Exemple #1
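    def doVerify(self):
        """Fetch the certificate chain of each selected host and submit it for verification.

        Hosts come from ``self.get_hosts()``; when there are more than
        ``self.num_hosts`` of them, a random subset of that size is used.
        Every address returned by ``Verifier.resolve_ips`` is contacted on
        port 443 and the retrieved chain is passed to ``self.send_verify``.
        A non-None response is logged as a VerifySuccessMsg carrying the
        response's rating and judgement. The three handled error types are
        logged as a VerifyFailureMsg and that address is skipped.

        Returns None in every case.
        """
        hosts = self.get_hosts()
        if hosts is None:
            print("getHosts failed. aborting verification.")
            return

        # Cap the run at num_hosts by drawing a random subset.
        if self.num_hosts < len(hosts):
            hosts = random.sample(hosts, self.num_hosts)

        for host in hosts:
            ips = Verifier.resolve_ips(host)
            if not ips:
                self.logger.error(VerifyFailureMsg(host, 0, "Could not resolve hostname."))
                # NOTE(review): this ends the whole run, so a single name that
                # fails to resolve leaves every remaining host unverified.
                # Confirm that aborting (rather than moving on) is intended.
                return
            for ip in ips:
                # NOTE(review): only the three error types below are handled;
                # any other exception raised while fetching or submitting the
                # chain propagates and stops the run for all remaining hosts.
                try:
                    print("Retrieving chain for %s (hostname %s)" % (ip, host))
                    chain = get_chain(ip, 443)
                    cvr = CertVerifyReq()
                    # TODO: Find out whether we are behind an SSL proxy
                    # NOTE(review): the meaning of the leading 0 is not visible
                    # here; it may be the proxy indicator the TODO refers to.
                    cvr.createFromValues(0, chain, host, ip, 443)
                    response = self.send_verify(self.cert, self.cbhostname, cvr)
                    # A None response is dropped without any log entry.
                    if response is not None:
                        self.logger.info(VerifySuccessMsg(host, ip, response.rating, response.judgement))
                except socket.gaierror as e:
                    # Single-argument print(...) behaves the same as the print
                    # statement and matches the calls used earlier in this method.
                    print("Skipping cert verification of %s due to unsupported IP version (address: %s). Error: %s" % (host, ip, e))
                    self.logger.error(VerifyFailureMsg(host, ip, "Unsupported IP version"))
                except socket.timeout as e:
                    print("Skipping cert verification of %s (IP %s) due to timeout. Error: %s" % (host, ip, e))
                    self.logger.error(VerifyFailureMsg(host, ip, "Timeout"))
                except OpenSSL.SSL.SysCallError as e:
                    print("Skipping cert verification of %s (IP %s) due to OpenSSL syscall error. Error: %s" % (host, ip, e))
                    self.logger.error(VerifyFailureMsg(host, ip, "OpenSSL syscall error"))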
Exemple #2
    def executeHT(self,ht):
        """Run one hunting task and build the report for it.

        The task's IP version is 4 when ``ht.type`` equals
        ``messageTypes["IPV4_SHA256_TASK"]`` and 6 otherwise. If
        ``self.freshen_pip`` reports no fresh PublicIP for that version, the
        failure is logged and None is returned. Otherwise the target's
        certificate chain is fetched, compared against ``ht.knownCertHashes``
        and a traceroute to the target is taken.

        Returns an HTRepKnownCert holding the first chain hash that equals a
        known hash, or an HTRepNewCert holding the whole chain if none does.
        """
        if ht.type == messageTypes["IPV4_SHA256_TASK"]:
            ipv = 4
        else:
            ipv = 6

        # TODO get this to the report
        if not self.freshen_pip(ipv):
            self.logger.error(HTFailMsg(ht.taskID, ht.targetHost, ht.targetIP, "No PublicIP for Task"))
            print "Skipping execution of task", ht.taskID, "due to the lack",\
                    "of fresh PublicIP for it."
            return None

        # TODO get this to the report
        # NOTE(review): nothing is caught around this call, so a connection
        # or TLS error propagates to the caller and no HTFailMsg is logged.
        chain = get_chain(ht.targetIP,ht.targetPort)

        witness = None
        if ht.knownCertHashes:
            ht.cccHashs = compute_chain_hashes(chain)
            # The first computed hash that equals any known hash is the witness.
            # NOTE(review): what compute_chain_hashes covers is not visible
            # here; confirm which certificates of the chain can match.
            witness = next(
                (candidate for candidate in ht.cccHashs
                 if any(known == candidate for known in ht.knownCertHashes)),
                None)

        # TODO get this to report
        trace = self.tracer.traceroute(self.hts["pip"][ipv]["not"].publicIPString, ht.targetIP)

        # TODO get this to report
        # Both report kinds take the same arguments apart from the payload:
        # the matching hash for a known certificate, the chain for a new one.
        if witness:
            rep = HTRepKnownCert()
            payload = witness
        else:
            rep = HTRepNewCert()
            payload = chain
        rep.createFromValues(ht.taskID,
                             self.hts["cs"].currentServTime(),
                             self.hts["pip"][ipv]["not"].hmac,
                             payload,
                             trace)
        return rep
Exemple #3
    def executeHT(self, ht):
        """Execute a hunting task and return its report.

        Returns None when ``self.freshen_pip`` yields no fresh PublicIP for
        the task's IP version. Otherwise returns an HTRepKnownCert when a
        hash computed from the target's chain equals one of
        ``ht.knownCertHashes``, and an HTRepNewCert carrying the chain when
        none does. Both reports also carry the task id, the current server
        time, the stored PublicIP hmac and a traceroute to the target.
        """
        # Anything other than the IPv4 task type is handled as IPv6.
        ipv = 6
        if ht.type == messageTypes["IPV4_SHA256_TASK"]:
            ipv = 4

        # TODO get this to the report
        have_fresh_pip = self.freshen_pip(ipv)
        if not have_fresh_pip:
            failure = HTFailMsg(ht.taskID, ht.targetHost, ht.targetIP,
                                "No PublicIP for Task")
            self.logger.error(failure)
            print "Skipping execution of task", ht.taskID, "due to the lack",\
                    "of fresh PublicIP for it."
            return None

        # TODO get this to the report
        # NOTE(review): errors raised while fetching the chain are not
        # handled here; they reach the caller without an HTFailMsg entry.
        chain = get_chain(ht.targetIP, ht.targetPort)

        witness = None
        if ht.knownCertHashes:
            ht.cccHashs = compute_chain_hashes(chain)
            for chain_hash in ht.cccHashs:
                if not any(known == chain_hash
                           for known in ht.knownCertHashes):
                    continue
                # First computed hash that is also a known hash.
                witness = chain_hash
                break

        # TODO get this to report
        source_ip = self.hts["pip"][ipv]["not"].publicIPString
        trace = self.tracer.traceroute(source_ip, ht.targetIP)

        # TODO get this to report
        if not witness:
            # No known hash matched: report the full chain.
            rep = HTRepNewCert()
            rep.createFromValues(ht.taskID, self.hts["cs"].currentServTime(),
                                 self.hts["pip"][ipv]["not"].hmac, chain,
                                 trace)
            return rep

        # A known hash matched: report only that hash.
        rep = HTRepKnownCert()
        rep.createFromValues(ht.taskID, self.hts["cs"].currentServTime(),
                             self.hts["pip"][ipv]["not"].hmac, witness,
                             trace)
        return rep
Exemple #4
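    def doVerify(self):
        """Retrieve and submit the certificate chains of a sample of hosts.

        ``self.get_hosts()`` supplies the candidates; at most
        ``self.num_hosts`` of them are checked, chosen at random when there
        are more. For each address of each host the chain is fetched from
        port 443, wrapped in a CertVerifyReq and passed to
        ``self.send_verify``. Non-None responses are logged with their
        rating and judgement. ``socket.gaierror``, ``socket.timeout`` and
        ``OpenSSL.SSL.SysCallError`` are logged as failures for that address
        and the loop moves on.

        Returns None.
        """
        hosts = self.get_hosts()
        if hosts is None:
            print("getHosts failed. aborting verification.")
            return

        if self.num_hosts < len(hosts):
            hosts = random.sample(hosts, self.num_hosts)

        for host in hosts:
            ips = Verifier.resolve_ips(host)
            if not ips:
                self.logger.error(
                    VerifyFailureMsg(host, 0, "Could not resolve hostname."))
                # NOTE(review): returning here skips every host that has not
                # been processed yet, so one resolution failure ends the run.
                # Confirm this is wanted instead of continuing with the next.
                return
            for ip in ips:
                # NOTE(review): exceptions other than the three caught below
                # are not handled and abort the run for the remaining hosts.
                try:
                    print("Retrieving chain for %s (hostname %s)" % (ip, host))
                    chain = get_chain(ip, 443)
                    cvr = CertVerifyReq()
                    # TODO: Find out whether we are behind an SSL proxy
                    cvr.createFromValues(0, chain, host, ip, 443)
                    response = self.send_verify(self.cert, self.cbhostname,
                                                cvr)
                    # Nothing is logged when send_verify returns None.
                    if response is not None:
                        self.logger.info(
                            VerifySuccessMsg(host, ip, response.rating,
                                             response.judgement))
                except socket.gaierror as e:
                    # print(...) with one formatted argument prints the same
                    # text as the print statement did and matches the calls
                    # already used at the top of this method.
                    print("Skipping cert verification of %s due to unsupported IP version (address: %s). Error: %s" % (
                        host, ip, e))
                    self.logger.error(
                        VerifyFailureMsg(host, ip, "Unsupported IP version"))
                except socket.timeout as e:
                    print("Skipping cert verification of %s (IP %s) due to timeout. Error: %s" % (
                        host, ip, e))
                    self.logger.error(VerifyFailureMsg(host, ip, "Timeout"))
                except OpenSSL.SSL.SysCallError as e:
                    print("Skipping cert verification of %s (IP %s) due to OpenSSL syscall error. Error: %s" % (
                        host, ip, e))
                    self.logger.error(
                        VerifyFailureMsg(host, ip, "OpenSSL syscall error"))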