Added option to scan all known ciphers "-a"

2024-11-22 14:23:41 +01:00 · 2013-08-03 22:07:13 -04:00 · 2013-08-03 22:07:13 -04:00 · d2b82ed871
commit d2b82ed871
parent f5ff56344a
1 changed files with 32 additions and 5 deletions
--- a/CiphersScan.sh
+++ b/CiphersScan.sh
@ -1,8 +1,9 @@
 #!/usr/bin/env bash

-DOBENCHMARK=1
+DOBENCHMARK=0
 BENCHMARKITER=30
 OPENSSLBIN="./openssl"
+TIMEOUT=10
 REQUEST="GET / HTTP/1.1
 Host: $TARGET

@ -27,7 +28,11 @@ EOF
    # Parse the result
    result=$(grep "New, " $tmp|awk '{print $5}')
    rm "$tmp"
-    if [ "$result" == '(NONE)' ]; then
+    if [ -z $result ]; then
+        verbose "handshake failed, no ciphersuite was returned"
+        result='ConnectionFailure'
+        return 2
+    elif [ "$result" == '(NONE)' ]; then
        verbose "handshake failed, server returned ciphersuite '$result'"
        return 1
    else
@ -40,13 +45,16 @@ EOF
 # Calculate the average handshake time for a specific ciphersuite
 bench_cipher() {
    local ciphersuite="$1"
-    local sslcommand="$OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
+    local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
    local t="$(date +%s%N)"
    verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
    for i in $(seq 1 $BENCHMARKITER); do
        $sslcommand 2>/dev/null 1>/dev/null << EOF
 $REQUEST
 EOF
+        if [ $? -gt 0 ]; then
+            break
+        fi
    done
    # Time interval in nanoseconds
    local t="$(($(date +%s%N) - t))"
@ -59,13 +67,13 @@ EOF
 # Connect to the target and retrieve the chosen cipher
 get_cipher_pref() {
    local ciphersuite="$1"
-    local sslcommand="$OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
+    local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $ciphersuite"
    verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
    test_cipher_on_target "$sslcommand"
    local success=$?
+    cipherspref=("${cipherspref[@]}" "$result")
    # If the connection succeeded with the current cipher, benchmark and store
    if [ $success -eq 0 ]; then
-        cipherspref=("${cipherspref[@]}" "$result")
        get_cipher_pref "!$result:$ciphersuite"
        return 0
    fi
@ -83,12 +91,16 @@ jvehent - ulfr -  2013
 fi
 TARGET=$1
 VERBOSE=0
+ALLCIPHERS=0
 if [ ! -z $2 ]; then
    if [ "$2" == "-v" ]; then
        VERBOSE=1
        echo "Loading $($OPENSSLBIN ciphers -v ALL 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
        $OPENSSLBIN ciphers ALL 2>/dev/null
    fi
+    if [ "$2" == "-a" ]; then
+        ALLCIPHERS=1
+    fi
 fi

 cipherspref=();
@ -119,3 +131,18 @@ for result in "${results[@]}"; do
    fi
    echo $result
 done|column -t
+
+if [ $ALLCIPHERS -gt 0 ]; then
+    echo; echo "All accepted ciphersuites"
+    for cipher in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
+        osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -connect $TARGET -cipher $cipher"
+        test_cipher_on_target "$osslcommand"
+        r=$?
+        if [ $r -eq 0 ]; then
+            echo -en '\E[40;32m'"OK"; tput sgr0
+        else
+            echo -en '\E[40;31m'"KO"; tput sgr0
+        fi
+        echo " $cipher"
+    done
+fi