RubyGems - yawast - Versions diffs - 0.5.0.beta5 → 0.5.0.beta6 - Mend

yawast 0.5.0.beta5 → 0.5.0.beta6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +1 -0
data/lib/scanner/plugins/ssl/sweet32.rb +50 -0
data/lib/scanner/ssl.rb +0 -48
data/lib/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 02aa0ad73bc9e34325a0989a0e9c30a28fe2e40a
-  data.tar.gz: 0391495210e5beeff8306ad8173730f707a4a607
+  metadata.gz: a42594da84134e0108d8a69007e728c4d68f34e3
+  data.tar.gz: 8eca21aecae891e4abeb5638b36d001f9c09e83a
 SHA512:
-  metadata.gz: 32d58a74c90bab8977d103fb40a5dce202e2dd80c9a3d7bb9fb01b197944dcc9894fb8d6a2a3273952cb6398c1ab1ff8dbeb7fe167909cb6a65bb0bc3fac2903
-  data.tar.gz: 3fc7dad7e9bab7552f97f127aba85b468372f5fce27ed916db6f504b0b21d43b39ade769c547525d3fad5b8da8e768a247d59c7da757c9b627766fd4c42fbd57
+  metadata.gz: e94055f7e7f190cf08f5e9e485165a0910c8351a39277c65284a21cfdd977a1925d159a49101c86fea18451327388275b8f116b791fd7f30a60ddab1c5affaf0
+  data.tar.gz: 710427503811039ecfa1734bd391d5479060dee96cdfdea986b21a615194f7365dcb0d895d2ff7d73e1e0ed9c5bd81716f39555897221a8d2f85d9b29847a518

data/CHANGELOG.md CHANGED Viewed

@@ -11,6 +11,7 @@
 * [#91](https://github.com/adamcaudill/yawast/issues/91) - Enhanced file search
 * [#96](https://github.com/adamcaudill/yawast/issues/96) - Scan for known SRV DNS Records
 * [#97](https://github.com/adamcaudill/yawast/issues/97) - Search for Common Subdomains
+* [#100](https://github.com/adamcaudill/yawast/issues/100) - Check for missing cipher suite support
 * [#102](https://github.com/adamcaudill/yawast/issues/102) - Use SSLShake to power cipher suite enumeration
 * [#76](https://github.com/adamcaudill/yawast/issues/76) - Bug: Handle error for OpenSSL version support error
 * [#98](https://github.com/adamcaudill/yawast/issues/98) - Bug: SWEET32 Test Fails if 3DES Not Support By Latest Server Supported TLS Version

data/lib/scanner/plugins/ssl/sweet32.rb CHANGED Viewed

@@ -6,6 +6,12 @@ module Yawast
           def self.get_tdes_session_msg_count(uri)
             # this method will send a number of HEAD requests to see
             #  if the connection is eventually killed.
+            unless check_tdes(uri)
+              #if the OpenSSL install doesn't support 3DES, bailout
+              Yawast::Utilities.puts_error "Your copy of OpenSSL doesn't support 3DES cipher suites - SWEET32 test aborted."
+              return
+            end
             puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
             count = 0
@@ -80,6 +86,50 @@ module Yawast
             puts
             Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
           end
+          def self.check_tdes(uri)
+            puts 'Confirming your OpenSSL supports 3DES cipher suites...'
+            dns = Resolv::DNS.new
+            if IPAddress.valid? uri.host
+              ip = IPAddress.parse uri.host
+            else
+              ip = dns.getaddresses(uri.host)[0]
+            end
+            #find all versions that don't include '_server' or '_client'
+            versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
+            versions.each do |version|
+              #ignore SSLv23, as it's an auto-negotiate, which just adds noise
+              if version.to_s != 'SSLv23' && version.to_s != 'SSLv2'
+                #try to get the list of ciphers supported for each version
+                ciphers = nil
+                get_ciphers_failed = false
+                begin
+                  ciphers = OpenSSL::SSL::SSLContext.new(version).ciphers
+                rescue => e
+                  Yawast::Utilities.puts_error "\tError getting cipher suites for #{version}, skipping. (#{e.message})"
+                  get_ciphers_failed = true
+                end
+                if ciphers != nil
+                  ciphers.each do |cipher|
+                    if cipher[0].include?('3DES') || cipher[0].include?('CBC3')
+                      return true
+                    end
+                  end
+                elsif !get_ciphers_failed
+                  Yawast::Utilities.puts_info "\t#{version}: No cipher suites available."
+                end
+              end
+            end
+            puts ''
+            return false
+          end
         end
       end
     end

data/lib/scanner/ssl.rb CHANGED Viewed

@@ -160,54 +160,6 @@ module Yawast
         puts ''
       end
-      def self.check_version_suites(uri, ip, ciphers, version)
-        puts "\tChecking for #{version} suites (#{ciphers.count} possible suites)"
-        #first, let's see if we can connect using this version - so we don't do pointless checks
-        req = Yawast::Shared::Http.get_http(uri)
-        req.use_ssl = uri.scheme == 'https'
-        req.ssl_version = version
-        begin
-          req.start do |http|
-            http.head(uri.path, Yawast::Shared::Http.get_headers)
-          end
-        rescue
-          Yawast::Utilities.puts_info "\t\tVersion: #{version}\tNo Supported Cipher Suites"
-          return
-        end
-        ciphers.each do |cipher|
-          #try to connect and see what happens
-          begin
-            socket = TCPSocket.new(ip.to_s, uri.port)
-            context = OpenSSL::SSL::SSLContext.new(version)
-            context.ciphers = cipher[0]
-            ssl = OpenSSL::SSL::SSLSocket.new(socket, context)
-            ssl.hostname = uri.host
-            ssl.connect
-            check_cipher_strength cipher, ssl
-            ssl.sysclose
-          rescue OpenSSL::SSL::SSLError => e
-            unless e.message.include?('alert handshake failure') ||
-                e.message.include?('no ciphers available') ||
-                e.message.include?('wrong version number') ||
-                e.message.include?('alert protocol version') ||
-                e.message.include?('Connection reset by peer')
-              Yawast::Utilities.puts_error "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(Supported But Failed)"
-            end
-          rescue => e
-            unless e.message.include?('Connection reset by peer')
-              Yawast::Utilities.puts_error "\t\tVersion: #{''.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(#{e.message})"
-            end
-          ensure
-            ssl.sysclose unless ssl == nil
-          end
-        end
-      end
       def self.check_cipher_strength(cipher, ssl)
         if cipher[2] < 112 || cipher[0].include?('RC4')
           #less than 112 bits or RC4, flag as a vuln

data/lib/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.5.0.beta5'
+  VERSION = '0.5.0.beta6'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-  version: 0.5.0.beta5
+  version: 0.5.0.beta6
 platform: ruby
 authors:
 - Adam Caudill