mirror of https://github.com/mozilla/cipherscan.git synced 2024-09-28 23:53:41 +02:00

Merge pull request #3 from oparoz/common-name-discovery

Common name detector
Olivier Paroz 2014-09-22 02:18:16 +02:00
commit ed34c0e046


@ -108,8 +108,13 @@ test_cipher_on_target() {
fi fi
# filter out the OCSP server certificate # filter out the OCSP server certificate
tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp") tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp")
current_certcn=$(grep "subject=" <<<"$tmp"| grep -oP "(?<=CN\=)[^ |\/]+")
current_subjaltnames=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0);print}' | tr -d "DNS:")
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}') current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}') current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
if [ -z $current_pfs ]; then
current_pfs="None"
fi
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}') current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
current_pubkey=$(grep 'Server public key is ' <<<"$tmp"|awk '{print $5}') current_pubkey=$(grep 'Server public key is ' <<<"$tmp"|awk '{print $5}')
if [ -z $current_pubkey ]; then if [ -z $current_pubkey ]; then
@ -147,6 +152,16 @@ test_cipher_on_target() {
else else
protocols="$protocols,$current_protocol" protocols="$protocols,$current_protocol"
fi fi
certcns="$current_certcn"
# Let's add the alternative subject names if they exist
if [ -n "$current_subjaltnames" ]; then
IFS=',' read -ra subjaltnamesarray <<<"$current_subjaltnames"
for altname in "${subjaltnamesarray[@]}"; do
if [[ "$altname" != "$current_certcn" ]]; then
certcns="$certcns,$altname"
fi
done
fi
cipher=$current_cipher cipher=$current_cipher
pfs=$current_pfs pfs=$current_pfs
pubkey=$current_pubkey pubkey=$current_pubkey
@ -165,13 +180,13 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted # if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs" result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $certcns"
verbose "handshake failed, server returned ciphersuite '$result'" verbose "handshake failed, server returned ciphersuite '$result'"
return 1 return 1
# the connection succeeded # the connection succeeded
else else
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs" result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $certcns"
verbose "handshake succeeded, server returned ciphersuite '$result'" verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0 return 0
fi fi
@ -226,6 +241,7 @@ get_cipher_pref() {
display_results_in_terminal() { display_results_in_terminal() {
# Display the results # Display the results
ctr=1 ctr=1
local certcns
local pubkey local pubkey
local sigalg local sigalg
local trusted local trusted
@ -246,6 +262,7 @@ display_results_in_terminal() {
trusted=$(awk '{print $5}' <<<$cipher) trusted=$(awk '{print $5}' <<<$cipher)
tickethint=$(awk '{print $6}' <<<$cipher) tickethint=$(awk '{print $6}' <<<$cipher)
ocspstaple=$(awk '{print $7}' <<<$cipher) ocspstaple=$(awk '{print $7}' <<<$cipher)
certcns=$(awk '{print $9}' <<<$cipher)
else else
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
different=True different=True
@ -291,11 +308,28 @@ display_results_in_terminal() {
fi fi
done|column -t done|column -t
echo echo
matchhostname=0
hostcertcn="Not a match"
if [ -z "$certcns" ]; then
hostcertcn="CN not found"
else
IFS=',' read -ra certcnsarray <<<"$certcns"
for certcn in "${certcnsarray[@]}"; do
if [[ "$certcn" == "$HOST" ]]; then
matchhostname=1
hostcertcn="$certcn"
break
fi
done
fi
if [ $different != "True" ]; then if [ $different != "True" ]; then
if [ "$trusted" == "True" ]; then if [ "$trusted" == "True" ]; then
echo "Certificate: trusted, $pubkey bit, $sigalg signature" echo "Certificate: $hostcertcn, trusted, $pubkey bit, $sigalg signature"
else else
echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature" echo "Certificate: $hostcertcn, UNTRUSTED, $pubkey bit, $sigalg signature"
fi fi
echo "TLS ticket lifetime hint: $tickethint" echo "TLS ticket lifetime hint: $tickethint"
fi fi
@ -304,6 +338,13 @@ display_results_in_terminal() {
else else
echo "OCSP stapling: not supported" echo "OCSP stapling: not supported"
fi fi
if [ $matchhostname -eq 0 ]; then
echo "WARNING - None of the CNs match the hostname given"
fi
if [ -n "$certcns" ]; then
echo "Here is the list of common names found in the certificate"
echo $certcns
fi
} }
@ -315,6 +356,7 @@ display_results_in_json() {
[ $ctr -gt 0 ] && echo -n ',' [ $ctr -gt 0 ] && echo -n ','
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\"," echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"]," echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
echo -n "\"certcns\":[\"$(echo $cipher|awk '{print $9}'|sed 's/,/","/g')\"],"
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"]," echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"]," echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\"," echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
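Review bot: The SAN extraction added in test_cipher_on_target ends with `tr -d "DNS:"`, which deletes every `D`, `N`, `S` and `:` character from the names instead of the literal `DNS:` prefix, so uppercase host names and IP address entries are altered before they are compared; `sed 's/DNS://g'` removes only the prefix. The new hostname check in display_results_in_terminal then compares each name to `$HOST` with an exact, case-sensitive `==`, so a certificate that covers the host only through a wildcard entry such as `*.example.com` still prints "WARNING - None of the CNs match the hostname given"; the comparison should lowercase both sides and accept a leading `*.` label for a single left-most label. These names come from the scanned server's certificate, so `echo $certcns` should be `echo "$certcns"` to keep wildcard entries from being glob-expanded against the working directory, and the new `certcns` field in display_results_in_json is emitted with no escaping of `"` or `\`, which can produce invalid or misleading JSON. All three functions start and end outside the visible hunks, so callers and the remaining output paths were not reviewed.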