Checking for SSL Vulnerabilities on the Command Line
by The Shell Shakespeare on Jul.03, 2009, under Redspin Labs
While Nessus is a wonderful vulnerability scanner, sometimes it is too slow and resource-heavy for checking individual issues. The following two equivalent scripts perform the checks behind these SSL-related Nessus plugins:
- 20007: SSL Version 2 (v2) Protocol Detection
- 26928: SSL Weak Cipher Suites Supported
- 31705: SSL Anonymous Cipher Suites Supported
The first is the curl version:
#!/bin/bash
# phaas at redspin.com: Never use a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)
if [ $# -lt 1 ]
then
    echo "List SSL Weakness present for a given website"
    echo "Usage: $(basename "$0") website {port}"
    exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}
# Check for the insecure SSLv2 version
# (SSLv2 is spelled here as in the OpenSSL cipher-string documentation)
if curl -m1 -Ik "https://$web:$port" --ciphers SSLv2 &> /dev/null; then
    echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"
fi
# Enumerate weak SSL ciphers using curl
IFS=$'\n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in $(openssl ciphers -v "$ciphers" | tr -s ' '); do
    # Column 1 is the cipher name, column 2 the protocol version
    version=$(echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]')
    cipher=$(echo "$line" | cut -d' ' -f1)
    auth=$(echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2)
    # Drop the Kx= field first so a key-exchange size such as Kx=RSA(512)
    # is not mistaken for the encryption strength
    strength=$(echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None')
    if [[ "$auth" == 'None' ]]; then auth="no"; fi
    if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi
    #echo "curl -m1 -Ik https://$web:$port --ciphers $cipher --$version &> /dev/null"
    # curl's protocol options are long options (--sslv3, --tlsv1); with a
    # single dash they are read as a cluster of short options
    if curl -m1 -Ik "https://$web:$port" --ciphers "$cipher" "--$version" &> /dev/null; then
        echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
    fi
done
And the following is the openssl version:
#!/bin/bash
# phaas at redspin.com: Never use a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)
if [ $# -lt 1 ]
then
    echo "List SSL Weakness present for a given website"
    echo "Usage: $(basename "$0") website {port}"
    exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}
# Check for the insecure SSLv2 version
sslv2=$(echo -e '' | openssl s_client -connect "$web:$port" -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep -i 'SSLv2')
if [ -n "$sslv2" ]; then echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi
# Enumerate weak SSL ciphers using openssl
IFS=$'\n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in $(openssl ciphers -v "$ciphers" | tr -s ' '); do
    # Turn the version column into an s_client flag: SSLv3 -> ssl3, TLSv1.2 -> tls1_2
    version=$(echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]' | tr -d 'v' | tr '.' '_')
    cipher=$(echo "$line" | cut -d' ' -f1)
    auth=$(echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2)
    # Drop the Kx= field first so a key-exchange size such as Kx=RSA(512)
    # is not mistaken for the encryption strength
    strength=$(echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None')
    if [[ "$auth" == 'None' ]]; then auth="no"; fi
    if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi
    #echo "openssl s_client -connect $web:$port -$version -cipher $cipher"
    # s_client prints DONE when the handshake completed and stdin reached EOF
    supported=$(echo "" | openssl s_client -connect "$web:$port" "-$version" -cipher "$cipher" 2>&1 | grep DONE)
    if [[ -n "$supported" ]]; then
        echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
    fi
done
I decided to include both because while openssl is usually included by default on most Linux distributions, curl is easier to obtain on Windows machines.
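The cipher-line parsing that both scripts depend on, as an added example that is not part of the original post: it classifies `openssl ciphers -v` lines offline and tags each with the Nessus plugin ID from the list above. The function names, the `|`-separated output and the 64-bit "weak" threshold (taken from OpenSSL's LOW and EXP classes) are assumptions of this example, and the sample lines are constructed.

```bash
#!/bin/bash
# Added example, not from the original post. SAMPLE is constructed in the
# format printed by `openssl ciphers -v`; nothing here touches the network.

# classify_cipher LINE -> prints "cipher|version|bits|auth|plugins"
# The body runs in a subshell, so IFS, set -f and variables do not leak.
classify_cipher() (
    case $1 in *' Enc='*) ;; *) return 1 ;; esac   # not a cipher line
    IFS=' '; set -f   # split on spaces (the post's scripts set IFS to newline)
    set -- $1
    cipher=$1 version=$2 auth='' enc='' bits=0 plugins=''
    shift 2
    # Walk the key=value fields. Kx=RSA(512) is its own field, so its key
    # size is never read as the encryption strength.
    for field in "$@"; do
        case $field in
            Au=*)  auth=${field#Au=} ;;
            Enc=*) enc=${field#Enc=} ;;
        esac
    done
    [ -n "$enc" ] || return 1
    case $enc in
        *'('*')') bits=${enc##*'('}; bits=${bits%')'} ;;   # AES(256) -> 256
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    # Assumption: weak = NULL encryption or <= 64 bits (OpenSSL's LOW and EXP
    # classes); anonymous = Au=None. Plugin IDs are the ones the post lists.
    if [ "$enc" = None ] || [ "$bits" -le 64 ]; then plugins=26928; fi
    if [ "$auth" = None ]; then plugins=${plugins:+$plugins,}31705; fi
    printf '%s|%s|%s|%s|%s\n' "$cipher" "$version" "$bits" "$auth" "${plugins:--}"
)

# flagged: read cipher lines on stdin, print only those mapped to a plugin
flagged() {
    while IFS= read -r line; do
        out=$(classify_cipher "$line") || continue
        case $out in *'|-') ;; *) printf '%s\n' "$out" ;; esac
    done
    return 0
}

SAMPLE='ADH-AES256-SHA   SSLv3 Kx=DH       Au=None Enc=AES(256) Mac=SHA1
EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)  Mac=MD5 export
NULL-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=None     Mac=SHA1
DES-CBC-SHA      SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)  Mac=SHA1
EXP-ADH-RC4-MD5  SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)  Mac=MD5 export
AES256-SHA       SSLv3 Kx=RSA      Au=RSA  Enc=AES(256) Mac=SHA1'

printf '%s\n' "$SAMPLE" | flagged
```

Piping the output of `openssl ciphers -v` for any cipher string into `flagged` shows which of the locally known suites fall under each plugin before any host is contacted.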