diff --git a/README.md b/README.md index ec83b81..25af63c 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Cygwin dependencies: Usage: -bash httpsscan.sh [target] [port] [option] +bash httpsscan.sh [target_file] -p [ports] [option] Options: diff --git a/httpsscan.sh b/httpsscan.sh index a77f206..0253fe7 100644 --- a/httpsscan.sh +++ b/httpsscan.sh @@ -42,7 +42,9 @@ VERSION=1.8.2 function Help { echo "-------------------------------" -echo "Use: ./httpsscan IP PORT OP" +echo "Use: ./httpsscan TARGET_FILE -p TARGET_PORTs OP" +echo "Ex: $0 /tmp/hosts -p 443 ssl2" +echo "Ex: $0 /tmp/hosts -p 443,4443 ssl2" echo -e "OP: all, --all, a ssl2, --ssl2 @@ -68,220 +70,310 @@ echo "#+# #+# #+# #+# #+# #+# #+##+# #+##+# #+## echo "### ### ### ### ### ######## ######## ######## ### ###### #### " echo "V. $VERSION by Alexos Core Labs " -if [ $# -ne 3 ]; then - echo Usage: $0 IP PORT OP +if [ $# -ne 4 ]; then + echo Usage: $0 TARGET_FILE -p TARGET_PORTs OP + echo "Ex: $0 /tmp/hosts -p 443 ssl2" + echo "Ex: $0 /tmp/hosts -p 443,4443 ssl2" Help exit fi - -HOST=$1 -PORT=$2 -TARGET=$HOST:$PORT -OP=$3 +TARGET_PORTS="$3"; PORTS=`echo $TARGET_PORTS | sed -e 's/,/ /g'` +OP=$4 red=`tput setaf 1 2>/dev/null` +green=`tput setaf 2 2>/dev/null` reset=`tput sgr0 2>/dev/null` timeout_bin=`which timeout 2>/dev/null` -function ssl2 { + +function ssl2() { echo echo "${red}==> ${reset} Checking SSLv2 (CVE-2011-1473) (CVE-2016-0800)" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl2 -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish SSLv2 connection.' + echo "${green}Not vulnerable.${reset} Failed to establish SSLv2 connection." else echo "${red}Vulnerable!${reset} SSLv2 connection established using $proto/$cipher" fi + done +done } function crime { echo echo "${red}==> ${reset} Checking CRIME (CVE-2012-4929)" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" 2>/dev/null`" compr=`echo "$ssl" |grep 'Compression: ' | awk '{ print $2 } '` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$compr" = 'NONE' ] || [ "$compr" = "" ]; then - echo 'Not vulnerable. TLS Compression is not enabled.' + echo "${green}Not vulnerable.${reset} TLS Compression is not enabled." else echo "${red}Vulnerable!${reset} Connection established using $compr compression." fi + done +done } function rc4 { echo echo "${red}==> ${reset} Checking RC4 (CVE-2013-2566)" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher RC4 -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then -echo 'Not vulnerable. Failed to establish RC4 connection.' +echo "${green}Not vulnerable.${reset} Failed to establish RC4 connection." else echo "${red}Vulnerable!${reset} Connection established using $proto/$cipher" fi + done +done } function heartbleed { echo echo "${red}==> ${reset} Checking Heartbleed (CVE-2014-0160)" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo "QUIT"|openssl s_client -connect "$TARGET" -tlsextdebug 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe 2>/dev/null`" +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$ssl" = 'safe' ]; then - echo 'The host is not vulnerable to Heartbleed attack.' + echo "The host is ${green}not vulnerable${reset} to Heartbleed attack." else echo "${red}Vulnerable!${reset} The host is vulnerable to Heartbleed attack." fi + done +done } function poodle { echo echo "${red}==> ${reset} Checking Poodle (CVE-2014-3566)" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '0000' -o "$cipher" = '(NONE)' ] || [ "$cipher" = "" ]; then - echo 'Not vulnerable. Failed to establish SSLv3 connection.' + echo "${green}Not vulnerable.${reset} Failed to establish SSLv3 connection." else echo "${red}Vulnerable!${reset} SSLv3 connection established using $proto/$cipher" fi + done +done } function freak { echo echo "${red}==> ${reset} Checking FREAK (CVE-2015-0204)" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with an EXPORT cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with an EXPORT cipher." else echo "${red}Vulnerable!${reset} Connection established using $cipher" fi + done +done } function null { echo echo "${red}==> ${reset}Checking NULL Cipher" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher NULL -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with a NULL cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with a NULL cipher." else echo "${red}Vulnerable!${reset} Connection established using $cipher" fi + done +done } - function weak40 { echo echo "${red}==> ${reset} Checking Weak Ciphers" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT40 -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with 40 bit cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with 40 bit cipher." else echo "${red}Vulnerable!${reset} Connection established using 40 bit cipher" fi + done +done } function weak56 { echo echo "${red}==> ${reset} Checking Weak Ciphers" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT56 -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with 56 bit cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with 56 bit cipher." else echo "${red}Vulnerable!${reset} Connection established using 56 bit cipher" fi + done +done } function forward { echo echo "${red}==> ${reset}Checking Forward Secrecy" +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher 'ECDH:DH' -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' -o "$cipher" = '(NONE)' ]; then echo 'Forward Secrecy is not enabled.' else echo "Enabled! Established using $proto/$cipher" fi + done +done } -function online { -ssl="`echo Q | openssl s_client -connect "$TARGET" 2>/dev/null | wc -l`" +function online() { +for HOST in `cat $1`; do + for PORT in ${PORTS[@]}; do + TARGET=$HOST:$PORT +ssl="`echo Q | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" 2>/dev/null | wc -l`" if [ "$ssl" -lt 5 ]; then - echo "Host $TARGET is unreachable. Halting test." - exit -1 + echo + echo "Host $TARGET is unreachable." fi + done +done } #---------------------------------------------------------------------------------------------------------------------------------- -online echo -echo [*] Analyzing SSL/TLS Vulnerabilities on $HOST:$PORT ... +echo [*] Analyzing SSL/TLS Vulnerabilities... echo echo Generating Report...Please wait +online $1 + # Nova chamada das funções: -case $3 in +case $4 in "--help"|"help") Help;; "all"|"--all"|"a") - ssl2 - crime - rc4 - heartbleed - poodle - freak - null - weak40 - weak56 - forward;; + ssl2 $1 + crime $1 + rc4 $1 + heartbleed $1 + poodle $1 + freak $1 + null $1 + weak40 $1 + weak56 $1 + forward $1 + ;; "ssl2"|"--ssl2") - ssl2;; + ssl2 $1 + ;; "crime"|"--crime") - crime;; + crime $1 + ;; "rc4"|"--rc4") - rc4;; + rc4 $1 + ;; "heartbleed"|"--heartbleed") - heartbleed;; + heartbleed $1 + ;; "poodle"|"--poodle") - poodle;; + poodle $1 + ;; "freak"|"--freak") - freak;; + freak $1 + ;; "null"|"--null") - null;; + null $1 + ;; "weak40"|"--weak40") - weak40;; + weak40 $1 + ;; "weak56"|"--weak56") - weak56;; + weak56 $1 + ;; "forward"|"--forward") - forward;; + forward $1 + ;; *) echo -e "${red}Parameter invalid, check --help${reset}" esac