::DNS::Resource::IN::NS)
+                unless ns.empty?
+                  ns.each do |rec|
+                    ip = resv.getaddress rec.name
+
+                    Yawast::Utilities.puts_info "\t\tNS: #{rec.name} - #{ip} (#{get_network_info(ip.to_s)})"
+                  end
+                end
+
+                if options.srv
+                  File.open(File.dirname(__FILE__) + '/../../../resources/srv_list.txt', 'r') do |f|
+                    f.each_line do |line|
+                      host = line.strip + '.' + root_domain
+                      begin
+                        srv = resv.getresources(host, Resolv::DNS::Resource::IN::SRV)
+
+                        unless srv.empty?
+                          srv.each do |rec|
+                            ip = resv.getaddress rec.target
+
+                            Yawast::Utilities.puts_info "\t\tSRV: #{host}: #{rec.target}:#{rec.port} - #{ip} (#{get_network_info(ip.to_s)})"
+                          end
+                        end
+                      rescue
+                        #if this fails, don't really care
+                      end
+                    end
+                  end
+                end
+
+                if options.subdomains
+                  File.open(File.dirname(__FILE__) + '/../../../resources/subdomain_list.txt', 'r') do |f|
+                    f.each_line do |line|
+                      host = line.strip + '.' + root_domain
+
+                      begin
+                        a = resv.getresources(host, Resolv::DNS::Resource::IN::A)
+
+                        unless a.empty?
+                          a.each do |ip|
+                            if IPAddr.new(ip.address.to_s, Socket::AF_INET).private?
+                              Yawast::Utilities.puts_info "\t\tA: #{host}: #{ip.address}"
+                            else
+                              Yawast::Utilities.puts_info "\t\tA: #{host}: #{ip.address} (#{get_network_info(ip.address)})"
+                            end
+                          end
+                        end
+                      rescue
+                        #if this fails, don't really care
+                      end
+                    end
+                  end
+                end
+              end
+
+              puts
+            rescue => e
+              Yawast::Utilities.puts_error "Error getting basic information: #{e.message}"
+              raise
+            end
+          end
+
+          def self.get_network_info(ip)
+            #check to see if we have this one cached
+            @netinfo = Hash.new if @netinfo == nil
+            return @netinfo[ip] if @netinfo[ip] != nil
+
+            begin
+              network_info = JSON.parse(Net::HTTP.get(URI("https://api.iptoasn.com/v1/as/ip/#{ip}")))
+
+              ret = "#{network_info['as_country_code']} - #{network_info['as_description']}"
+              @netinfo[ip] = ret
+
+              return ret
+            rescue => e
+              return "Error: getting network information failed (#{e.message})"
+            end
+          end
+
+          def self.get_network_location_info(ip)
+            begin
+              info = JSON.parse(Net::HTTP.get(URI("https://freegeoip.net/json/#{ip.address}")))
+              location = [info['city'], info['region_name'], info['country_code']].reject { |c| c.empty? }.join(', ')
+
+              if location != nil && !location.empty?
+                Yawast::Utilities.puts_info "\t\t\t#{location}"
+              end
+            rescue => e
+              Yawast::Utilities.puts_error "Error getting location information: #{e.message}"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/ssl/sweet32.rb

@@ -0,0 +1,85 @@
+module Yawast
+  module Scanner
+    module Plugins
+      module SSL
+        class Sweet32
+          def self.get_tdes_session_msg_count(uri)
+            # this method will send a number of HEAD requests to see
+            #  if the connection is eventually killed.
+            puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
+
+            count = 0
+            begin
+              req = Yawast::Shared::Http.get_http(uri)
+              req.use_ssl = uri.scheme == 'https'
+              req.keep_alive_timeout = 600
+              headers = Yawast::Shared::Http.get_headers
+
+              #force 3DES - this is to ensure that 3DES specific limits are caught
+              req.ciphers = ['3DES']
+
+              #attempt to find a version that supports 3DES
+              versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
+              versions.each do |version|
+                if version.to_s != 'SSLv23'
+                  req.ssl_version = version
+
+                  begin
+                    req.start do |http|
+                      head = http.head(uri.path, headers)
+
+                      #check to see if this is on Cloudflare - they break Keep-Alive limits, creating a false positive
+                      head.each do |k, v|
+                        if k.downcase == 'server'
+                          if v == 'cloudflare-nginx'
+                            puts 'Cloudflare server found: SWEET32 mitigated: https://support.cloudflare.com/hc/en-us/articles/231510928'
+                            return
+                          end
+                        end
+                      end
+                    end
+
+                    print "Using #{version}"
+                    break
+                  rescue
+                    #we don't care
+                  end
+                end
+              end
+
+              req.start do |http|
+                10000.times do |i|
+                  http.head(uri.path, headers)
+
+                  # hack to detect transparent disconnects
+                  if http.instance_variable_get(:@ssl_context).session_cache_stats[:cache_hits] != 0
+                    raise 'TLS Reconnected'
+                  end
+
+                  count += 1
+
+                  if i % 20 == 0
+                    print '.'
+                  end
+                end
+              end
+            rescue => e
+              puts
+
+              if e.message.include? 'alert handshake failure'
+                Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
+              else
+                Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
+              end
+
+              return
+            end
+
+            puts
+            Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/ssl.rb

@@ -34,7 +34,7 @@ module Yawast
 
           ssl.sysclose
 
-          get_tdes_session_msg_count(uri) if tdes_session_count
+          Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count(uri) if tdes_session_count
         rescue => e
           Yawast::Utilities.puts_error "SSL: Error Reading X509 Details: #{e.message}"
         end
@@ -148,7 +148,7 @@ module Yawast
 
             if ciphers != nil
               check_version_suites uri, ip, ciphers, version
-            elsif get_ciphers_failed == false
+            elsif !get_ciphers_failed
               Yawast::Utilities.puts_info "\t#{version}: No cipher suites available."
             end
           end
@@ -160,6 +160,19 @@ module Yawast
       def self.check_version_suites(uri, ip, ciphers, version)
         puts "\tChecking for #{version} suites (#{ciphers.count} possible suites)"
 
+        #first, let's see if we can connect using this version - so we don't do pointless checks
+        req = Yawast::Shared::Http.get_http(uri)
+        req.use_ssl = uri.scheme == 'https'
+        req.ssl_version = version
+        begin
+          req.start do |http|
+            http.head(uri.path, Yawast::Shared::Http.get_headers)
+          end
+        rescue
+          Yawast::Utilities.puts_info "\t\tVersion: #{version}\tNo Supported Cipher Suites"
+          return
+        end
+
         ciphers.each do |cipher|
           #try to connect and see what happens
           begin
@@ -183,7 +196,9 @@ module Yawast
               Yawast::Utilities.puts_error "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(Supported But Failed)"
             end
           rescue => e
-            Yawast::Utilities.puts_error "\t\tVersion: #{''.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(#{e.message})"
+            unless e.message.include?('Connection reset by peer')
+              Yawast::Utilities.puts_error "\t\tVersion: #{''.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(#{e.message})"
+            end
           ensure
             ssl.sysclose unless ssl == nil
           end
@@ -233,53 +248,6 @@ module Yawast
         end
       end
 
-      def self.get_tdes_session_msg_count(uri)
-        # this method will send a number of HEAD requests to see
-        #  if the connection is eventually killed.
-        puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
-
-        count = 0
-        begin
-          req = Yawast::Shared::Http.get_http(uri)
-          req.use_ssl = uri.scheme == 'https'
-          req.keep_alive_timeout = 600
-          headers = Yawast::Shared::Http.get_headers
-
-          #force 3DES - this is to ensure that 3DES specific limits are caught
-          req.ciphers = ['3DES']
-
-          req.start do |http|
-            10000.times do |i|
-              http.head(uri.path, headers)
-
-              # hack to detect transparent disconnects
-              if http.instance_variable_get(:@ssl_context).session_cache_stats[:cache_hits] != 0
-                raise 'TLS Reconnected'
-              end
-
-              count += 1
-
-              if i % 20 == 0
-                print '.'
-              end
-            end
-          end
-        rescue => e
-          puts
-
-          if e.message.include? 'alert handshake failure'
-            Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
-          else
-            Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
-          end
-
-          return
-        end
-
-        puts
-        Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
-      end
-
       #private methods
       class << self
         private

data/lib/scanner/ssl_labs.rb

@@ -54,7 +54,7 @@ module Yawast
               Yawast::Utilities.puts_error "Error getting information for IP: #{ep.ip_address}: #{e.message}"
             end
 
-            Yawast::Scanner::Ssl.get_tdes_session_msg_count(uri) if tdes_session_count
+            Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count(uri) if tdes_session_count
 
             puts
           end

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.5.0.beta2'
+  VERSION = '0.5.0.beta3'
 end

data/yawast.gemspec

@@ -20,6 +20,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'colorize', '~> 0.8'
   s.add_runtime_dependency 'ipaddr_extensions', '~> 1.0'
   s.add_runtime_dependency 'ipaddress', '~> 0.8'
+  s.add_runtime_dependency 'public_suffix', '~> 2.0'
 
   s.bindir            = 'bin'
   s.files             = `git ls-files`.split("\n")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-  version: 0.5.0.beta2
+  version: 0.5.0.beta3
 platform: ruby
 authors:
 - Adam Caudill
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-07 00:00:00.000000000 Z
+date: 2017-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ssllabs
@@ -108,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: YAWAST is an application meant to simplify initial analysis and information
   gathering for penetration testers and security auditors.
 email: adam@adamcaudill.com
@@ -135,6 +149,8 @@ files:
 - lib/commands/utils.rb
 - lib/resources/common_dir.txt
 - lib/resources/common_file.txt
+- lib/resources/srv_list.txt
+- lib/resources/subdomain_list.txt
 - lib/scanner/apache.rb
 - lib/scanner/cert.rb
 - lib/scanner/cms.rb
@@ -143,8 +159,10 @@ files:
 - lib/scanner/iis.rb
 - lib/scanner/nginx.rb
 - lib/scanner/php.rb
+- lib/scanner/plugins/dns/generic.rb
 - lib/scanner/plugins/http/directory_search.rb
 - lib/scanner/plugins/http/file_presence.rb
+- lib/scanner/plugins/ssl/sweet32.rb
 - lib/scanner/ssl.rb
 - lib/scanner/ssl_labs.rb
 - lib/shared/http.rb