mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-09-28 23:53:41 +02:00
Merge pull request #3 from oparoz/common-name-discovery
Common name detector
This commit is contained in:
commit
ed34c0e046
50
cipherscan
50
cipherscan
@ -108,8 +108,13 @@ test_cipher_on_target() {
|
|||||||
fi
|
fi
|
||||||
# filter out the OCSP server certificate
|
# filter out the OCSP server certificate
|
||||||
tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp")
|
tmp=$(awk 'BEGIN { pr="yes" } /^======================================/ { if ( pr=="yes" ) pr="no"; else pr="yes" } { if ( pr == "yes" ) print }' <<<"$tmp")
|
||||||
|
current_certcn=$(grep "subject=" <<<"$tmp"| grep -oP "(?<=CN\=)[^ |\/]+")
|
||||||
|
current_subjaltnames=$(${OPENSSLBIN} x509 -noout -text 2>/dev/null <<<"$tmp"|awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0);print}' | tr -d "DNS:")
|
||||||
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
|
current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
|
||||||
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
|
current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
|
||||||
|
if [ -z $current_pfs ]; then
|
||||||
|
current_pfs="None"
|
||||||
|
fi
|
||||||
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
|
current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
|
||||||
current_pubkey=$(grep 'Server public key is ' <<<"$tmp"|awk '{print $5}')
|
current_pubkey=$(grep 'Server public key is ' <<<"$tmp"|awk '{print $5}')
|
||||||
if [ -z $current_pubkey ]; then
|
if [ -z $current_pubkey ]; then
|
||||||
@ -147,6 +152,16 @@ test_cipher_on_target() {
|
|||||||
else
|
else
|
||||||
protocols="$protocols,$current_protocol"
|
protocols="$protocols,$current_protocol"
|
||||||
fi
|
fi
|
||||||
|
certcns="$current_certcn"
|
||||||
|
# Let's add the alternative subject names if they exist
|
||||||
|
if [ -n "$current_subjaltnames" ]; then
|
||||||
|
IFS=',' read -ra subjaltnamesarray <<<"$current_subjaltnames"
|
||||||
|
for altname in "${subjaltnamesarray[@]}"; do
|
||||||
|
if [[ "$altname" != "$current_certcn" ]]; then
|
||||||
|
certcns="$certcns,$altname"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
cipher=$current_cipher
|
cipher=$current_cipher
|
||||||
pfs=$current_pfs
|
pfs=$current_pfs
|
||||||
pubkey=$current_pubkey
|
pubkey=$current_pubkey
|
||||||
@ -165,13 +180,13 @@ test_cipher_on_target() {
|
|||||||
|
|
||||||
# if cipher contains NONE, the cipher wasn't accepted
|
# if cipher contains NONE, the cipher wasn't accepted
|
||||||
elif [ "$cipher" == '(NONE) ' ]; then
|
elif [ "$cipher" == '(NONE) ' ]; then
|
||||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
|
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $certcns"
|
||||||
verbose "handshake failed, server returned ciphersuite '$result'"
|
verbose "handshake failed, server returned ciphersuite '$result'"
|
||||||
return 1
|
return 1
|
||||||
|
|
||||||
# the connection succeeded
|
# the connection succeeded
|
||||||
else
|
else
|
||||||
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs"
|
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $certcns"
|
||||||
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
verbose "handshake succeeded, server returned ciphersuite '$result'"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
@ -226,6 +241,7 @@ get_cipher_pref() {
|
|||||||
display_results_in_terminal() {
|
display_results_in_terminal() {
|
||||||
# Display the results
|
# Display the results
|
||||||
ctr=1
|
ctr=1
|
||||||
|
local certcns
|
||||||
local pubkey
|
local pubkey
|
||||||
local sigalg
|
local sigalg
|
||||||
local trusted
|
local trusted
|
||||||
@ -246,6 +262,7 @@ display_results_in_terminal() {
|
|||||||
trusted=$(awk '{print $5}' <<<$cipher)
|
trusted=$(awk '{print $5}' <<<$cipher)
|
||||||
tickethint=$(awk '{print $6}' <<<$cipher)
|
tickethint=$(awk '{print $6}' <<<$cipher)
|
||||||
ocspstaple=$(awk '{print $7}' <<<$cipher)
|
ocspstaple=$(awk '{print $7}' <<<$cipher)
|
||||||
|
certcns=$(awk '{print $9}' <<<$cipher)
|
||||||
else
|
else
|
||||||
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
|
if [ "$pubkey" != "$(awk '{print $3}' <<<$cipher)" ]; then
|
||||||
different=True
|
different=True
|
||||||
@ -291,11 +308,28 @@ display_results_in_terminal() {
|
|||||||
fi
|
fi
|
||||||
done|column -t
|
done|column -t
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
matchhostname=0
|
||||||
|
hostcertcn="Not a match"
|
||||||
|
if [ -z "$certcns" ]; then
|
||||||
|
hostcertcn="CN not found"
|
||||||
|
else
|
||||||
|
IFS=',' read -ra certcnsarray <<<"$certcns"
|
||||||
|
for certcn in "${certcnsarray[@]}"; do
|
||||||
|
if [[ "$certcn" == "$HOST" ]]; then
|
||||||
|
matchhostname=1
|
||||||
|
hostcertcn="$certcn"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
|
fi
|
||||||
if [ $different != "True" ]; then
|
if [ $different != "True" ]; then
|
||||||
if [ "$trusted" == "True" ]; then
|
if [ "$trusted" == "True" ]; then
|
||||||
echo "Certificate: trusted, $pubkey bit, $sigalg signature"
|
echo "Certificate: $hostcertcn, trusted, $pubkey bit, $sigalg signature"
|
||||||
else
|
else
|
||||||
echo "Certificate: UNTRUSTED, $pubkey bit, $sigalg signature"
|
echo "Certificate: $hostcertcn, UNTRUSTED, $pubkey bit, $sigalg signature"
|
||||||
fi
|
fi
|
||||||
echo "TLS ticket lifetime hint: $tickethint"
|
echo "TLS ticket lifetime hint: $tickethint"
|
||||||
fi
|
fi
|
||||||
@ -304,6 +338,13 @@ display_results_in_terminal() {
|
|||||||
else
|
else
|
||||||
echo "OCSP stapling: not supported"
|
echo "OCSP stapling: not supported"
|
||||||
fi
|
fi
|
||||||
|
if [ $matchhostname -eq 0 ]; then
|
||||||
|
echo "WARNING - None of the CNs match the hostname given"
|
||||||
|
fi
|
||||||
|
if [ -n "$certcns" ]; then
|
||||||
|
echo "Here is the list of common names found in the certificate"
|
||||||
|
echo $certcns
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -315,6 +356,7 @@ display_results_in_json() {
|
|||||||
[ $ctr -gt 0 ] && echo -n ','
|
[ $ctr -gt 0 ] && echo -n ','
|
||||||
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
|
echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
|
||||||
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
|
echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
|
||||||
|
echo -n "\"certcns\":[\"$(echo $cipher|awk '{print $9}'|sed 's/,/","/g')\"],"
|
||||||
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
|
echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
|
||||||
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
echo -n "\"sigalg\":[\"$(echo $cipher|awk '{print $4}'|sed 's/,/","/g')\"],"
|
||||||
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
echo -n "\"trusted\":\"$(echo $cipher|awk '{print $5}'|sed 's/,/","/g')\","
|
||||||
|
Loading…
Reference in New Issue
Block a user