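def doVerify(self, port=443):
    """Verify the TLS certificate chains of a sample of the configured hosts.

    Fetches the host list via ``self.get_hosts()``, trims it to at most
    ``self.num_hosts`` randomly chosen entries, resolves each host and, for
    every resolved address, fetches the chain served on ``port`` (default 443)
    and submits it in a ``CertVerifyReq`` to ``self.send_verify``. Outcomes are
    reported through ``self.logger``; nothing is returned.

    Note that the chain is fetched as presented by the remote endpoint and is
    not validated locally here -- the rating/judgement comes back from the
    verification service.

    Error handling is per host / per address: a host that does not resolve,
    or an address that has an unsupported IP version, times out or trips an
    OpenSSL syscall error, is logged as a failure and skipped so that the
    remaining hosts are still checked. Only a failed ``get_hosts()`` aborts
    the whole run.

    Args:
        port: TCP port to fetch the chain from; 443 keeps the old behaviour.
    """
    hosts = self.get_hosts()
    if hosts is None:
        print("getHosts failed. aborting verification.")
        return
    # Only probe a random subset per run; this is load spreading, not a
    # security decision, so ``random`` (not ``secrets``) is adequate.
    if self.num_hosts < len(hosts):
        hosts = random.sample(hosts, self.num_hosts)
    for host in hosts:
        ips = Verifier.resolve_ips(host)
        if not ips:
            self.logger.error(
                VerifyFailureMsg(host, 0, "Could not resolve hostname."))
            # Fix: a single unresolvable host used to ``return`` and silently
            # leave every remaining host unverified. Skip just this host,
            # consistent with the per-address error paths below.
            continue
        for ip in ips:
            try:
                print("Retrieving chain for %s (hostname %s)" % (ip, host))
                chain = get_chain(ip, port)
                cvr = CertVerifyReq()
                # TODO: Find out whether we are behind an SSL proxy
                cvr.createFromValues(0, chain, host, ip, port)
                response = self.send_verify(self.cert, self.cbhostname, cvr)
                if response is not None:
                    self.logger.info(
                        VerifySuccessMsg(host, ip, response.rating,
                                         response.judgement))
            except socket.gaierror as e:
                print("Skipping cert verification of %s due to unsupported IP version (address: %s). Error: %s" % (host, ip, e))
                self.logger.error(
                    VerifyFailureMsg(host, ip, "Unsupported IP version"))
            except socket.timeout as e:
                print("Skipping cert verification of %s (IP %s) due to timeout. Error: %s" % (host, ip, e))
                self.logger.error(VerifyFailureMsg(host, ip, "Timeout"))
            except OpenSSL.SSL.SysCallError as e:
                print("Skipping cert verification of %s (IP %s) due to OpenSSL syscall error. Error: %s" % (host, ip, e))
                self.logger.error(
                    VerifyFailureMsg(host, ip, "OpenSSL syscall error"))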
def executeHT(self,ht):
    """Execute one hunting task and build the report for it.

    ``ht`` is the task message. Its ``type`` chooses the address family
    (``IPV4_SHA256_TASK`` means IPv4; NOTE(review): every other type is treated
    as IPv6 without checking that it really is an IPv6 task), ``targetIP`` /
    ``targetPort`` identify the endpoint whose certificate chain is fetched,
    and ``knownCertHashes`` (optional) lists chain hashes the server already
    knows.

    Returns ``None`` -- after logging an ``HTFailMsg`` -- when no fresh public
    IP could be obtained for that address family. Otherwise returns an
    ``HTRepKnownCert`` carrying the first fetched-chain hash that equals one
    of the known hashes, or an ``HTRepNewCert`` carrying the whole fetched
    chain when none matches. Either report also carries the current server
    time, the public-IP HMAC and a traceroute from our public IP to the
    target. The chain is reported as presented by the target; no local
    validation happens here.
    """
    # TODO get this to the report
    family = 4 if ht.type == messageTypes["IPV4_SHA256_TASK"] else 6
    if not self.freshen_pip(family):
        self.logger.error(HTFailMsg(ht.taskID, ht.targetHost, ht.targetIP,
                                    "No PublicIP for Task"))
        print("Skipping execution of task %s due to the lack of fresh PublicIP for it." % (ht.taskID,))
        return None

    # TODO get this to the report
    chain = get_chain(ht.targetIP,ht.targetPort)

    # Look for a hash of the fetched chain that the server already knows.
    witness = None
    if ht.knownCertHashes:
        ht.cccHashs = compute_chain_hashes(chain)
        known = ht.knownCertHashes
        witness = next(
            (candidate for candidate in ht.cccHashs
             if any(candidate == k for k in known)),
            None)

    # TODO get this to report
    pip = self.hts["pip"][family]["not"]
    trace = self.tracer.traceroute(pip.publicIPString, ht.targetIP)

    # TODO get this to report
    clock = self.hts["cs"]
    if witness:
        rep = HTRepKnownCert()
        payload = witness
    else:
        rep = HTRepNewCert()
        payload = chain
    rep.createFromValues(ht.taskID, clock.currentServTime(), pip.hmac,
                         payload, trace)
    return rep
def executeHT(self, ht):
    """Run a single hunting task and return its report.

    The task ``ht`` supplies the address family via ``ht.type``
    (``IPV4_SHA256_TASK`` selects IPv4; NOTE(review): any other type value is
    treated as IPv6, there is no explicit IPv6 check), the endpoint
    ``ht.targetIP``:``ht.targetPort`` whose certificate chain is fetched, and
    optionally ``ht.knownCertHashes``, the chain hashes already known to the
    server.

    Returns ``None`` if ``self.freshen_pip`` cannot provide a fresh public IP
    for that family (an ``HTFailMsg`` is logged first). Otherwise returns
    ``HTRepKnownCert`` with the first hash of the fetched chain that matches a
    known hash, or ``HTRepNewCert`` with the complete fetched chain when there
    is no match; both carry the server time, the public-IP HMAC and a
    traceroute to the target. The chain is forwarded as served by the target
    and is not validated locally in this method.
    """
    # TODO get this to the report
    family = 4 if ht.type == messageTypes["IPV4_SHA256_TASK"] else 6
    if not self.freshen_pip(family):
        self.logger.error(
            HTFailMsg(ht.taskID, ht.targetHost, ht.targetIP,
                      "No PublicIP for Task"))
        print("Skipping execution of task %s due to the lack of fresh PublicIP for it." % (ht.taskID,))
        return None

    # TODO get this to the report
    chain = get_chain(ht.targetIP, ht.targetPort)

    # First chain hash equal to one of the known hashes, if any.
    witness = None
    if ht.knownCertHashes:
        ht.cccHashs = compute_chain_hashes(chain)
        known = ht.knownCertHashes
        witness = next(
            (candidate for candidate in ht.cccHashs
             if any(candidate == k for k in known)),
            None)

    # TODO get this to report
    pip = self.hts["pip"][family]["not"]
    trace = self.tracer.traceroute(pip.publicIPString, ht.targetIP)

    # TODO get this to report
    clock = self.hts["cs"]
    if witness:
        rep = HTRepKnownCert()
        payload = witness
    else:
        rep = HTRepNewCert()
        payload = chain
    rep.createFromValues(ht.taskID, clock.currentServTime(), pip.hmac,
                         payload, trace)
    return rep
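def doVerify(self, port=443):
    """Verify the certificate chains of a random sample of configured hosts.

    Gets the host list from ``self.get_hosts()``, keeps at most
    ``self.num_hosts`` randomly sampled entries, resolves each host and for
    each resolved address fetches the chain served on ``port`` (443 by
    default) and submits it as a ``CertVerifyReq`` through
    ``self.send_verify``. Results go to ``self.logger``; nothing is returned.

    The chain is submitted exactly as the remote endpoint presented it; this
    method performs no local validation -- the rating and judgement are
    produced by the verification service.

    Failures are isolated per host / per address: an unresolvable host, and
    an address with an unsupported IP version, a timeout or an OpenSSL
    syscall error, are each logged as ``VerifyFailureMsg`` and skipped so the
    other hosts are still verified. Only a failed ``get_hosts()`` aborts.

    Args:
        port: TCP port the chain is fetched from; 443 preserves the old
            behaviour.
    """
    hosts = self.get_hosts()
    if hosts is None:
        print("getHosts failed. aborting verification.")
        return
    # Sampling only spreads load across runs; it is not security-relevant,
    # so the ``random`` module is fine here.
    if self.num_hosts < len(hosts):
        hosts = random.sample(hosts, self.num_hosts)
    for host in hosts:
        ips = Verifier.resolve_ips(host)
        if not ips:
            self.logger.error(
                VerifyFailureMsg(host, 0, "Could not resolve hostname."))
            # Fix: this used to ``return``, so one DNS failure ended the run
            # and left all later hosts unverified. Skip only this host, as
            # the per-address handlers below already do.
            continue
        for ip in ips:
            try:
                print("Retrieving chain for %s (hostname %s)" % (ip, host))
                chain = get_chain(ip, port)
                cvr = CertVerifyReq()
                # TODO: Find out whether we are behind an SSL proxy
                cvr.createFromValues(0, chain, host, ip, port)
                response = self.send_verify(self.cert, self.cbhostname, cvr)
                if response is not None:
                    self.logger.info(
                        VerifySuccessMsg(host, ip, response.rating,
                                         response.judgement))
            except socket.gaierror as e:
                print("Skipping cert verification of %s due to unsupported IP version (address: %s). Error: %s" % (
                    host, ip, e))
                self.logger.error(
                    VerifyFailureMsg(host, ip, "Unsupported IP version"))
            except socket.timeout as e:
                print("Skipping cert verification of %s (IP %s) due to timeout. Error: %s" % (
                    host, ip, e))
                self.logger.error(VerifyFailureMsg(host, ip, "Timeout"))
            except OpenSSL.SSL.SysCallError as e:
                print("Skipping cert verification of %s (IP %s) due to OpenSSL syscall error. Error: %s" % (
                    host, ip, e))
                self.logger.error(
                    VerifyFailureMsg(host, ip, "OpenSSL syscall error"))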