yawast 0.5.0.beta5 → 0.5.0.beta6

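--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 02aa0ad73bc9e34325a0989a0e9c30a28fe2e40a
- data.tar.gz: 0391495210e5beeff8306ad8173730f707a4a607
+ metadata.gz: a42594da84134e0108d8a69007e728c4d68f34e3
+ data.tar.gz: 8eca21aecae891e4abeb5638b36d001f9c09e83a
  SHA512:
- metadata.gz: 32d58a74c90bab8977d103fb40a5dce202e2dd80c9a3d7bb9fb01b197944dcc9894fb8d6a2a3273952cb6398c1ab1ff8dbeb7fe167909cb6a65bb0bc3fac2903
- data.tar.gz: 3fc7dad7e9bab7552f97f127aba85b468372f5fce27ed916db6f504b0b21d43b39ade769c547525d3fad5b8da8e768a247d59c7da757c9b627766fd4c42fbd57
+ metadata.gz: e94055f7e7f190cf08f5e9e485165a0910c8351a39277c65284a21cfdd977a1925d159a49101c86fea18451327388275b8f116b791fd7f30a60ddab1c5affaf0
+ data.tar.gz: 710427503811039ecfa1734bd391d5479060dee96cdfdea986b21a615194f7365dcb0d895d2ff7d73e1e0ed9c5bd81716f39555897221a8d2f85d9b29847a518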
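--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -11,6 +11,7 @@
  * [#91](https://github.com/adamcaudill/yawast/issues/91) - Enhanced file search
  * [#96](https://github.com/adamcaudill/yawast/issues/96) - Scan for known SRV DNS Records
  * [#97](https://github.com/adamcaudill/yawast/issues/97) - Search for Common Subdomains
+ * [#100](https://github.com/adamcaudill/yawast/issues/100) - Check for missing cipher suite support
  * [#102](https://github.com/adamcaudill/yawast/issues/102) - Use SSLShake to power cipher suite enumeration
  * [#76](https://github.com/adamcaudill/yawast/issues/76) - Bug: Handle error for OpenSSL version support error
  * [#98](https://github.com/adamcaudill/yawast/issues/98) - Bug: SWEET32 Test Fails if 3DES Not Support By Latest Server Supported TLS Version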
@@ -6,6 +6,12 @@ module Yawast
6
6
  def self.get_tdes_session_msg_count(uri)
7
7
  # this method will send a number of HEAD requests to see
8
8
  # if the connection is eventually killed.
9
+ unless check_tdes(uri)
10
+ #if the OpenSSL install doesn't support 3DES, bailout
11
+ Yawast::Utilities.puts_error "Your copy of OpenSSL doesn't support 3DES cipher suites - SWEET32 test aborted."
12
+ return
13
+ end
14
+
9
15
  puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
10
16
 
11
17
  count = 0
@@ -80,6 +86,50 @@ module Yawast
80
86
  puts
81
87
  Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
82
88
  end
89
+
90
+ def self.check_tdes(uri)
91
+ puts 'Confirming your OpenSSL supports 3DES cipher suites...'
92
+
93
+ dns = Resolv::DNS.new
94
+
95
+ if IPAddress.valid? uri.host
96
+ ip = IPAddress.parse uri.host
97
+ else
98
+ ip = dns.getaddresses(uri.host)[0]
99
+ end
100
+
101
+ #find all versions that don't include '_server' or '_client'
102
+ versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
103
+
104
+ versions.each do |version|
105
+ #ignore SSLv23, as it's an auto-negotiate, which just adds noise
106
+ if version.to_s != 'SSLv23' && version.to_s != 'SSLv2'
107
+ #try to get the list of ciphers supported for each version
108
+ ciphers = nil
109
+
110
+ get_ciphers_failed = false
111
+ begin
112
+ ciphers = OpenSSL::SSL::SSLContext.new(version).ciphers
113
+ rescue => e
114
+ Yawast::Utilities.puts_error "\tError getting cipher suites for #{version}, skipping. (#{e.message})"
115
+ get_ciphers_failed = true
116
+ end
117
+
118
+ if ciphers != nil
119
+ ciphers.each do |cipher|
120
+ if cipher[0].include?('3DES') || cipher[0].include?('CBC3')
121
+ return true
122
+ end
123
+ end
124
+ elsif !get_ciphers_failed
125
+ Yawast::Utilities.puts_info "\t#{version}: No cipher suites available."
126
+ end
127
+ end
128
+ end
129
+
130
+ puts ''
131
+ return false
132
+ end
83
133
  end
84
134
  end
85
135
  end
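Review bot: In `check_tdes`, the `Resolv::DNS.new` resolver and the `ip` it produces are never read again before the method returns, so every SWEET32 run does a DNS lookup whose result is discarded (and `dns.getaddresses(uri.host)[0]` is nil for a host that does not resolve). The method only inspects the local OpenSSL build, so the lines from `dns = Resolv::DNS.new` through the closing `end` of the `if IPAddress.valid? uri.host` branch can be dropped. The guard also returns true as soon as any protocol version lists a 3DES/CBC3 suite; the request loop of `get_tdes_session_msg_count` lies outside the hunk, so if it pins a specific version or cipher string the guard may pass while the handshake still cannot offer 3DES, and the check is safer when it mirrors the context settings that loop uses. The inner loop reads more directly as `return true if ciphers.any? { |c| c[0].include?('3DES') || c[0].include?('CBC3') }`.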
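--- a/data/lib/scanner/ssl.rb
+++ b/data/lib/scanner/ssl.rb
@@ -160,54 +160,6 @@ module Yawast
  puts ''
  end
 
- def self.check_version_suites(uri, ip, ciphers, version)
- puts "\tChecking for #{version} suites (#{ciphers.count} possible suites)"
-
- #first, let's see if we can connect using this version - so we don't do pointless checks
- req = Yawast::Shared::Http.get_http(uri)
- req.use_ssl = uri.scheme == 'https'
- req.ssl_version = version
- begin
- req.start do |http|
- http.head(uri.path, Yawast::Shared::Http.get_headers)
- end
- rescue
- Yawast::Utilities.puts_info "\t\tVersion: #{version}\tNo Supported Cipher Suites"
- return
- end
-
- ciphers.each do |cipher|
- #try to connect and see what happens
- begin
- socket = TCPSocket.new(ip.to_s, uri.port)
- context = OpenSSL::SSL::SSLContext.new(version)
- context.ciphers = cipher[0]
- ssl = OpenSSL::SSL::SSLSocket.new(socket, context)
- ssl.hostname = uri.host
-
- ssl.connect
-
- check_cipher_strength cipher, ssl
-
- ssl.sysclose
- rescue OpenSSL::SSL::SSLError => e
- unless e.message.include?('alert handshake failure') ||
- e.message.include?('no ciphers available') ||
- e.message.include?('wrong version number') ||
- e.message.include?('alert protocol version') ||
- e.message.include?('Connection reset by peer')
- Yawast::Utilities.puts_error "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(Supported But Failed)"
- end
- rescue => e
- unless e.message.include?('Connection reset by peer')
- Yawast::Utilities.puts_error "\t\tVersion: #{''.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(#{e.message})"
- end
- ensure
- ssl.sysclose unless ssl == nil
- end
- end
- end
-
  def self.check_cipher_strength(cipher, ssl)
  if cipher[2] < 112 || cipher[0].include?('RC4')
  #less than 112 bits or RC4, flag as a vuln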
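--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -1,3 +1,3 @@
  module Yawast
- VERSION = '0.5.0.beta5'
+ VERSION = '0.5.0.beta6'
  end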
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: yawast
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0.beta5
4
+ version: 0.5.0.beta6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Adam Caudill