Talk to a Security Expert Now: (800) 721-9177

Checking for SSL Vulnerabilities on the Command Line

While Nessus is a wonderful vulnerability scanner, sometimes it is too slow and resource heavy for individual issues. The following 2 equivalent scripts perform checks for the following SSL related Nessus plugins:

  • 20007: SSL Version 2 (v2) Protocol Detection
  • 26928: SSL Weak Cipher Suites Supported
  • 31705: SSL Anonymous Cipher Suites Supported

The first is the curl version:

#!/bin/bash
# phaas at redspin.com: Never us a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)

if [ $# -lt 1 ]
then
  echo "List SSL Weakness present for a given website"
  echo "Usage: `basename $0` website {port}"
  exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}

# Check for the insecure SSLv2 version
curl -m1 -Ik "https://$web:$port" --ciphers sslv2 &> /dev/null
if [[ "$?" -eq 0 ]]; then echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi

# Enumerate weak SSL ciphers using curl
IFS=$'n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in `openssl ciphers -v $ciphers | tr -s ' '`; do
	version=`echo "$line" | cut -d' ' -f2 | tr [:upper:] [:lower:]`
	cipher=`echo "$line" | cut -d' ' -f1`
	auth=`echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2`
	strength=`echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None'`
	if [[ "$auth" == 'None' ]]; then auth="no"; fi
	if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi	

	#echo "curl -m1 -Ik https://$web:$port --ciphers $cipher -$version &> /dev/null"
	curl -m1 -Ik "https://$web:$port" --ciphers "$cipher" -$version &> /dev/null
	if [[ "$?" -eq 0 ]]; then
		echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
	fi
done

And the following is the openssl version:

#!/bin/bash
# phaas at redspin.com: Never us a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)

if [ $# -lt 1 ]
then
  echo "List SSL Weakness present for a given website"
  echo "Usage: `basename $0` website {port}"
  exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}

# Check for the insecure SSLv2 version
sslv2=`echo -e '' | openssl s_client -connect $web:$port -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep -i 'SSLv2'`
if [ -n "$sslv2" ]; then echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi

# Enumerate weak SSL ciphers using openssl
IFS=$'n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in `openssl ciphers -v $ciphers | tr -s ' '`; do
	version=`echo "$line" | cut -d' ' -f2 | tr [:upper:] [:lower:] | tr -d 'v'`
	cipher=`echo "$line" | cut -d' ' -f1`
	auth=`echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2`
	strength=`echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None'`

	if [[ "$auth" == 'None' ]]; then auth="no"; fi
	if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi	

	#echo "openssl s_client -connect $web:$port -$version -cipher $cipher"
	supported=`echo "" | openssl s_client -connect $web:$port -$version -cipher $cipher 2>&1 | grep DONE`
	if [[ -n "$supported" ]]; then
		echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
	fi
done

I decided to include both because while openssl is usually included by default on most Linux distributions, curl is easier to obtain on Windows machines.

Leave a Reply

Your email address will not be published. Required fields are marked *