yawast 0.5.0.beta5 → 0.5.0.beta6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +1 -0
- data/lib/scanner/plugins/ssl/sweet32.rb +50 -0
- data/lib/scanner/ssl.rb +0 -48
- data/lib/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a42594da84134e0108d8a69007e728c4d68f34e3
|
|
4
|
+
data.tar.gz: 8eca21aecae891e4abeb5638b36d001f9c09e83a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e94055f7e7f190cf08f5e9e485165a0910c8351a39277c65284a21cfdd977a1925d159a49101c86fea18451327388275b8f116b791fd7f30a60ddab1c5affaf0
|
|
7
|
+
data.tar.gz: 710427503811039ecfa1734bd391d5479060dee96cdfdea986b21a615194f7365dcb0d895d2ff7d73e1e0ed9c5bd81716f39555897221a8d2f85d9b29847a518
|
data/CHANGELOG.md
CHANGED
|
@@ -11,6 +11,7 @@
|
|
|
11
11
|
* [#91](https://github.com/adamcaudill/yawast/issues/91) - Enhanced file search
|
|
12
12
|
* [#96](https://github.com/adamcaudill/yawast/issues/96) - Scan for known SRV DNS Records
|
|
13
13
|
* [#97](https://github.com/adamcaudill/yawast/issues/97) - Search for Common Subdomains
|
|
14
|
+
* [#100](https://github.com/adamcaudill/yawast/issues/100) - Check for missing cipher suite support
|
|
14
15
|
* [#102](https://github.com/adamcaudill/yawast/issues/102) - Use SSLShake to power cipher suite enumeration
|
|
15
16
|
* [#76](https://github.com/adamcaudill/yawast/issues/76) - Bug: Handle error for OpenSSL version support error
|
|
16
17
|
* [#98](https://github.com/adamcaudill/yawast/issues/98) - Bug: SWEET32 Test Fails if 3DES Not Support By Latest Server Supported TLS Version
|
|
@@ -6,6 +6,12 @@ module Yawast
|
|
|
6
6
|
def self.get_tdes_session_msg_count(uri)
|
|
7
7
|
# this method will send a number of HEAD requests to see
|
|
8
8
|
# if the connection is eventually killed.
|
|
9
|
+
unless check_tdes(uri)
|
|
10
|
+
#if the OpenSSL install doesn't support 3DES, bailout
|
|
11
|
+
Yawast::Utilities.puts_error "Your copy of OpenSSL doesn't support 3DES cipher suites - SWEET32 test aborted."
|
|
12
|
+
return
|
|
13
|
+
end
|
|
14
|
+
|
|
9
15
|
puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
|
|
10
16
|
|
|
11
17
|
count = 0
|
|
@@ -80,6 +86,50 @@ module Yawast
|
|
|
80
86
|
puts
|
|
81
87
|
Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
|
|
82
88
|
end
|
|
89
|
+
|
|
90
|
+
def self.check_tdes(uri)
|
|
91
|
+
puts 'Confirming your OpenSSL supports 3DES cipher suites...'
|
|
92
|
+
|
|
93
|
+
dns = Resolv::DNS.new
|
|
94
|
+
|
|
95
|
+
if IPAddress.valid? uri.host
|
|
96
|
+
ip = IPAddress.parse uri.host
|
|
97
|
+
else
|
|
98
|
+
ip = dns.getaddresses(uri.host)[0]
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
#find all versions that don't include '_server' or '_client'
|
|
102
|
+
versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
|
|
103
|
+
|
|
104
|
+
versions.each do |version|
|
|
105
|
+
#ignore SSLv23, as it's an auto-negotiate, which just adds noise
|
|
106
|
+
if version.to_s != 'SSLv23' && version.to_s != 'SSLv2'
|
|
107
|
+
#try to get the list of ciphers supported for each version
|
|
108
|
+
ciphers = nil
|
|
109
|
+
|
|
110
|
+
get_ciphers_failed = false
|
|
111
|
+
begin
|
|
112
|
+
ciphers = OpenSSL::SSL::SSLContext.new(version).ciphers
|
|
113
|
+
rescue => e
|
|
114
|
+
Yawast::Utilities.puts_error "\tError getting cipher suites for #{version}, skipping. (#{e.message})"
|
|
115
|
+
get_ciphers_failed = true
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
if ciphers != nil
|
|
119
|
+
ciphers.each do |cipher|
|
|
120
|
+
if cipher[0].include?('3DES') || cipher[0].include?('CBC3')
|
|
121
|
+
return true
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
elsif !get_ciphers_failed
|
|
125
|
+
Yawast::Utilities.puts_info "\t#{version}: No cipher suites available."
|
|
126
|
+
end
|
|
127
|
+
end
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
puts ''
|
|
131
|
+
return false
|
|
132
|
+
end
|
|
83
133
|
end
|
|
84
134
|
end
|
|
85
135
|
end
|
data/lib/scanner/ssl.rb
CHANGED
|
@@ -160,54 +160,6 @@ module Yawast
|
|
|
160
160
|
puts ''
|
|
161
161
|
end
|
|
162
162
|
|
|
163
|
-
def self.check_version_suites(uri, ip, ciphers, version)
|
|
164
|
-
puts "\tChecking for #{version} suites (#{ciphers.count} possible suites)"
|
|
165
|
-
|
|
166
|
-
#first, let's see if we can connect using this version - so we don't do pointless checks
|
|
167
|
-
req = Yawast::Shared::Http.get_http(uri)
|
|
168
|
-
req.use_ssl = uri.scheme == 'https'
|
|
169
|
-
req.ssl_version = version
|
|
170
|
-
begin
|
|
171
|
-
req.start do |http|
|
|
172
|
-
http.head(uri.path, Yawast::Shared::Http.get_headers)
|
|
173
|
-
end
|
|
174
|
-
rescue
|
|
175
|
-
Yawast::Utilities.puts_info "\t\tVersion: #{version}\tNo Supported Cipher Suites"
|
|
176
|
-
return
|
|
177
|
-
end
|
|
178
|
-
|
|
179
|
-
ciphers.each do |cipher|
|
|
180
|
-
#try to connect and see what happens
|
|
181
|
-
begin
|
|
182
|
-
socket = TCPSocket.new(ip.to_s, uri.port)
|
|
183
|
-
context = OpenSSL::SSL::SSLContext.new(version)
|
|
184
|
-
context.ciphers = cipher[0]
|
|
185
|
-
ssl = OpenSSL::SSL::SSLSocket.new(socket, context)
|
|
186
|
-
ssl.hostname = uri.host
|
|
187
|
-
|
|
188
|
-
ssl.connect
|
|
189
|
-
|
|
190
|
-
check_cipher_strength cipher, ssl
|
|
191
|
-
|
|
192
|
-
ssl.sysclose
|
|
193
|
-
rescue OpenSSL::SSL::SSLError => e
|
|
194
|
-
unless e.message.include?('alert handshake failure') ||
|
|
195
|
-
e.message.include?('no ciphers available') ||
|
|
196
|
-
e.message.include?('wrong version number') ||
|
|
197
|
-
e.message.include?('alert protocol version') ||
|
|
198
|
-
e.message.include?('Connection reset by peer')
|
|
199
|
-
Yawast::Utilities.puts_error "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(Supported But Failed)"
|
|
200
|
-
end
|
|
201
|
-
rescue => e
|
|
202
|
-
unless e.message.include?('Connection reset by peer')
|
|
203
|
-
Yawast::Utilities.puts_error "\t\tVersion: #{''.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(#{e.message})"
|
|
204
|
-
end
|
|
205
|
-
ensure
|
|
206
|
-
ssl.sysclose unless ssl == nil
|
|
207
|
-
end
|
|
208
|
-
end
|
|
209
|
-
end
|
|
210
|
-
|
|
211
163
|
def self.check_cipher_strength(cipher, ssl)
|
|
212
164
|
if cipher[2] < 112 || cipher[0].include?('RC4')
|
|
213
165
|
#less than 112 bits or RC4, flag as a vuln
|
data/lib/version.rb
CHANGED