Commit upstream/1.11.4 - sslscan

Imported Upstream version 1.11.4 Sophie Brun 8 years ago

7 changed file(s) with 121 addition(s) and 38 deletion(s). Raw diff Collapse all Expand all

-0

.gitignore less more

13	13
14	14	# custom openssl build
15	15	openssl/
	16	.openssl.is.fresh

+21

-0

Changelog less more

0	0	Changelog
1	1	=========
	2
	3	Version: 1.11.4
	4	Date : 06/03/2016
	5	Author : rbsec <[email protected]>
	6	Changes: The following are a list of changes
	7	> Fix compression detection (credit nuxi)
	8	> Added support for PostgreSQL (credit nuxi)
	9
	10	Version: 1.11.3
	11	Date : 03/03/2016
	12	Author : rbsec <[email protected]>
	13	Changes: The following are a list of changes
	14	> Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL
	15
	16	Version: 1.11.2
	17	Date : 02/03/2016
	18	Author : rbsec <[email protected]>
	19	Changes: The following are a list of changes
	20	> Makefile improvements
	21	> Update OpenSSL from Git when statically building
	22	> Use enable-ssl2 and enable-weak-ciphers when building statically
2	23
3	24	Version: 1.11.1
4	25	Date : 11/12/2015

+31

-23

Makefile less more

13	13	OS := $(shell uname)
14	14
15	15	SRCS = sslscan.c
16		BINPATH = $(DESTDIR)/usr/bin/
17		MANPATH = $(DESTDIR)/usr/share/man/
	16	PREFIX = /usr
	17	BINDIR = $(PREFIX)/bin
	18	MANDIR = $(PREFIX)/share/man
	19	MAN1DIR = $(MANDIR)/man1
18	20
19	21	WARNINGS = -Wall -Wformat=2
20	22	DEFINES = -DVERSION=\"$(GIT_VERSION)\"

27	29	PWD = $(shell pwd)/openssl
28	30	LDFLAGS += -L${PWD}/
29	31	CFLAGS += -I${PWD}/include/ -I${PWD}/
30		LIBS = -lssl -lcrypto -ldl
	32	LIBS = -lssl -lcrypto -ldl -lz
31	33	GIT_VERSION := $(GIT_VERSION)-static
32	34	else
33	35	# for dynamic linking

35	37	CFLAGS += -I/usr/local/ssl/include/ -I/usr/local/ssl/include/openssl/ -I/usr/local/opt/openssl/include
36	38	endif
37	39
38		.PHONY: sslscan clean
	40	.PHONY: all sslscan clean install uninstall static opensslpull
39	41
40	42	all: sslscan
41	43	@echo

50	52	sslscan: $(SRCS)
51	53	$(CC) -o $@ ${WARNINGS} ${LDFLAGS} ${CFLAGS} ${CPPFLAGS} ${DEFINES} ${SRCS} ${LIBS}
52	54
53		install:
54		mkdir -p $(BINPATH)
55		mkdir -p $(MANPATH)man1/
56		cp sslscan $(BINPATH)
57		cp sslscan.1 $(MANPATH)man1/
	55	install: sslscan
	56	mkdir -p $(DESTDIR)$(BINDIR)
	57	mkdir -p $(DESTDIR)$(MAN1DIR)
	58	cp sslscan $(DESTDIR)$(BINDIR)
	59	cp sslscan.1 $(DESTDIR)$(MAN1DIR)
58	60
59	61	uninstall:
60		rm -f $(BINPATH)sslscan
61		rm -f $(MANPATH)man1/sslscan.1
	62	rm -f $(DESTDIR)$(BINDIR)/sslscan
	63	rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1
62	64
63		openssl/Makefile:
64		[ -d openssl -a -d openssl/.git ] && true \|\| git clone https://github.com/openssl/openssl ./openssl && cd ./openssl && git checkout OpenSSL_1_0_2-stable
	65	.openssl.is.fresh: opensslpull
	66	true
	67	opensslpull:
	68	if [ -d openssl -a -d openssl/.git ]; then \
	69	cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull \| grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] \|\| touch ../.openssl.is.fresh ; \
	70	else \
	71	git clone https://github.com/openssl/openssl ./openssl && cd ./openssl && git checkout OpenSSL_1_0_2-stable && touch ../.openssl.is.fresh ; \
	72	fi
	73	sed -i 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c
65	74
66	75	# Need to build OpenSSL differently on OSX
67	76	ifeq ($(OS), Darwin)
	77	openssl/Makefile: .openssl.is.fresh
	78	cd ./openssl; ./Configure darwin64-x86_64-cc
	79	# Any other *NIX platform
	80	else
	81	openssl/Makefile: .openssl.is.fresh
	82	cd ./openssl; ./config no-shares enable-weak-ssl-ciphers enable-ssl2 zlib
	83	endif
	84
68	85	openssl/libcrypto.a: openssl/Makefile
69		cd ./openssl; ./Configure darwin64-x86_64-cc
70	86	$(MAKE) -C openssl depend
71	87	$(MAKE) -C openssl all
72	88	$(MAKE) -C openssl test
73
74		# Any other *NIX platform
75		else
76		openssl/libcrypto.a: openssl/Makefile
77		cd ./openssl; ./config no-shares
78		$(MAKE) -C openssl depend
79		$(MAKE) -C openssl all
80		$(MAKE) -C openssl test
81		endif
82	89
83	90	static: openssl/libcrypto.a
84	91	$(MAKE) sslscan STATIC_BUILD=TRUE

86	93	clean:
87	94	if [ -d openssl -a -d openssl/.git ]; then ( cd ./openssl; git clean -fx ); fi;
88	95	rm -f sslscan
	96	rm -f .openssl.is.fresh

-1

README.md less more

34	34	* Flag expired certificates
35	35	* Flag TLSv1.0 ciphers in output as weak.
36	36	* Experimental OSX support (static building only)
	37	* Support for scanning PostgreSQL servers (credit nuxi)
37	38
38	39	### Building on Windows
39	40	Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can

67	68	To compile your own OpenSSL version, you'll probably need to install the
68	69	OpenSSL build dependencies:
69	70
70		apt-get install build-essential git
	71	apt-get install build-essential git zlib1g-dev
71	72	apt-get build-dep openssl
72	73
73	74	then run

-0

sslscan.1 less more

135	135	.br
136	136	Note that some servers hang when we try to use SSLv3 ciphers over STARTTLS. If you scan hangs, try using the --tlsall option.
137	137	.TP
	138	.B \-\-starttls\-psql
	139	STARTTLS setup for PostgreSQL
	140	.TP
138	141	.B \-\-starttls\-xmpp
139	142	STARTTLS setup for XMPP
140	143	.TP

+62

-14

sslscan.c less more

75	75	#include <openssl/x509.h>
76	76	#include <openssl/x509v3.h>
77	77	#include <openssl/ocsp.h>
	78	#ifndef OPENSSL_NO_COMP
	79	#include <openssl/comp.h>
	80	#endif
78	81
79	82	// If we're not compiling with Visual Studio, include unistd.h. VS
80	83	// doesn't have this header.

451	454	printf_verbose("Server reported: %s\n", buffer);
452	455	}
453	456
	457	if (options->starttls_psql == true && tlsStarted == false)
	458	{
	459	unsigned char buffer;
	460
	461	tlsStarted = 1;
	462
	463	// Send SSLRequest packet
	464	send(socketDescriptor, "\x00\x00\x00\x08\x04\xd2\x16\x2f", 8, 0);
	465
	466	// Read reply byte
	467	if (1 != recv(socketDescriptor, &buffer, 1, 0)) {
	468	printf_error("%s ERROR: unexpected EOF reading from %s:%d%s\n", COL_RED, options->host, options->port, RESET);
	469	return 0;
	470	}
	471
	472	if (buffer != 'S') {
	473	printf_error("%s ERROR: server at %s:%d%s rejected TLS startup\n", COL_RED, options->host, options->port, RESET);
	474	return 0;
	475	}
	476	}
	477
454	478	// Setup an RDP socket with preamble
455	479	// Borrowed from https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/
456	480	if (options->rdp == true && tlsStarted == false)

483	507	return 0;
484	508	}
485	509	}
	510
486	511	// Return
487	512	return socketDescriptor;
488	513	}

719	744	SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
720	745	#endif
721	746
	747	#ifdef SSL_OP_NO_COMPRESSION
	748	// Make sure to clear the no compression flag
	749	SSL_clear_options(ssl, SSL_OP_NO_COMPRESSION);
	750	#endif
	751
722	752	if (ssl != NULL)
723	753	{
724	754	// Connect socket and BIO

738	768	session = *SSL_get_session(ssl);
739	769
740	770	#ifndef OPENSSL_NO_COMP
741		printf_xml(" <compression supported=\"%d\" />\n",
742		session.compress_meth);
743
744		if (session.compress_meth == 0)
	771	// Make sure zlib is actually present
	772	if (COMP_zlib()->type != NID_undef)
745	773	{
746		printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET);
	774	printf_xml(" <compression supported=\"%d\" />\n",
	775	session.compress_meth);
	776
	777	if (session.compress_meth == 0)
	778	{
	779	printf("Compression %sdisabled%s\n\n", COL_GREEN, RESET);
	780	}
	781	else
	782	{
	783	printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET);
	784	}
747	785	}
748	786	else
	787	#endif
749	788	{
750		printf("Compression %senabled%s (CRIME)\n\n", COL_RED, RESET);
	789	printf("%sOpenSSL version does not support compression%s\n", COL_RED, RESET);
	790	printf("%sRebuild with zlib1g-dev package for zlib support%s\n\n", COL_RED, RESET);
751	791	}
752		#endif
753	792
754	793	// Disconnect SSL over socket
755	794	SSL_shutdown(ssl);

3087	3126	options.starttls_pop3 = false;
3088	3127	options.starttls_smtp = false;
3089	3128	options.starttls_xmpp = false;
	3129	options.starttls_psql = false;
3090	3130	options.xmpp_server = false;
3091	3131	options.verbose = false;
3092	3132	options.cipher_details = true;

3229	3269	// StartTLS... XMPP
3230	3270	else if (strcmp("--starttls-xmpp", argv[argLoop]) == 0)
3231	3271	options.starttls_xmpp = true;
	3272
	3273	// StartTLS... PostgreSQL
	3274	else if (strcmp("--starttls-psql", argv[argLoop]) == 0)
	3275	options.starttls_psql = true;
	3276
3232	3277	#ifndef OPENSSL_NO_SSL2
3233	3278	// SSL v2 only...
3234	3279	else if (strcmp("--ssl2", argv[argLoop]) == 0)

3348	3393	else if (options.port == 0) {
3349	3394	if (options.starttls_ftp)
3350	3395	options.port = 21;
3351		if (options.starttls_imap)
	3396	else if (options.starttls_imap)
3352	3397	options.port = 143;
3353		if (options.starttls_irc)
	3398	else if (options.starttls_irc)
3354	3399	options.port = 6667;
3355		if (options.starttls_pop3)
	3400	else if (options.starttls_pop3)
3356	3401	options.port = 110;
3357		if (options.starttls_smtp)
	3402	else if (options.starttls_smtp)
3358	3403	options.port = 25;
3359		if (options.starttls_xmpp)
	3404	else if (options.starttls_xmpp)
3360	3405	options.port = 5222;
3361		if (options.rdp)
	3406	else if (options.starttls_psql)
	3407	options.port = 5432;
	3408	else if (options.rdp)
3362	3409	options.port = 3389;
3363		if (options.port == 0)
	3410	else
3364	3411	options.port = 443;
3365	3412	}
3366	3413	}

3457	3504	printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET);
3458	3505	printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET);
3459	3506	printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET);
	3507	printf(" %s--starttls-psql%s STARTTLS setup for PostgreSQL\n", COL_GREEN, RESET);
3460	3508	printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake\n", COL_GREEN, RESET);
3461	3509	printf(" %s--http%s Test a HTTP connection\n", COL_GREEN, RESET);
3462	3510	printf(" %s--rdp%s Send RDP preamble before starting scan\n", COL_GREEN, RESET);

-0

sslscan.h less more

126	126	int starttls_pop3;
127	127	int starttls_smtp;
128	128	int starttls_xmpp;
	129	int starttls_psql;
129	130	int xmpp_server;
130	131	int sslVersion;
131	132	int targets;