SSL Tests - v2, weak ciphers, MD5, Renegotiation


#!/usr/bin/env bash

# Description:
#       Script to extract the most security relevant details from a 
#       target SSL/TLS implementation by using sslscan.
# Author:  Raul Siles (raul _AT_ taddong _DOT_ com)
#          Taddong (www.taddong.com)
# Date:    2011-05-27
# Version: 1.0
#
# - Current SSL/TLS tests: 
#   SSLv2, NULL cipher, weak ciphers -key length-, strong 
#   ciphers -AES-, MD5 signed cert, SSL/TLS renegotiation
#
# Requires: 
# - sslscan
# https://sourceforge.net/projects/sslscan/
#
# Credits: Based on ssl_test.sh by Aung Khant, http://yehg.net.
# 

#
# /**************************************************************************
# *   Copyright 2011 by Taddong (Raul Siles)                                *
# *                                                                         *
# *   This program is free software; you can redistribute it and/or modify  *
# *   it under the terms of the GNU General Public License as published by  *
# *   the Free Software Foundation; either version 3 of the License, or     *
# *   (at your option) any later version.                                   *
# *                                                                         *
# *   This program is distributed in the hope that it will be useful,       *
# *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
# *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
# *   GNU General Public License for more details.                          *
# *                                                                         *
# *   You should have received a copy of the GNU General Public License     *
# *   along with this program. If not, see .  *
# *                                                                         *
# **************************************************************************/
#

VERSION=1.0

OPENSSLVERSION=$(openssl version)
SSLSCANVERSION=$(sslscan --version | grep version | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")

echo ------------------------------------------------------
echo " TLSSLed - ($VERSION) based on sslscan and openssl"
echo " by Raul Siles (www.taddong.com)"
echo " ( inspired by ssl_test.sh by Aung Khant )"
echo ------------------------------------------------------
echo + openssl version: $OPENSSLVERSION
echo + $SSLSCANVERSION
echo ------------------------------------------------------
echo

if [ $# -ne 2 ]; then 
   echo Usage: $0 IP PORT
   exit
fi

HOST=$1
PORT=$2

echo  [*] Analyzing SSL/TLS on $HOST:$PORT ...
echo 

# Run sslcan once, store the results to a log file and
# analyze that file for all the different tests:
DATE=$(date +%F_%R:%S)
TARGET=$HOST:$PORT
LOGFILE=sslscan\_$TARGET\_$DATE.log
ERRFILE=sslscan\_$TARGET\_$DATE.err

echo [*] Running sslscan on $HOST:$PORT...
sslscan $HOST:$PORT > $LOGFILE 2> $ERRFILE

echo
echo [*] Testing for SSLv2 ...
cat $LOGFILE | grep "Accepted  SSLv2"
echo
echo [*] Testing for NULL cipher ...
cat $LOGFILE | grep "NULL" | grep Accepted
echo
echo [*] Testing for weak ciphers \(based on key length\) ...
cat $LOGFILE | grep " 40 bits" | grep Accepted
echo 
cat $LOGFILE | grep " 56 bits" | grep Accepted
echo
echo [*] Testing for strong ciphers \(AES\) ...
cat $LOGFILE | grep "AES" | grep Accepted

echo 
echo [*] Testing for MD5 signed certificate ...
#cat $LOGFILE | grep -E 'MD5WithRSAEncryption|md5WithRSAEncryption'
cat $LOGFILE | grep -i 'MD5WithRSAEncryption'

echo 
echo [*] Checking preferred server ciphers ...
cat $LOGFILE | sed '/Prefered Server Cipher(s):/,/^$/!d' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"

echo
echo [*] Testing for SSLv3/TLSv1 renegotiation vuln. \(CVE-2009-3555\) ...
#echo [*] echo R \| openssl s_client -connect $HOST:$PORT \| grep "DONE"
#
# Renegotiation details go to stderr (2>)
#
# if $OPENSSLVERSION is updated (version?) it supports RFC5746 and will print:
# Secure Renegotiation IS NOT supported
# Secure Renegotiation IS supported
#

echo R | openssl s_client -connect $HOST:$PORT | grep -E "Secure Renegotiation IS|DONE"

echo
echo [*] New files created:
ls -l $LOGFILE
if [ ! -s $ERRFILE ]; then
        # Error file is empty
        rm $ERRFILE
else
        ls -l $ERRFILE
fi

echo
echo 
echo [*] done
echo

Submitted by Aung Khant and updated by Raul Siles

#!/usr/bin/env bash # Description: # Script to extract the most security relevant details from a # target SSL/TLS implementation by using sslscan. # Author: Raul Siles (raul _AT_ taddong _DOT_ com) # Taddong (www.taddong.com) # Date: 2011-05-27 # Version: 1.0 # # - Current SSL/TLS tests: # SSLv2, NULL cipher, weak ciphers -key length-, strong # ciphers -AES-, MD5 signed cert, SSL/TLS renegotiation # # Requires: # - sslscan # https://sourceforge.net/projects/sslscan/ # # Credits: Based on ssl_test.sh by Aung Khant, http://yehg.net. # # # /************************************************************************** # * Copyright 2011 by Taddong (Raul Siles) * # * * # * This program is free software; you can redistribute it and/or modify * # * it under the terms of the GNU General Public License as published by * # * the Free Software Foundation; either version 3 of the License, or * # * (at your option) any later version. * # * * # * This program is distributed in the hope that it will be useful, * # * but WITHOUT ANY WARRANTY; without even the implied warranty of * # * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * # * GNU General Public License for more details. * # * * # * You should have received a copy of the GNU General Public License * # * along with this program. If not, see <http://www.gnu.org/licenses/>. * # * * # **************************************************************************/ # VERSION=1.0 OPENSSLVERSION=$(openssl version) SSLSCANVERSION=$(sslscan --version | grep version | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g") echo ------------------------------------------------------ echo " TLSSLed - ($VERSION) based on sslscan and openssl" echo " by Raul Siles (www.taddong.com)" echo " ( inspired by ssl_test.sh by Aung Khant )" echo ------------------------------------------------------ echo + openssl version: $OPENSSLVERSION echo + $SSLSCANVERSION echo ------------------------------------------------------ echo if [ $# -ne 2 ]; then echo Usage: $0 IP PORT exit fi HOST=$1 PORT=$2 echo [*] Analyzing SSL/TLS on $HOST:$PORT ... echo # Run sslcan once, store the results to a log file and # analyze that file for all the different tests: DATE=$(date +%F_%R:%S) TARGET=$HOST:$PORT LOGFILE=sslscan\_$TARGET\_$DATE.log ERRFILE=sslscan\_$TARGET\_$DATE.err echo [*] Running sslscan on $HOST:$PORT... sslscan $HOST:$PORT > $LOGFILE 2> $ERRFILE echo echo [*] Testing for SSLv2 ... cat $LOGFILE | grep "Accepted SSLv2" echo echo [*] Testing for NULL cipher ... cat $LOGFILE | grep "NULL" | grep Accepted echo echo [*] Testing for weak ciphers $based on key length$ ... cat $LOGFILE | grep " 40 bits" | grep Accepted echo cat $LOGFILE | grep " 56 bits" | grep Accepted echo echo [*] Testing for strong ciphers $AES$ ... cat $LOGFILE | grep "AES" | grep Accepted echo echo [*] Testing for MD5 signed certificate ... #cat $LOGFILE | grep -E 'MD5WithRSAEncryption|md5WithRSAEncryption' cat $LOGFILE | grep -i 'MD5WithRSAEncryption' echo echo [*] Checking preferred server ciphers ... cat $LOGFILE | sed '/Prefered Server Cipher(s):/,/^$/!d' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" echo echo [*] Testing for SSLv3/TLSv1 renegotiation vuln. $CVE-2009-3555$ ... #echo [*] echo R \| openssl s_client -connect $HOST:$PORT \| grep "DONE" # # Renegotiation details go to stderr (2>) # # if $OPENSSLVERSION is updated (version?) it supports RFC5746 and will print: # Secure Renegotiation IS NOT supported # Secure Renegotiation IS supported # echo R | openssl s_client -connect $HOST:$PORT | grep -E "Secure Renegotiation IS|DONE" echo echo [*] New files created: ls -l $LOGFILE if [ ! -s $ERRFILE ]; then # Error file is empty rm $ERRFILE else ls -l $ERRFILE fi echo echo echo [*] done echo

SSL Tests - v2, weak ciphers, MD5, Renegotiation

SSL Tests - v2, weak ciphers, MD5, Renegotiation

Related Scripts