From 4a51ef71d6e989b7f67517c99d28ffb32ee17333 Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Wed, 7 Aug 2013 10:40:03 -0400 Subject: [PATCH] Added protocol --- CiphersScan.sh | 16 +++-- README.md | 191 +++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 178 insertions(+), 29 deletions(-) diff --git a/CiphersScan.sh b/CiphersScan.sh index 4be01c6..909195a 100755 --- a/CiphersScan.sh +++ b/CiphersScan.sh @@ -26,13 +26,13 @@ test_cipher_on_target() { $REQUEST EOF # Parse the result - result=$(grep "New, " $tmp|awk '{print $5}') + result="$(grep "New, " $tmp|awk '{print $5}') $(grep -E "^\s+Protocol\s+:" $tmp|awk '{print $3}')" rm "$tmp" - if [ -z $result ]; then + if [ -z "$result" ]; then verbose "handshake failed, no ciphersuite was returned" result='ConnectionFailure' return 2 - elif [ "$result" == '(NONE)' ]; then + elif [ "$result" == '(NONE) ' ]; then verbose "handshake failed, server returned ciphersuite '$result'" return 1 else @@ -74,7 +74,8 @@ get_cipher_pref() { cipherspref=("${cipherspref[@]}" "$result") # If the connection succeeded with the current cipher, benchmark and store if [ $success -eq 0 ]; then - get_cipher_pref "!$result:$ciphersuite" + pciph=$(echo $result|awk '{print $1}') + get_cipher_pref "!$pciph:$ciphersuite" return 0 fi } @@ -108,8 +109,9 @@ results=() get_cipher_pref "ALL" ctr=1 for cipher in "${cipherspref[@]}"; do + pciph=$(echo $cipher|awk '{print $1}') if [ $DOBENCHMARK -eq 1 ]; then - bench_cipher "$cipher" + bench_cipher "$pciph" r="$ctr $cipher $cipherbenchms" else r="$ctr $cipher" @@ -119,9 +121,9 @@ for cipher in "${cipherspref[@]}"; do done if [ $DOBENCHMARK -eq 1 ]; then - header="prio ciphersuite avg_handshake_microsec" + header="prio ciphersuite protocol avg_handshake_microsec" else - header="prio ciphersuite" + header="prio ciphersuite protocol" fi ctr=0 for result in "${results[@]}"; do diff --git a/README.md b/README.md index 83e7629..c8289c3 100644 --- a/README.md +++ b/README.md @@ -2,38 +2,185 @@ CipherScan ========== A very simple way to find out which SSL ciphersuites are supported by a target. -Run: ./CipherScan.sh www.google.com:443 -v +Run: ./CipherScan.sh www.google.com:443 And watch. -Edit the script if you need more (disable benchmarking by setting DOBENCHMARK to 0). - The newer your version of openssl, the better results you'll get. Older versions of OpenSSL don't support TLS1.2 ciphers, elliptic curves, etc... Build Your Own! +Options +------- +Enable benchmarking by setting DOBENCHMARK to 1 at the top of the script. + +Use '-v' to get more stuff to read. + +Use '-a' to force openssl to test every single cipher it know. Example ------- ``` -$ ./CiphersScan.sh www.google.com:443 +$ ./CiphersScan.sh www.google.com:443 -a +prio ciphersuite protocol +1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 +2 ECDHE-RSA-RC4-SHA TLSv1.2 +3 ECDHE-RSA-AES128-SHA TLSv1.2 +4 AES128-GCM-SHA256 TLSv1.2 +5 RC4-SHA TLSv1.2 +6 RC4-MD5 TLSv1.2 +7 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 +8 ECDHE-RSA-AES256-SHA384 TLSv1.2 +9 ECDHE-RSA-AES256-SHA TLSv1.2 +10 AES256-GCM-SHA384 TLSv1.2 +11 AES256-SHA256 TLSv1.2 +12 AES256-SHA TLSv1.2 +13 ECDHE-RSA-DES-CBC3-SHA TLSv1.2 +14 DES-CBC3-SHA TLSv1.2 +15 ECDHE-RSA-AES128-SHA256 TLSv1.2 +16 AES128-SHA256 TLSv1.2 +17 AES128-SHA TLSv1.2 +18 (NONE) -prio ciphersuite avg_handshake_ms -1 ECDHE-RSA-AES128-GCM-SHA256 392 -2 ECDHE-RSA-RC4-SHA 412 -3 ECDHE-RSA-AES128-SHA 415 -4 AES128-GCM-SHA256 428 -5 RC4-SHA 404 -6 RC4-MD5 399 -7 ECDHE-RSA-AES256-GCM-SHA384 389 -8 ECDHE-RSA-AES256-SHA384 388 -9 ECDHE-RSA-AES256-SHA 394 -10 AES256-GCM-SHA384 388 -11 AES256-SHA256 389 -12 AES256-SHA 389 -13 ECDHE-RSA-DES-CBC3-SHA 392 -14 DES-CBC3-SHA 391 -15 ECDHE-RSA-AES128-SHA256 394 -16 AES128-SHA256 391 -17 AES128-SHA 389 +All accepted ciphersuites +KO ADH-AES128-GCM-SHA256 +KO ADH-AES128-SHA +KO ADH-AES128-SHA256 +KO ADH-AES256-GCM-SHA384 +KO ADH-AES256-SHA +KO ADH-AES256-SHA256 +KO ADH-CAMELLIA128-SHA +KO ADH-CAMELLIA256-SHA +KO ADH-DES-CBC3-SHA +KO ADH-DES-CBC-SHA +KO ADH-RC4-MD5 +KO ADH-SEED-SHA +KO AECDH-AES128-SHA +KO AECDH-AES256-SHA +KO AECDH-DES-CBC3-SHA +KO AECDH-NULL-SHA +KO AECDH-RC4-SHA +OK AES128-GCM-SHA256 +OK AES128-SHA +OK AES128-SHA256 +OK AES256-GCM-SHA384 +OK AES256-SHA +OK AES256-SHA256 +KO CAMELLIA128-SHA +KO CAMELLIA256-SHA +KO DES-CBC3-MD5 +OK DES-CBC3-SHA +KO DES-CBC-MD5 +KO DES-CBC-SHA +KO DH-DSS-AES128-GCM-SHA256 +KO DH-DSS-AES128-SHA +KO DH-DSS-AES128-SHA256 +KO DH-DSS-AES256-GCM-SHA384 +KO DH-DSS-AES256-SHA +KO DH-DSS-AES256-SHA256 +KO DH-DSS-CAMELLIA128-SHA +KO DH-DSS-CAMELLIA256-SHA +KO DH-DSS-DES-CBC3-SHA +KO DH-DSS-DES-CBC-SHA +KO DH-DSS-SEED-SHA +KO DHE-DSS-AES128-GCM-SHA256 +KO DHE-DSS-AES128-SHA +KO DHE-DSS-AES128-SHA256 +KO DHE-DSS-AES256-GCM-SHA384 +KO DHE-DSS-AES256-SHA +KO DHE-DSS-AES256-SHA256 +KO DHE-DSS-CAMELLIA128-SHA +KO DHE-DSS-CAMELLIA256-SHA +KO DHE-DSS-SEED-SHA +KO DHE-RSA-AES128-GCM-SHA256 +KO DHE-RSA-AES128-SHA +KO DHE-RSA-AES128-SHA256 +KO DHE-RSA-AES256-GCM-SHA384 +KO DHE-RSA-AES256-SHA +KO DHE-RSA-AES256-SHA256 +KO DHE-RSA-CAMELLIA128-SHA +KO DHE-RSA-CAMELLIA256-SHA +KO DHE-RSA-SEED-SHA +KO DH-RSA-AES128-GCM-SHA256 +KO DH-RSA-AES128-SHA +KO DH-RSA-AES128-SHA256 +KO DH-RSA-AES256-GCM-SHA384 +KO DH-RSA-AES256-SHA +KO DH-RSA-AES256-SHA256 +KO DH-RSA-CAMELLIA128-SHA +KO DH-RSA-CAMELLIA256-SHA +KO DH-RSA-DES-CBC3-SHA +KO DH-RSA-DES-CBC-SHA +KO DH-RSA-SEED-SHA +KO ECDH-ECDSA-AES128-GCM-SHA256 +KO ECDH-ECDSA-AES128-SHA +KO ECDH-ECDSA-AES128-SHA256 +KO ECDH-ECDSA-AES256-GCM-SHA384 +KO ECDH-ECDSA-AES256-SHA +KO ECDH-ECDSA-AES256-SHA384 +KO ECDH-ECDSA-DES-CBC3-SHA +KO ECDH-ECDSA-NULL-SHA +KO ECDH-ECDSA-RC4-SHA +KO ECDHE-ECDSA-AES128-GCM-SHA256 +KO ECDHE-ECDSA-AES128-SHA +KO ECDHE-ECDSA-AES128-SHA256 +KO ECDHE-ECDSA-AES256-GCM-SHA384 +KO ECDHE-ECDSA-AES256-SHA +KO ECDHE-ECDSA-AES256-SHA384 +KO ECDHE-ECDSA-DES-CBC3-SHA +KO ECDHE-ECDSA-NULL-SHA +KO ECDHE-ECDSA-RC4-SHA +OK ECDHE-RSA-AES128-GCM-SHA256 +OK ECDHE-RSA-AES128-SHA +OK ECDHE-RSA-AES128-SHA256 +OK ECDHE-RSA-AES256-GCM-SHA384 +OK ECDHE-RSA-AES256-SHA +OK ECDHE-RSA-AES256-SHA384 +OK ECDHE-RSA-DES-CBC3-SHA +KO ECDHE-RSA-NULL-SHA +OK ECDHE-RSA-RC4-SHA +KO ECDH-RSA-AES128-GCM-SHA256 +KO ECDH-RSA-AES128-SHA +KO ECDH-RSA-AES128-SHA256 +KO ECDH-RSA-AES256-GCM-SHA384 +KO ECDH-RSA-AES256-SHA +KO ECDH-RSA-AES256-SHA384 +KO ECDH-RSA-DES-CBC3-SHA +KO ECDH-RSA-NULL-SHA +KO ECDH-RSA-RC4-SHA +KO EDH-DSS-DES-CBC3-SHA +KO EDH-DSS-DES-CBC-SHA +KO EDH-RSA-DES-CBC3-SHA +KO EDH-RSA-DES-CBC-SHA +KO EXP-ADH-DES-CBC-SHA +KO EXP-ADH-RC4-MD5 +KO EXP-DES-CBC-SHA +KO EXP-DH-DSS-DES-CBC-SHA +KO EXP-DH-RSA-DES-CBC-SHA +KO EXP-EDH-DSS-DES-CBC-SHA +KO EXP-EDH-RSA-DES-CBC-SHA +KO EXP-RC2-CBC-MD5 +KO EXP-RC4-MD5 +KO IDEA-CBC-MD5 +KO IDEA-CBC-SHA +KO NULL-MD5 +KO NULL-SHA +KO NULL-SHA256 +KO PSK-3DES-EDE-CBC-SHA +KO PSK-AES128-CBC-SHA +KO PSK-AES256-CBC-SHA +KO PSK-RC4-SHA +KO RC2-CBC-MD5 +OK RC4-MD5 +OK RC4-SHA +KO SEED-SHA +KO SRP-3DES-EDE-CBC-SHA +KO SRP-AES-128-CBC-SHA +KO SRP-AES-256-CBC-SHA +KO SRP-DSS-3DES-EDE-CBC-SHA +KO SRP-DSS-AES-128-CBC-SHA +KO SRP-DSS-AES-256-CBC-SHA +KO SRP-RSA-3DES-EDE-CBC-SHA +KO SRP-RSA-AES-128-CBC-SHA +KO SRP-RSA-AES-256-CBC-SHA ```