From 5c07a6e552821e6f70a8b1403b28cfbe9477db49 Mon Sep 17 00:00:00 2001 From: Michael Zeltner Date: Sun, 2 Feb 2014 15:41:16 +0100 Subject: [PATCH] Support s_client args, give -starttls example --- README.md | 13 ++++++++++++- cipherscan | 34 ++++++++++++++++++++++------------ 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 44655ea..0392b4f 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Use '-a' to force openssl to test every single cipher it know. Use '-json' to output the results in json format ``` -$ ./cipherscan www.google.com:443 -json +$ ./cipherscan -json www.google.com:443 ``` Example @@ -48,4 +48,15 @@ prio ciphersuite protocols pfs_keysize 16 ECDHE-RSA-AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 17 AES128-SHA256 SSLv3,TLSv1,TLSv1.1,TLSv1.2 18 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 +$ ./cipherscan -starttls xmpp jabber.ccc.de:5222 +......... +prio ciphersuite protocols pfs_keysize +1 DHE-RSA-AES256-SHA SSLv3,TLSv1 DH,1024bits +2 AES256-SHA SSLv3,TLSv1 +3 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1 DH,1024bits +4 DES-CBC3-SHA SSLv3,TLSv1 +5 DHE-RSA-AES128-SHA SSLv3,TLSv1 DH,1024bits +6 AES128-SHA SSLv3,TLSv1 +7 RC4-SHA SSLv3,TLSv1 +8 RC4-MD5 SSLv3,TLSv1 ``` diff --git a/cipherscan b/cipherscan index 3f6a40e..84fc0a3 100755 --- a/cipherscan +++ b/cipherscan @@ -10,7 +10,13 @@ BENCHMARKITER=30 OPENSSLBIN="$(dirname $0)/openssl" TIMEOUT=10 CIPHERSUITE="ALL:COMPLEMENTOFALL" -TARGET=$1 +HOST=$(sed -e 's/:.*//'<<<"${@: -1}") +PORT=$(sed -e 's/.*://'<<<"${@: -1}") +if [ "$HOST" = "$PORT" ]; then + PORT=443 +fi +TARGET=$HOST:$PORT +SCLIENTARGS=$(sed -e "s/${@: -1}//" -e "s/-v//" -e "s/-a//" -e "s/-json//" <<<"$@") VERBOSE=0 ALLCIPHERS=0 OUTPUTFORMAT="terminal" @@ -23,18 +29,25 @@ Connection: close usage() { - echo -e "usage: $0 + echo -e "usage: $0 [-a|-v|-json] [openssl s_client args] $0 attempts to connect to a target site using all the ciphersuites it knowns. Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan +Port defaults to 443 + example: $ $0 www.google.com:443 -Use only one of the options below: +Use one of the options below as the first argument: -v increase verbosity -a test all known ciphers individually at the end -json output results in json format +The rest of the arguments will be interpreted as openssl s_client argument. +This enables checking smtp/imap/pop3/ftp/xmpp via -starttls + +example: $0 -starttls xmpp jabber.ccc.de:5222 + OpenSSL path can be changed in the OPENSSLBIN variable Benchmarking can be enabled in the DOBENCHMARK variable " @@ -105,7 +118,7 @@ EOF # Calculate the average handshake time for a specific ciphersuite bench_cipher() { local ciphersuite="$1" - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" local t="$(date +%s%N)" verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'" for i in $(seq 1 $BENCHMARKITER); do @@ -129,7 +142,7 @@ EOF get_cipher_pref() { [ "$OUTPUTFORMAT" == "terminal" ] && echo -n '.' local ciphersuite="$1" - local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite" + local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite" verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'" test_cipher_on_target "$sslcommand" local success=$? @@ -193,17 +206,14 @@ display_results_in_json() { [[ -z $1 || "$1" == "-h" || "$1" == "--help" ]] && usage if [ ! -z $2 ]; then - if [ "$2" == "-v" ]; then + if [ "$1" == "-v" ]; then VERBOSE=1 echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" $OPENSSLBIN ciphers ALL 2>/dev/null - elif [ "$2" == "-a" ]; then + elif [ "$1" == "-a" ]; then ALLCIPHERS=1 - elif [ "$2" == "-json" ]; then + elif [ "$1" == "-json" ]; then OUTPUTFORMAT="json" - else - echo "ERROR: unknown option '$2'"; echo - usage fi fi @@ -225,7 +235,7 @@ if [ $ALLCIPHERS -gt 0 ]; then echo; echo "All accepted ciphersuites" for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do r="fail" - osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $c" + osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c" test_cipher_on_target "$osslcommand" if [ $? -eq 0 ]; then r="pass"