Imported Upstream version 1.11.4
Sophie Brun
8 years ago
0 | 0 | Changelog |
1 | 1 | ========= |
2 | ||
3 | Version: 1.11.4 | |
4 | Date : 06/03/2016 | |
5 | Author : rbsec <[email protected]> | |
6 | Changes: The following are a list of changes | |
7 | > Fix compression detection (credit nuxi) | |
8 | > Added support for PostgreSQL (credit nuxi) | |
9 | ||
10 | Version: 1.11.3 | |
11 | Date : 03/03/2016 | |
12 | Author : rbsec <[email protected]> | |
13 | Changes: The following are a list of changes | |
14 | > Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL | |
15 | ||
16 | Version: 1.11.2 | |
17 | Date : 02/03/2016 | |
18 | Author : rbsec <[email protected]> | |
19 | Changes: The following are a list of changes | |
20 | > Makefile improvements | |
21 | > Update OpenSSL from Git when statically building | |
22 | > Use enable-ssl2 and enable-weak-ciphers when building statically | |
2 | 23 | |
3 | 24 | Version: 1.11.1 |
4 | 25 | Date : 11/12/2015 |
13 | 13 | OS := $(shell uname) |
14 | 14 | |
15 | 15 | SRCS = sslscan.c |
16 | BINPATH = $(DESTDIR)/usr/bin/ | |
17 | MANPATH = $(DESTDIR)/usr/share/man/ | |
16 | PREFIX = /usr | |
17 | BINDIR = $(PREFIX)/bin | |
18 | MANDIR = $(PREFIX)/share/man | |
19 | MAN1DIR = $(MANDIR)/man1 | |
18 | 20 | |
19 | 21 | WARNINGS = -Wall -Wformat=2 |
20 | 22 | DEFINES = -DVERSION=\"$(GIT_VERSION)\" |
27 | 29 | PWD = $(shell pwd)/openssl |
28 | 30 | LDFLAGS += -L${PWD}/ |
29 | 31 | CFLAGS += -I${PWD}/include/ -I${PWD}/ |
30 | LIBS = -lssl -lcrypto -ldl | |
32 | LIBS = -lssl -lcrypto -ldl -lz | |
31 | 33 | GIT_VERSION := $(GIT_VERSION)-static |
32 | 34 | else |
33 | 35 | # for dynamic linking |
35 | 37 | CFLAGS += -I/usr/local/ssl/include/ -I/usr/local/ssl/include/openssl/ -I/usr/local/opt/openssl/include |
36 | 38 | endif |
37 | 39 | |
38 | .PHONY: sslscan clean | |
40 | .PHONY: all sslscan clean install uninstall static opensslpull | |
39 | 41 | |
40 | 42 | all: sslscan |
41 | 43 | @echo |
50 | 52 | sslscan: $(SRCS) |
51 | 53 | $(CC) -o $@ ${WARNINGS} ${LDFLAGS} ${CFLAGS} ${CPPFLAGS} ${DEFINES} ${SRCS} ${LIBS} |
52 | 54 | |
53 | install: | |
54 | mkdir -p $(BINPATH) | |
55 | mkdir -p $(MANPATH)man1/ | |
56 | cp sslscan $(BINPATH) | |
57 | cp sslscan.1 $(MANPATH)man1/ | |
55 | install: sslscan | |
56 | mkdir -p $(DESTDIR)$(BINDIR) | |
57 | mkdir -p $(DESTDIR)$(MAN1DIR) | |
58 | cp sslscan $(DESTDIR)$(BINDIR) | |
59 | cp sslscan.1 $(DESTDIR)$(MAN1DIR) | |
58 | 60 | |
59 | 61 | uninstall: |
60 | rm -f $(BINPATH)sslscan | |
61 | rm -f $(MANPATH)man1/sslscan.1 | |
62 | rm -f $(DESTDIR)$(BINDIR)/sslscan | |
63 | rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1 | |
62 | 64 | |
63 | openssl/Makefile: | |
64 | [ -d openssl -a -d openssl/.git ] && true || git clone https://github.com/openssl/openssl ./openssl && cd ./openssl && git checkout OpenSSL_1_0_2-stable | |
65 | .openssl.is.fresh: opensslpull | |
66 | true | |
67 | opensslpull: | |
68 | if [ -d openssl -a -d openssl/.git ]; then \ | |
69 | cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \ | |
70 | else \ | |
71 | git clone https://github.com/openssl/openssl ./openssl && cd ./openssl && git checkout OpenSSL_1_0_2-stable && touch ../.openssl.is.fresh ; \ | |
72 | fi | |
73 | sed -i 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c | |
65 | 74 | |
66 | 75 | # Need to build OpenSSL differently on OSX |
67 | 76 | ifeq ($(OS), Darwin) |
77 | openssl/Makefile: .openssl.is.fresh | |
78 | cd ./openssl; ./Configure darwin64-x86_64-cc | |
79 | # Any other *NIX platform | |
80 | else | |
81 | openssl/Makefile: .openssl.is.fresh | |
82 | cd ./openssl; ./config no-shares enable-weak-ssl-ciphers enable-ssl2 zlib | |
83 | endif | |
84 | ||
68 | 85 | openssl/libcrypto.a: openssl/Makefile |
69 | cd ./openssl; ./Configure darwin64-x86_64-cc | |
70 | 86 | $(MAKE) -C openssl depend |
71 | 87 | $(MAKE) -C openssl all |
72 | 88 | $(MAKE) -C openssl test |
73 | ||
74 | # Any other *NIX platform | |
75 | else | |
76 | openssl/libcrypto.a: openssl/Makefile | |
77 | cd ./openssl; ./config no-shares | |
78 | $(MAKE) -C openssl depend | |
79 | $(MAKE) -C openssl all | |
80 | $(MAKE) -C openssl test | |
81 | endif | |
82 | 89 | |
83 | 90 | static: openssl/libcrypto.a |
84 | 91 | $(MAKE) sslscan STATIC_BUILD=TRUE |
86 | 93 | clean: |
87 | 94 | if [ -d openssl -a -d openssl/.git ]; then ( cd ./openssl; git clean -fx ); fi; |
88 | 95 | rm -f sslscan |
96 | rm -f .openssl.is.fresh |
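Review bot: The `opensslpull` recipe clones and pulls the tip of `OpenSSL_1_0_2-stable` at build time, so a static build links whatever that branch holds on the day, with no pinned commit or tag to compare against a reviewed revision; I would record a fixed ref in the Makefile and check that out, e.g. `git checkout $(OPENSSL_REF)` (the variable name is my suggestion, not something in the file). The following `sed -i 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c` flips every `# if 0` in a tracked file on each run, which leaves the clone modified for the next `git pull` and would enable unrelated blocks without any error if upstream adds one; a patch file applied with context checking fails loudly instead. `sed -i` with no suffix argument is GNU sed syntax, and this Makefile has a Darwin branch. On that branch `./Configure darwin64-x86_64-cc` does not receive `enable-weak-ssl-ciphers enable-ssl2 zlib`, so a static macOS build probably reports fewer SSLv2, weak-cipher and compression findings than the Linux one.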
34 | 34 | * Flag expired certificates |
35 | 35 | * Flag TLSv1.0 ciphers in output as weak. |
36 | 36 | * Experimental OSX support (static building only) |
37 | * Support for scanning PostgreSQL servers (credit nuxi) | |
37 | 38 | |
38 | 39 | ### Building on Windows |
39 | 40 | Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can |
67 | 68 | To compile your own OpenSSL version, you'll probably need to install the |
68 | 69 | OpenSSL build dependencies: |
69 | 70 | |
70 | apt-get install build-essential git | |
71 | apt-get install build-essential git zlib1g-dev | |
71 | 72 | apt-get build-dep openssl |
72 | 73 | |
73 | 74 | then run |
135 | 135 | .br |
136 | 136 | Note that some servers hang when we try to use SSLv3 ciphers over STARTTLS. If you scan hangs, try using the --tlsall option. |
137 | 137 | .TP |
138 | .B \-\-starttls\-psql | |
139 | STARTTLS setup for PostgreSQL | |
140 | .TP | |
138 | 141 | .B \-\-starttls\-xmpp |
139 | 142 | STARTTLS setup for XMPP |
140 | 143 | .TP |
75 | 75 | #include <openssl/x509.h> |
76 | 76 | #include <openssl/x509v3.h> |
77 | 77 | #include <openssl/ocsp.h> |
78 | #ifndef OPENSSL_NO_COMP | |
79 | #include <openssl/comp.h> | |
80 | #endif | |
78 | 81 | |
79 | 82 | // If we're not compiling with Visual Studio, include unistd.h. VS |
80 | 83 | // doesn't have this header. |
451 | 454 | printf_verbose("Server reported: %s\n", buffer); |
452 | 455 | } |
453 | 456 | |
457 | if (options->starttls_psql == true && tlsStarted == false) | |
458 | { | |
459 | unsigned char buffer; | |
460 | ||
461 | tlsStarted = 1; | |
462 | ||
463 | // Send SSLRequest packet | |
464 | send(socketDescriptor, "\x00\x00\x00\x08\x04\xd2\x16\x2f", 8, 0); | |
465 | ||
466 | // Read reply byte | |
467 | if (1 != recv(socketDescriptor, &buffer, 1, 0)) { | |
468 | printf_error("%s ERROR: unexpected EOF reading from %s:%d%s\n", COL_RED, options->host, options->port, RESET); | |
469 | return 0; | |
470 | } | |
471 | ||
472 | if (buffer != 'S') { | |
473 | printf_error("%s ERROR: server at %s:%d%s rejected TLS startup\n", COL_RED, options->host, options->port, RESET); | |
474 | return 0; | |
475 | } | |
476 | } | |
477 | ||
454 | 478 | // Setup an RDP socket with preamble |
455 | 479 | // Borrowed from https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/ |
456 | 480 | if (options->rdp == true && tlsStarted == false) |
483 | 507 | return 0; |
484 | 508 | } |
485 | 509 | } |
510 | ||
486 | 511 | // Return |
487 | 512 | return socketDescriptor; |
488 | 513 | } |
719 | 744 | SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT); |
720 | 745 | #endif |
721 | 746 | |
747 | #ifdef SSL_OP_NO_COMPRESSION | |
748 | // Make sure to clear the no compression flag | |
749 | SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION); | |
750 | #endif | |
751 | ||
722 | 752 | if (ssl != NULL) |
723 | 753 | { |
724 | 754 | // Connect socket and BIO |
738 | 768 | session = *SSL_get_session(ssl); |
739 | 769 | |
740 | 770 | #ifndef OPENSSL_NO_COMP |
741 | printf_xml(" <compression supported=\"%d\" />\n", | |
742 | session.compress_meth); | |
743 | ||
744 | if (session.compress_meth == 0) | |
771 | // Make sure zlib is actually present | |
772 | if (COMP_zlib()->type != NID_undef) | |
745 | 773 | { |
746 | printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET); | |
774 | printf_xml(" <compression supported=\"%d\" />\n", | |
775 | session.compress_meth); | |
776 | ||
777 | if (session.compress_meth == 0) | |
778 | { | |
779 | printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET); | |
780 | } | |
781 | else | |
782 | { | |
783 | printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET); | |
784 | } | |
747 | 785 | } |
748 | 786 | else |
787 | #endif | |
749 | 788 | { |
750 | printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET); | |
789 | printf("%sOpenSSL version does not support compression%s\n", COL_RED, RESET); | |
790 | printf("%sRebuild with zlib1g-dev package for zlib support%s\n\n", COL_RED, RESET); | |
751 | 791 | } |
752 | #endif | |
753 | 792 | |
754 | 793 | // Disconnect SSL over socket |
755 | 794 | SSL_shutdown(ssl); |
3087 | 3126 | options.starttls_pop3 = false; |
3088 | 3127 | options.starttls_smtp = false; |
3089 | 3128 | options.starttls_xmpp = false; |
3129 | options.starttls_psql = false; | |
3090 | 3130 | options.xmpp_server = false; |
3091 | 3131 | options.verbose = false; |
3092 | 3132 | options.cipher_details = true; |
3229 | 3269 | // StartTLS... XMPP |
3230 | 3270 | else if (strcmp("--starttls-xmpp", argv[argLoop]) == 0) |
3231 | 3271 | options.starttls_xmpp = true; |
3272 | ||
3273 | // StartTLS... PostgreSQL | |
3274 | else if (strcmp("--starttls-psql", argv[argLoop]) == 0) | |
3275 | options.starttls_psql = true; | |
3276 | ||
3232 | 3277 | #ifndef OPENSSL_NO_SSL2 |
3233 | 3278 | // SSL v2 only... |
3234 | 3279 | else if (strcmp("--ssl2", argv[argLoop]) == 0) |
3348 | 3393 | else if (options.port == 0) { |
3349 | 3394 | if (options.starttls_ftp) |
3350 | 3395 | options.port = 21; |
3351 | if (options.starttls_imap) | |
3396 | else if (options.starttls_imap) | |
3352 | 3397 | options.port = 143; |
3353 | if (options.starttls_irc) | |
3398 | else if (options.starttls_irc) | |
3354 | 3399 | options.port = 6667; |
3355 | if (options.starttls_pop3) | |
3400 | else if (options.starttls_pop3) | |
3356 | 3401 | options.port = 110; |
3357 | if (options.starttls_smtp) | |
3402 | else if (options.starttls_smtp) | |
3358 | 3403 | options.port = 25; |
3359 | if (options.starttls_xmpp) | |
3404 | else if (options.starttls_xmpp) | |
3360 | 3405 | options.port = 5222; |
3361 | if (options.rdp) | |
3406 | else if (options.starttls_psql) | |
3407 | options.port = 5432; | |
3408 | else if (options.rdp) | |
3362 | 3409 | options.port = 3389; |
3363 | if (options.port == 0) | |
3410 | else | |
3364 | 3411 | options.port = 443; |
3365 | 3412 | } |
3366 | 3413 | } |
3457 | 3504 | printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET); |
3458 | 3505 | printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET); |
3459 | 3506 | printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET); |
3507 | printf(" %s--starttls-psql%s STARTTLS setup for PostgreSQL\n", COL_GREEN, RESET); | |
3460 | 3508 | printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake\n", COL_GREEN, RESET); |
3461 | 3509 | printf(" %s--http%s Test a HTTP connection\n", COL_GREEN, RESET); |
3462 | 3510 | printf(" %s--rdp%s Send RDP preamble before starting scan\n", COL_GREEN, RESET); |
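Review bot: `SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION);` (new line 749) is called before the `if (ssl != NULL)` test at new line 752, so a NULL `ssl` reaches the OpenSSL call before the check that is meant to guard it; moving the `#ifdef SSL_OP_NO_COMPRESSION` block inside that `if` body avoids this (the `SSL_set_options` call just above it in the context has the same ordering). In the `starttls_psql` block the `send()` result is ignored and a `recv()` error is reported as an unexpected EOF, so a failed write shows up as a misleading read error; `if (send(socketDescriptor, ..., 8, 0) != 8)` with its own message would separate the two, and a comment saying the eight bytes are the PostgreSQL SSLRequest message (length 8, request code 80877103) would explain the literal. Both failure paths `return 0` without a visible close of `socketDescriptor`; the function starts outside this hunk, so whether the caller or earlier code handles that cannot be confirmed here. `COMP_zlib()->type` reads a struct field directly, which presumably ties this check to OpenSSL releases where `COMP_METHOD` is not opaque.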