def Connect(self, host, port=_OVERLORD_HTTP_PORT, ssh_pid=None,
username=None, password=None, orig_host=None):
self._state.username = username
self._state.password = password
self._state.host = host
self._state.port = port
self._state.ssl = False
self._state.ssl_self_signed = False
self._state.orig_host = orig_host
self._state.ssh_pid = ssh_pid
self._state.selected_mid = None
tls_enabled = self._TLSEnabled()
if tls_enabled:
result = self._CheckTLSCertificate()
if not result:
if self._state.ssl_self_signed:
return ('SSLCertificateChanged', ssl.get_server_certificate(
(self._state.host, self._state.port)))
else:
return ('SSLVerifyFailed', ssl.get_server_certificate(
(self._state.host, self._state.port)))
try:
self._state.ssl = tls_enabled
UrlOpen(self._state, '%s:%d' % (host, port))
except urllib2.HTTPError as e:
return ('HTTPError', e.getcode(), str(e), e.read().strip())
except Exception as e:
return str(e)
else:
return True
def https_open(self, req):
ca_certs = config.get('http.ca_certs_file', DEFAULT_CA_CERTS)
if config.get('http.verify_server_certificates', True) and os.path.exists(ca_certs):
frags = urlparse.urlparse(req.get_full_url())
ssl.get_server_certificate((frags.hostname, frags.port or 443),
ca_certs=ca_certs)
return self.do_open(httplib.HTTPSConnection, req)
def get_fingerprint(host, port=443, external=None, log_prefix=''):
tls_error = None
fingerprint_error = None
cert = None
logging.debug("%sGetting TLS certificate "
"for %s:%d." % (log_prefix, host, port))
try:
cert = ssl.get_server_certificate((host, port),
ssl_version=ssl.PROTOCOL_TLSv1)
# if this fails, there's a possibility that SSLv3 handshake was
# attempted and rejected by the server. Use TLSv1 instead.
except ssl.SSLError:
# exception could also happen here
try:
cert = ssl.get_server_certificate((host, port),
ssl_version=ssl.PROTOCOL_SSLv23)
except Exception as exp:
tls_error = str(exp)
except Exception as exp:
tls_error = str(exp)
# this comes out as unicode, but m2crypto breaks if it gets
# something other than a string, so convert to ascii
if type(cert) == unicode:
cert = cert.encode('ascii', 'ignore')
if tls_error is None and m2crypto_imported:
try:
x509 = M2Crypto.X509.load_cert_string(cert,
M2Crypto.X509.FORMAT_PEM)
fingerprint = x509.get_fingerprint('sha1')
except Exception as exp:
fingerprint_error = str(exp)
if not m2crypto_imported:
fingerprint_error = "M2Crypto could not be imported."
# the external result is used when threading to store
# the results in the list container provided.
row = "%s:%s" % (host, port)
# handle return value based on exception types
if tls_error is None and fingerprint_error is None:
if external is not None and type(external) is dict:
external[row] = {"cert": cert,
"fingerprint": fingerprint.lower()}
return fingerprint.lower(), cert
elif tls_error is None and fingerprint_error is not None:
if external is not None and type(external) is dict:
external[row] = {"cert": cert,
"fingerprint_error": fingerprint_error}
return fingerprint_error, cert
else:
if external is not None and type(external) is dict:
external[row] = {"tls_error": tls_error,
"fingerprint_error": fingerprint_error}
return fingerprint_error, tls_error
def fromHost(host, port, certtype='U', ssl_version=None):
logging.info("Getting certificate from %s:%d" % (host, port))
if ssl_version is None:
cert = ssl.get_server_certificate((host, port))
else:
cert = ssl.get_server_certificate((host, port), ssl_version=ssl_version)
x509 = X509.load_cert_string(cert.encode('ascii', 'ignore'))
return CertOverrideEntry(host, port, x509=x509, certtype=certtype)
def https_open(self, req):
ca_certs = self.SSL_CA_CERTS
frags = urlparse.urlparse(req.get_full_url())
ssl.get_server_certificate(
(frags.hostname, frags.port or 443),
ca_certs=ca_certs
)
return self.do_open(httplib.HTTPSConnection, req)
def clickedLocal(self):
"""
docstring
"""
# Validate input and parse the URL
try:
if ( self.URLtext.get().isalpha() ) or \
( self.URLtext.get().isdigit() ):
raise ValueError
else:
self.parsedURL = urlparse(self.URLtext.get())
# print (self.parsedURL)
# print (self.parsedURL.geturl())
# print (self.parsedURL.port())
# obtain ceritificate through local interface
# this is pretty automagical, prob need to look at sockets
# how do we bind a stream to a specific interface?
print("Attempting to obtain cert on local interface "
"for %s\n" % (self.URLtext.get()))
try:
# if the user inputs www.url.com
self.cert = ssl.get_server_certificate(
(self.parsedURL.path,443))
print ("Obtained cert for %s on local interface\n" %
(self.URLtext.get()))
print (self.cert)
except:
# if the user inputs http://www.url.com
self.cert = ssl.get_server_certificate(
(self.parsedURL.netloc,443))
print ("Obtained cert for %s on local interface\n" %
(self.URLtext.get()))
print (self.cert)
# validate that the certificate has been signed by a CA?
global cert_Length
cert_Length = len(self.cert) #set global variable to length
print ("set cert_Length to ", len(self.cert))
# store cert in variable for checking
self.localcert = self.cert
# update the cert label in GUI
self.label2text.set(self.URLtext.get())
if self.vpncert:
self.certChecker()
except ValueError:
print("Input a valid URL\n")
except ConnectionRefusedError:
print("Connection refused. Check the URL.\n")
def _validate_server_ssl_cert(self):
if not self.validate_host:
return
try:
ssl.get_server_certificate((self._real_host, self._real_port))
except ssl.SSLError:
raise InvalidHostSSLCertificate('Cannot verify host <%s> with ca cert: %s' %
(self._real_host, self.ca_cert_file))
def check_ssl(self, hostname, port, cafile_local):
try:
open(cafile_local,'r')
except :
print "Error in check_ssl (open function)"
raise
try:
ssl.get_server_certificate((hostname, port), ca_certs=cafile_local)
except ssl.SSLError:
print "Error in check_ssl (ssl.get_server_certificate function)"
raise ssl.SSLError('SSL cert of Host:'+str(hostname)+' Port:'+str(port)+' is invalid')
def get_ssl_number_of_hosts(remote_host):
'''Get number of Alternative names for a (SAN) Cert
'''
for ssl_version in ssl_versions:
try:
cert = ssl.get_server_certificate((remote_host, 443),
ssl_version=ssl_version)
except ssl.SSLError:
# This exception m
continue
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
sans = []
for idx in range(0, x509.get_extension_count()):
extension = x509.get_extension(idx)
if extension.get_short_name() == 'subjectAltName':
sans = [san.replace('DNS:', '') for san
in str(extension).split(',')]
break
# We can actually print all the Subject Alternative Names
# for san in sans:
# print san
result = len(sans)
break
else:
raise ValueError('Get remote host certificate info failed...')
return result
def install_trusted_ca(self):
'''
Add the CA that signed the certificate for self.url as trusted.
'''
import ssl
import subprocess
# parse the url
res = urlparse(self.url)
if res.scheme.lower() != "https":
return
port = res.port or 443
# get the PEM-encoded certificate
cert = ssl.get_server_certificate((res.hostname, port))
# the returned cert maybe messed up because of python-ssl bug Issue8086
if not cert.endswith("\n-----END CERTIFICATE-----\n"):
cert = cert.replace("-----END CERTIFICATE-----",
"\n-----END CERTIFICATE-----\n")
# dump it in the directory, and run make
with open(os.path.join(settings.XMLRPC_TRUSTED_CA_PATH,
res.hostname+"-ca.crt"),
'w') as cert_file:
cert_file.write(cert)
# TODO: Don't run make here. Do the linking manually.
subprocess.Popen(['make', '-C', settings.XMLRPC_TRUSTED_CA_PATH],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
def getcert(a):
"""Get SSL Cert CN"""
refPorts = open("config/ports.txt", "r").readlines()
for port in refPorts:
# Make sure we don't have any extra characters like \n or \r
port = port.rstrip()
try:
# time to connect!
cert = ssl.get_server_certificate((a, port))
except Exception, e:
# If it can't connect go to the next iteration so we don't waste time
continue
try:
# use openssl to pull cert information
c = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
subj = c.get_subject()
comp = subj.get_components()
for data in comp:
if "CN" in data:
out[a] = a, data[1]
elif "CN" not in data:
continue
else:
continue
except Exception, e:
# if openssl fails to get information, return nothing
continue
def create_cert(hostname):
"""Create self-signed certificate."""
# Fetch the X509 certificate to get all values for our fake certificate
target_cert = ssl.get_server_certificate((hostname, 443))
target_x509 = M2Crypto.X509.load_cert_string(target_cert)
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
if target_x509.get_subject().C:
cert.get_subject().C = str(target_x509.get_subject().C)
if target_x509.get_subject().ST:
cert.get_subject().ST = str(target_x509.get_subject().ST)
if target_x509.get_subject().L:
cert.get_subject().L = str(target_x509.get_subject().L)
if target_x509.get_subject().O:
cert.get_subject().O = str(target_x509.get_subject().O)
if target_x509.get_subject().CN:
cert.get_subject().CN = str(target_x509.get_subject().CN)
cert.set_serial_number(target_x509.get_serial_number())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
return (cert,k)
def test_revoked_cert_is_revoked(self):
hostname = "revoked.stripe.com"
cert = ssl.get_server_certificate((hostname, 444))
der_cert = ssl.PEM_cert_to_DER_cert(cert)
self.assertRaises(APIError,
lambda: certificate_blacklist.verify(
hostname, der_cert))
def poll(self):
import socket, ssl
self.port = self.port or ports.ssl
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.resolve(self.site), self.port))
sslSocket = socket.ssl(s)
if self.v:
issuer_details = sslSocket.issuer().replace('/', '\n')
server_details = sslSocket.server().replace('/', '\n')
self.v_out += issuer_details
self.v_out += server_details
if sslSocket.cipher():
status = "%s-%s-%s" % (sslSocket.cipher()[0], sslSocket.cipher()[1], sslSocket.cipher()[2])
else:
status = 'unavailable'
if self.vv:
self.vv_out += 'remote pem certificate\n'
self.vv_out += ssl.get_server_certificate(('74.125.225.85', 443))
return 0, status
except socket.error, e:
if self.v or self.vv:
print 'socket error', e
return 1, e
def main(argv):
if len(argv) != 1 and len(argv) != 2:
print "Usage: pin.py [<certificate_path> | <host> <port>]"
return
if (len(argv) == 1):
cert = X509.load_cert(argv[0])
else:
peerCert = ssl.get_server_certificate((argv[0], int(argv[1])))
cert = X509.load_cert_string(peerCert)
pubkey = cert.get_pubkey().as_der()
digest = hashlib.sha256()
digest.update(pubkey)
sha256 = digest.digest()
print "Calculating PIN for certificate: " + cert.get_subject().as_text()
print "\n"
print "Public Key Pins:"
print "----------------"
print "SHA256:" + binascii.hexlify(sha256)
print "PLAIN:" + binascii.hexlify(pubkey)
print "\n"
print "Certificate Pins:"
print "-----------------"
print "CERTSHA256:" + cert.get_fingerprint('sha256')
print "CERTPLAIN:" + binascii.hexlify(cert.as_der())
def submit(request):
ip_input = request.POST['iprange']
if '/' in ip_input:
ip_split = ip_input.split(",")
ips = IPSet(ip_split)
elif '-' in ip_input:
ip_split = ip_input.split("-")
ips = IPRange(ip_split[0], ip_split[1])
else:
pass
certs = []
for idx, ip in enumerate(ips):
try:
sock = socket.socket()
sock.settimeout(0.1) #filter hosts with long response
sock.connect((str(ip), 443)) #check if host responses
cert = ssl.get_server_certificate((str(ip), 443))
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
for i in range(x509.get_extension_count()):
if x509.get_extension(i).get_short_name() == b'subjectAltName':
alt_names = x509.get_extension(i)
else:
pass
subject = x509.get_subject().CN
issuer = x509.get_issuer().CN
sign_algorithm = x509.get_signature_algorithm()
valid_from = str(x509.get_notBefore(), encoding="utf-8")
valid_from = valid_from[:4] + "/" + valid_from[4:6] + "/" + valid_from[6:8] + " " + valid_from[8:10] + ":" + valid_from[10:12] + ":" + valid_from[12:14]
valid_until = str(x509.get_notAfter(), encoding="utf-8")
valid_until = valid_until[:4] + "/" + valid_until[4:6] + "/" + valid_until[6:8] + " " + valid_until[8:10] + ":" + valid_until[10:12] + ":" + valid_until[12:14]
certs.append([str(ip), subject, issuer, sign_algorithm, valid_from, valid_until, str(alt_names)])
except Exception as e:
pass
return render(request, 'test_ssl/result.html', {'ips': ips, 'certs': certs})
def scan(d):
with term.location(*location):
print term.bold_red_on_bright_green("Scanning: "+d)
if(sslp=="yes"):
s_ = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = ssl.wrap_socket(s_, ca_certs='/usr/local/lib/python2.7/dist-packages/requests/cacert.pem',cert_reqs=ssl.CERT_OPTIONAL)
s.settimeout(0.1)
d=str(d)
try:
result = s.connect_ex((d, int(port)))
except Exception, e:
message = "Error: "+d.rstrip()+","+getrev(d)
message += str(e)
try:
cert = ssl.get_server_certificate((d, 443), ssl_version=ssl.PROTOCOL_TLSv1)
x509 = M2Crypto.X509.load_cert_string(cert)
r = x509.get_subject().as_text()
val = r.split(",")
for i, j in enumerate(val):
if j.find("CN=") != -1:
val[i]=j.replace("CN=","")
val[i]=val[i].strip()
message += ","+val[i]
return message
except Exception, e:
return d.rstrip()+","+getrev(d)+","+"CERT ERROR!"
def do_pki_trust(self, url_CA, ca_engine, check_fqdn, user_fprint, reg_protocol, engine_fqdn, engine_port):
"""
Download CA from Engine and save in the filesystem if ca_file is
specified
"""
self.logger.debug("Collecting CA data from Engine...")
temp_ca_file = None
cert_exists = None
if ca_engine is None:
ca_dir = "/tmp"
temp_ca_file = True
else:
ca_dir = os.path.dirname(ca_engine)
if ca_engine and os.path.exists(ca_engine):
self._pem_data(ca_engine)
calculated_fprint = self._collect_fingerprint(ca_engine)
cert_exists = True
else:
if not os.path.exists(ca_dir):
os.makedirs(ca_dir, 0o755)
system.silent_restorecon(ca_dir)
system.NodeImage().persist(ca_dir)
if reg_protocol == "legacy":
# REQUIRED_FOR: Engine 3.3
res = ssl.get_server_certificate((engine_fqdn, int(engine_port)))
else:
res = HTTP().execute_request(
url=url_CA, ca_engine=ca_engine, cert_validation=False, check_fqdn=check_fqdn
)
with tempfile.NamedTemporaryFile(dir=ca_dir, delete=False) as f:
f.write(res)
self._pem_data(f.name)
calculated_fprint = self._collect_fingerprint(f.name)
if user_fprint and user_fprint.lower() != calculated_fprint.lower():
msg = (
"The fingeprints doesn't match:\n"
"Calculated fingerprint: [{c}]\n"
"Fingerprint provided: [{a}]".format(c=calculated_fprint, a=user_fprint)
)
self.logger.error(msg)
raise RuntimeError(msg)
if not cert_exists and not temp_ca_file:
shutil.move(f.name, ca_engine)
system.NodeImage().persist(ca_engine)
if temp_ca_file:
ca_engine = f.name
self.logger.debug("Calculated fingerprint: {f}".format(f=self.pem_fingerprint))
return ca_engine, temp_ca_file
def check_virtual_host_certificate(step):
for host_hash in step.hashes:
obj = getattr(world, host_hash['source_name'])
cert_key = DEFAULT_SSL_CERTS.get(host_hash['key'])
# hostname handler
if host_hash['source'] == 'domain':
key = cert_key.get('key_name')
url = 'https://%s' % obj.name
for _ in xrange(10):
try:
res = requests.get(url, verify=key)
LOG.debug('Remote host %s request result: %s' % (url, res.text))
break
except exceptions.SSLError as e:
raise RuntimeError('Can not verify remote cert with local key: %s\n%s' % (key, e.message))
except Exception as e:
LOG.error('%s' % e.message)
time.sleep(3)
else:
raise AssertionError('Can not retrieve content from remote host: %s.' % url)
# ip handler
elif host_hash['source'] == 'server':
server_cert = ssl.get_server_certificate((obj.public_ip, 443))
LOG.debug('Server %s SSL certifacate: %s' % (obj.public_ip, server_cert))
assert server_cert == cert_key.get('cert'), 'Sever %s certificate do not match local' % obj.public_ip
def _get_cert(self, version): try: cert = ssl.get_server_certificate((self.address, 443), ssl_version=version) except ssl.SSLError: return None else: return cert
def get_certificate(target):
"""Attempt to collect SSL/TLS certificate information for the given host.
Parameters:
target The domain name to be used for certificate collection
"""
# Attempt to connect over port 443
try:
cert = ssl.get_server_certificate((target,443))
# If it can't connect, return nothing/fail
except:
return None
# Try to use OpenSSL to pull certificate information
try:
certificate = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,cert)
subj = certificate.get_subject()
comp = subj.get_components()
for i in comp:
if 'CN' in i[0].decode("utf-8"):
return i[1].decode("utf-8")
elif 'CN' not in i[0].decode("utf-8"):
continue
else:
return None
# If OpenSSL fails to get information, return nothing/fail
except:
return None
def connect_trusted_root(self, sock, root_cert, crl_certs):
self.ca_path = self.cert_path + "ca/"
server_cert = ssl.get_server_certificate(addr=(self.host, self.port))
global flag
if self.cert_file:
f = verify(server_cert, crl_certs, flag)
if not f:
flag = 1
elif f == 1:
raise Exception(1)
else:
import time
time.sleep(0.1)
try:
if self.FORCE_SSL_VERSION:
add = {"ssl_version": self.FORCE_SSL_VERSION}
else:
add = {}
add["cert_reqs"] = ssl.CERT_REQUIRED
# try to use PyOpenSSL by default
if PYOPENSSL_AVAILABLE:
wrap_class = PyOpenSSLSocket
add["keyobj"] = self.keyobj
add["certobj"] = self.certobj
add["keyfile"] = self.key_file
add["certfile"] = self.cert_file
else:
wrap_class = ssl.SSLSocket
self.sock = wrap_class(sock, ca_certs=self.ca_certs, **add)
return 0
except:
return 1
def checkCert(url):
"""Takes domain as input and gets information from the certificate.
Grabs the CN from the Cert to check that it matches.
Grabs the AltSubjects to see other possible targets.
"""
certdict = {}
alts = []
host = re.search("https://([^/:]*)",url).groups()[0]
try:
cert = ssl.get_server_certificate((host, 443),ssl_version=ssl.PROTOCOL_SSLv23)
except Exception as e:
bad_print("Error Requesting Certificate from " + host)
# print e
return {}
if cert:
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
cn = x509.get_subject().commonName
for extension in range(x509.get_extension_count()):
if x509.get_extension(extension).get_short_name() == "subjectAltName":
alts = str(x509.get_extension(extension)).split()
if cn != host:
good_print("Hostname from cert: " + str(cn))
certdict['cn'] = cn
if len(alts) > 1:
good_print("Alternate Subjects from Cert: " + str(len(alts)) + ("\t(Run with -s to display)" if not args.subjects else ""))
clean_alts = [alt.replace("DNS:","").replace(",","") for alt in alts]
certdict['altsubjectnames'] = clean_alts
if args.subjects == True:
for alt in alts:
good_print("\tAlternate "+alt.replace(",",""))
return certdict
def _check_ssl_cert(self):
"""Preflight the SSL certificate presented by the backend.
This isn't 100% bulletproof, in that we're not actually validating the
transport used to communicate with Ping++, merely that the first
attempt to does not use a revoked certificate.
Unfortunately the interface to OpenSSL doesn't make it easy to check
the certificate before sending potentially sensitive data on the wire.
This approach raises the bar for an attacker significantly."""
from pingpp import verify_ssl_certs
if verify_ssl_certs and not self._CERTIFICATE_VERIFIED:
uri = urlparse.urlparse(pingpp.api_base)
try:
certificate = ssl.get_server_certificate(
(uri.hostname, uri.port or 443), ssl_version=3)
der_cert = ssl.PEM_cert_to_DER_cert(certificate)
except socket.error, e:
raise error.APIConnectionError(e)
except TypeError:
# The Google App Engine development server blocks the C socket
# module which causes a type error when using the SSL library
if util.is_appengine_dev():
self._CERTIFICATE_VERIFIED = True
warnings.warn(
'We were unable to verify Ping++\'s SSL certificate '
'due to a bug in the Google App Engine development '
'server. Please alert us immediately at '
'[email protected] if this message appears in your '
'production logs.')
return
else:
raise
def verify_ssl_cn(server, port):
"""
*Availability: Must have the OpenSSL Python module installed.*
Verify the SSL certificate given by the ``server`` when connecting on the
given ``port``. This returns ``None`` if OpenSSL is not available or
'NoCertFound' if there was no certificate given. Otherwise, a two-tuple
containing a boolean of whether the certificate is valid and the
certificate information is returned.
"""
if not ssl:
return None
cert = None
for version in (ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23):
try:
cert = ssl.get_server_certificate((server, port), ssl_version=version)
break
except Exception as e:
pass
if cert is None:
return 'NoCertFound'
valid = False
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
cret_info = x509.get_subject().get_components()
cn = x509.get_subject().commonName
if cn == server:
valid = True
elif '*' in cn:
cn = cn.replace('*.', '')
if re.match('(.*)%s' % cn, server, re.IGNORECASE) is not None:
valid = True
return (valid, cret_info)
def download_file(self, url):
injectd_url = self.extract_url(urllib2.unquote(url))
try:
req = urllib2.Request(injectd_url)
# Set User-Agent to look more credible
req.add_unredirected_header('User-Agent', '-')
# FIXME: We need a timeout on read here
injected_file = urllib2.urlopen(req, timeout=4).read()
# If the file is hosted on a SSL enabled host get the certificate
if re.match('^https', injectd_url, re.IGNORECASE):
proto, rest = urllib2.splittype(injectd_url)
host, rest = urllib2.splithost(rest)
host, port = urllib2.splitport(host)
if port is None:
port = 443
cert_file = ssl.get_server_certificate((host, int(port)))
cert_name = self.store_file(cert_file)
except IOError as e:
logger.exception("Failed to fetch injected file, I/O error: {0}".format(e))
# TODO: We want to handle the case where we can't download
# the injected file but pretend to be vulnerable.
file_name = None
else:
file_name, file_sha256 = self.store_file(injected_file)
return file_name, file_sha256
def download_cert(host, port, options, logfile):
"""Download an SSL certificate and append it to the logfile."""
try:
cert = ssl.get_server_certificate((host, port))
append_logs(logfile, options, cert, "")
except ssl.SSLError:
pass
def test_https_cert_invalid(self):
"""Verify vikidia SSL certificate is invalid."""
try:
from pyasn1_modules import pem, rfc2459
from pyasn1.codec.der import decoder
except ImportError:
raise unittest.SkipTest('pyasn1 and pyasn1_modules not available.')
import ssl
import io
cert = ssl.get_server_certificate(addr=('en.vikidia.org', 443))
s = io.StringIO(unicode(cert))
substrate = pem.readPemFromFile(s)
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
tbs_cert = cert.getComponentByName('tbsCertificate')
issuer = tbs_cert.getComponentByName('issuer')
organisation = None
for rdn in issuer.getComponent():
for attr in rdn:
attr_type = attr.getComponentByName('type')
if attr_type == rfc2459.id_at_organizationName:
value, _ = decoder.decode(attr.getComponentByName('value'),
asn1Spec=rfc2459.X520name())
organisation = str(value.getComponent())
break
self.assertEqual(organisation, 'TuxFamily.org non-profit organization')
def get_server_certificate(hostname, port=443):
cert=ssl.get_server_certificate((hostname, port))
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
expire_date_str = x509.get_notAfter().decode()[:-1] # 20181107235959Z, 去掉最后的字母Z
expire_date = datetime.datetime.strptime(expire_date_str, "%Y%m%d%H%M%S")
expire_date = expire_date + datetime.timedelta(hours=8) # 默认的时间是0时区的时间, 需要加8个小时
print(hostname, expire_date)
def connect_trusted_root(self, sock, root_cert, crl_certs):
self.ca_path = self.cert_path + "ca/"
server_cert = ssl.get_server_certificate(addr=(self.host, self.port))
global flag
if self.cert_file:
f = verify(server_cert, crl_certs, flag)
if not f:
flag = 1
elif f == 1:
sys.exit()
else:
import time
time.sleep(1)
try:
self.sock = ssl.wrap_socket(
sock,
certfile=self.cert_file,
keyfile=self.key_file,
ca_certs=root_cert,
ssl_version=ssl.PROTOCOL_SSLv23,
cert_reqs=ssl.CERT_REQUIRED,
)
dercert_after_connect = self.sock.getpeercert(True)
cert_after_connect = ssl.DER_cert_to_PEM_cert(dercert_after_connect)
if not server_cert == cert_after_connect:
print "\n" + _("WARNING! %s trying to replace the certificate!") % self.host + "\n"
self.sock.close()
return 2
return 0
except:
return 1
def CarbonCopy(host, port, signee, signed):
try:
#Fetching Details
ogcert = ssl.get_server_certificate((host, int(port)))
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, ogcert)
certDir = Path('certs')
certDir.mkdir(exist_ok=True)
#Creating Fake Certificate
CNCRT = certDir / (host + ".crt")
CNKEY = certDir / (host + ".key")
PFXFILE = certDir / (host + ".pfx")
#Creating Keygen
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, ((x509.get_pubkey()).bits()))
cert = crypto.X509()
#Setting Cert details from loaded from the original Certificate
cert.set_version(x509.get_version())
cert.set_serial_number(x509.get_serial_number())
cert.set_subject(x509.get_subject())
cert.set_issuer(x509.get_issuer())
cert.set_notBefore(x509.get_notBefore())
cert.set_notAfter(x509.get_notAfter())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
CNCRT.write_bytes(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
CNKEY.write_bytes(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
try:
pfx = crypto.PKCS12()
except AttributeError:
pfx = crypto.PKCS12Type()
pfx.set_privatekey(k)
pfx.set_certificate(cert)
pfxdata = pfx.export()
PFXFILE.write_bytes(pfxdata)
if platform == "win32":
shutil.copy(signee, signed)
subprocess.check_call([
"signtool.exe", "sign", "/v", "/f", PFXFILE, "/d",
"MozDef Corp", "/tr", TIMESTAMP_URL, "/td", "SHA256", "/fd",
"SHA256", signed
])
else:
args = ("osslsigncode", "sign", "-pkcs12", PFXFILE, "-n",
"Notepad Benchmark Util", "-i", TIMESTAMP_URL, "-in",
signee, "-out", signed)
subprocess.check_call(args)
except Exception as ex:
print("[X] Something Went Wrong!\n[X] Exception: " + str(ex))
def console(self, name, tunnel=False, web=False):
si = self.si
dc = self.dc
vcip = self.vcip
vmFolder = dc.vmFolder
vm = findvm(si, vmFolder, name)
if vm is None:
print("VM %s not found" % name)
return
elif vm.runtime.powerState == "poweredOff":
print("VM down")
return
extraconfig = vm.config.extraConfig
vncfound = False
for extra in extraconfig:
key, value = extra.key, extra.value
if 'vnc' in key and 'port' in key:
vncfound = True
vncport = value
break
else:
continue
if vncfound:
host = vm.runtime.host.name
url = "vnc://%s:%s" % (host, vncport)
consolecommand = "remote-viewer %s &" % (url)
if web:
return url
if self.debug or os.path.exists("/i_am_a_container"):
print(consolecommand)
if not os.path.exists("/i_am_a_container"):
os.popen(consolecommand)
else:
content = si.RetrieveContent()
sgid = content.about.instanceUuid
cert = get_server_certificate((self.vcip, 443))
cert_deserialize = x509.load_pem_x509_certificate(cert.encode(), default_backend())
finger_print = hexlify(cert_deserialize.fingerprint(hashes.SHA1())).decode('utf-8')
sha1 = ":".join([finger_print[i: i + 2] for i in range(0, len(finger_print), 2)])
vcenter_data = content.setting
vcenter_settings = vcenter_data.setting
for item in vcenter_settings:
key = getattr(item, 'key')
if key == 'VirtualCenter.FQDN':
fqdn = getattr(item, 'value')
sessionmanager = si.content.sessionManager
session = sessionmanager.AcquireCloneTicket()
vmid = vm._moId
vmurl = "https://%s/ui/webconsole.html?" % vcip
vmurl += "vmId=%s&vmName=%s&serverGuid=%s&host=%s&sessionTicket=%s&thumbprint=%s" % (vmid, name, sgid, fqdn,
session, sha1)
if web:
return vmurl
if self.debug or os.path.exists("/i_am_a_container"):
msg = "Open the following url:\n%s" % vmurl if os.path.exists("/i_am_a_container") else vmurl
pprint(msg)
else:
pprint("Opening url %s" % vmurl)
webbrowser.open(vmurl, new=2, autoraise=True)
def get_cn(ip: str, port: int):
dst = (ip, 443)
cert = ssl.get_server_certificate(dst).encode()
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
cert_hostname = x509.get_subject().CN
for name in cert_hostname.split("\n"):
yield name
def checkSSLNOTEXPIRED(url):
try:
cert = ssl.get_server_certificate((url, 443))
except:
return False
certificate = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
cert)
return not certificate.has_expired()
def ssl_key(domain):
print 'domain', domain
cert = ssl.get_server_certificate((domain, 443))
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
openssl_pubkey = x509.get_pubkey()
crypto_pubkey = openssl_pubkey.to_cryptography_key()
keyParams = crypto_pubkey.public_numbers()
return repr(dict(e=keyParams.e, n=keyParams.n, size=crypto_pubkey.key_size))
def main():
cert_pem = ssl.get_server_certificate(('127.0.0.1', 443),
ssl_version=ssl.PROTOCOL_TLSv1)
x509 = X509.load_cert_string(cert_pem, X509.FORMAT_PEM)
not_after = x509.get_not_after().get_datetime().strftime('%s')
now = datetime.now().strftime('%s')
cert_end_in = int(not_after) - int(now)
print('metric cert_end_in int %s' % cert_end_in)
async def _check_using_default_cert():
await asyncio.sleep(5)
server_cert = get_server_certificate(('127.0.0.1', 8443))
default_cert = _read_default_cert()
if server_cert == default_cert:
logging.warn(
'Insecure SSL private key and certificate in use. Consider generating and using your own '
'to improve security. Please see documentation.')
def get_server_cert():
cert = ssl.get_server_certificate((sys.argv[1], 443))
with open(sys.argv[1] + '.pem', 'w') as f:
f.write(cert)
f.close()
cert_text = subprocess.check_output(
["openssl", "x509", "-text", "-noout", "-in", sys.argv[1] + '.pem'])
print cert_text
def _get_cert(self, version):
try:
cert = ssl.get_server_certificate((self.address, 443),
ssl_version=version)
except ssl.SSLError:
return None
else:
return cert
def from_server(cls, host: str, port: int = 443) -> Optional['Certificate']: try: pem = ssl.get_server_certificate((host, port)) return cls.from_pem(pem) except ssl.SSLError: return None except ConnectionResetError: return None
def get_host_cert(hostname, port):
try:
cert_str = ssl.get_server_certificate((hostname, port))
cert = x509.load_pem_x509_certificate(cert_str.encode('utf-8'), default_backend())
assert isinstance(cert, x509.Certificate)
return cert
except ValueError as e:
print(f"Cert Error: {e}")
def fetch_ssl_certificate(self, url):
_url = urlparse.urlparse(url)
if _url.scheme not in ('https', ):
return
port = _url.port if _url.port else 443
certificate = ssl.get_server_certificate((_url.netloc, port))
log.ThugLogging.log_certificate(url, certificate)
def _check_ca_certificate(self):
"""
checks if the client has the certificate of AppBackend
:return: None
"""
if not os.path.exists(self._ca_certificate_path):
with open(self._ca_certificate_path, "w") as f:
f.write(ssl.get_server_certificate(("127.0.0.1", self._app_port), ssl_version=ssl.PROTOCOL_TLSv1_2))
def requestAsString(self):
output = {'code': 0}
try:
hostcert = ssl.get_server_certificate((self.server, self.port))
except socket.gaierror, E:
output['error'] = E.strerror
output['code'] = 404
return output
def _analyse_ssl_certificate(ip, host_name, port, host_port_name,
port_product):
result = None
try:
print(
"_analyse_ssl_certificate ip %s, host name %s, port %s " %
(ip, host_name, port))
cert = ssl.get_server_certificate((ip, port))
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
cert_issues = _cert_has_issues(cert, host_name)
cert.get_signature_algorithm().__hash__()
port_name = None
if host_port_name:
port_name = host_port_name[0]
product = None
if port_product:
product = port_product[0]
result = {
'host_ip':
ip,
'host_name':
host_name,
'port':
port,
'host_port_name':
port_name,
'port_product':
product,
'has_expired':
cert.has_expired(),
'starts_being_valid':
parser.parse(cert.get_notBefore()),
'stops being valid':
parser.parse(cert.get_notAfter()),
'serial_number':
str(cert.get_serial_number()),
'signature_algorithm':
cert.get_signature_algorithm().decode("utf-8"),
'pub_key':
_decode_pub_key(cert.get_pubkey().type()),
'pub_key_bits':
cert.get_pubkey().bits(),
'subject': {
'components':
dict((x.decode("utf-8"), y.decode("utf-8"))
for x, y in cert.get_subject().get_components())
},
'issuer':
dict((x.decode("utf-8"), y.decode("utf-8"))
for x, y in cert.get_issuer().get_components()),
'cert_issues':
cert_issues
}
except Exception as e:
print("Alerter inspect_ssl: ", e)
finally:
return result
return result
def main(argv=None):
# Do argv default this way, as doing it in the functional
# declaration sets it at compile time.
if argv is None:
argv = sys.argv
# Set up out output via logging module
output = logging.getLogger(argv[0])
output.setLevel(logging.DEBUG)
output_handler = logging.StreamHandler(sys.stdout) # Default is sys.stderr
# Set up formatter to just print message without preamble
output_handler.setFormatter(logging.Formatter("%(message)s"))
output.addHandler(output_handler)
args = parse_args(argv)
output_handler.setLevel(args.output_level)
if args.server:
hostname, port = args.server.split(":")
output.info("Getting certificate for {}:{}".format(hostname, port))
cert = ssl.get_server_certificate((hostname, int(port)))
output.debug("Got certificate, hashing...")
digest_string = cert_PEM_to_hash(cert)
output.debug("Hash is {}".format(digest_string))
elif args.cert_file:
with open(args.cert_file) as f:
lines = f.readlines()
digest_string = cert_PEM_to_hash("".join(lines))
output.debug("Hash is {}".format(digest_string))
else:
output.error("Certificate argument required.")
return (1)
query_host = "{}.certs.googlednstest.com".format(digest_string)
output.debug("Query is for {}".format(query_host))
try:
answer = resolver.query(query_host, "TXT")
except resolver.NXDOMAIN as e:
output.info("No information found.")
return (1)
for rdata in answer:
output.debug("Raw response is {}".format(rdata))
# Convert to string and remove quotes
rdata_str = str(rdata).strip("\"")
start_day_str, end_day_str, days_seen_str = rdata_str.split()
break
start_day = int(start_day_str)
end_day = int(end_day_str)
days_seen = int(days_seen_str)
start_secs = day_to_seconds(start_day)
end_secs = day_to_seconds(end_day)
fmt = "%d %B %Y"
output.info("Start date: " +
time.strftime(fmt, time.localtime(start_secs)))
output.info("End date: " + time.strftime(fmt, time.localtime(end_secs)))
output.info("Days seen: {}/{}".format(days_seen, end_day - start_day))
return (0)
def doGet(*args, **kwargs):
url = args[0]
doVhosts = kwargs.pop('vhosts' ,None)
urlQueue = kwargs.pop('urlQueue' ,None)
subs = kwargs.pop('subs' ,None)
extraHosts = kwargs.pop('extraHosts',None)
proxy = kwargs.pop('proxy',None)
kwargs['allow_redirects'] = False
session = requests.session()
if(proxy is not None):
session.proxies={'http':'socks5://'+proxy,'https':'socks5://'+proxy}
resp = session.get(url[0],**kwargs)
#If we have an https URL and we are configured to scrape hosts from the cert...
if(url[0].find('https') != -1 and url[1] == True):
#Pull hostnames from cert, add as additional URLs and flag as not to pull certs
host = urlparse(url[0]).hostname
port = urlparse(url[0]).port
if(port is None):
port = 443
names = []
try:
cert = ssl.get_server_certificate((host,port),ssl_version=ssl.PROTOCOL_SSLv23)
x509 = M2Crypto.X509.load_cert_string(cert.decode('string_escape'))
subjText = x509.get_subject().as_text()
names = re.findall("CN=([^\s]+)",subjText)
altNames = x509.get_ext('subjectAltName').get_value()
names.extend(re.findall("DNS:([^,]*)",altNames))
except:
pass
for name in names:
if(name.find('*.') != -1):
for sub in subs:
try:
sub = sub.strip()
hostname = name.replace('*.',sub+'.')
if(hostname not in extraHosts):
extraHosts[hostname] = 1
address = socket.gethostbyname(hostname)
urlQueue.put(['https://'+hostname+':'+str(port),False,url[2]])
print '[+] Discovered subdomain '+address
except:
pass
name = name.replace('*.','')
if(name not in extraHosts):
extraHosts[name] = 1
urlQueue.put(['https://'+name+':'+str(port),False,url[2]])
print '[+] Added host '+name
else:
if (name not in extraHosts):
extraHosts[name] = 1
urlQueue.put(['https://'+name+':'+str(port),False,url[2]])
print '[+] Added host '+name
return resp
else:
return resp
def lowsslcheck(self, domain, hsh):
certs = ssl.get_server_certificate((domain, 443))
certhash = hashlib.sha256(certs).hexdigest()
if self.logger:
self.logger.debug('Found %s as certificate hash' % certhash)
if isinstance(hsh, basestring):
hsh = [hsh]
if certhash not in hsh:
raise ssl.SSLError()
def _certhash(self, domain, port=443):
for proto in HTTPSConnection2._PROTOCOLS:
try:
certs = ssl.get_server_certificate((domain, port), ssl_version=proto)
except ssl.SSLError as e:
continue
else:
return hashlib.sha256(certs).hexdigest()
raise e
def onHtml(self, event, conexion, logger):
fila = self.listadoVM
for i in range(len(fila)):
if logger != None: logger.info(fila[i])
# El tercer elemento es la ip y el 9 es el UUID
vm = conexion.searchIndex.FindByUuid(None, fila[8], True)
vm_name = vm.summary.config.name
vm_moid = vm._moId
if logger != None: logger.info('void= '.format(vm_moid))
vcenter_data = conexion.setting
vcenter_settings = vcenter_data.setting
console_port = '9443'
puerto_vcenter = '443'
for item in vcenter_settings:
key = getattr(item, 'key')
#print ('key: ' + key + ' =>'+ str(getattr(item, 'value')))
if key == 'VirtualCenter.FQDN':
vcenter_fqdn = getattr(item, 'value')
#if key == 'WebService.Ports.https':
#console_port = str(getattr(item, 'value'))
host = vcenter_fqdn
session_manager = conexion.sessionManager
session = session_manager.AcquireCloneTicket()
vc_cert = ssl.get_server_certificate((host, int(puerto_vcenter)))
vc_pem = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
vc_cert)
vc_fingerprint = vc_pem.digest('sha1')
if logger != None: logger.info("Open the following URL in your browser to access the " \
"Remote Console.\n" \
"You have 60 seconds to open the URL, or the session" \
"will be terminated.\n")
#print(str(vcenter_data))
# Locate the version of vcenter the object .version for locate the version of vcenter
object_about = conexion.about
if logger != None:
logger.info("Vcenter version: : {}".format(object_about.version))
#For version vcenter 5.5
if object_about.version == '5.5.0':
console_portv5 = '7331'
URL5 = "http://" + host + ":" + console_portv5 + "/console/?vmId=" \
+ str(vm_moid) + "&vmName=" + vm_name + "&host=" + vcenter_fqdn \
+ "&sessionTicket=" + session + "&thumbprint=" + vc_fingerprint.decode('utf8')
webbrowser.open(URL5, new=1, autoraise=True)
#For version vcenter 6.0 and 6.5
if object_about.version == '6.0.0' or object_about.version == '6.5.0' or object_about.version == '6.7.0':
URL = "https://" + host + ":" + console_port + "/vsphere-client/webconsole.html?vmId=" \
+ str(vm_moid) + "&vmName=" + vm_name + "&host=" + vcenter_fqdn \
+ "&sessionTicket=" + session + "&thumbprint.info=" + vc_fingerprint.decode('utf-8')
if logger != None: logger.info(URL)
webbrowser.open(URL, new=1, autoraise=True)
if logger != None: logger.info("Waiting for 60 seconds, then exit")
def check_oxd_ssl_cert(self, oxd_hostname, oxd_port):
oxd_cert = ssl.get_server_certificate((oxd_hostname, oxd_port))
oxd_crt_fn = '/tmp/oxd_{}.crt'.format(str(uuid.uuid4()))
self.writeFile(oxd_crt_fn, oxd_cert)
ssl_subjects = self.get_ssl_subject(oxd_crt_fn)
if ssl_subjects['CN'] != oxd_hostname:
return ssl_subjects
def download_cert(host, port, options, logfile):
"""
Download an SSL certificate and append it to the logfile.
"""
try:
cert = ssl.get_server_certificate((host, port))
append_logs(logfile, options, cert)
except ssl.SSLError:
pass
def ssl_certificate(url):
url = re.search("(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]", url).group(0)
cert = ssl.get_server_certificate((url, 443))
x509 = M2Crypto.X509.load_cert_string(cert)
return x509.get_subject().as_text().replace(',', '<br/>').replace('C=', "Country: ")\
.replace('ST=', "State: ") \
.replace('L=', "Local: ") \
.replace('O=', "Organization: ") \
.replace('CN=', "Certificate Issued To: ")
def query_public_key():
""" """
print("Enter a hostname and port to query a server's public TLS key.")
print("Port 636 is commonly used for secure LDAP.")
print("Port 443 is commonly used for secure HTTP.")
hostname = input("Hostname = ")
port = input("Port = ")
certificate = get_server_certificate((hostname, port))
print(certificate)
def check_ssl(url, port=443):
"""Return True if the URL has an SSL certificate, False if not."""
try:
cert = ssl.get_server_certificate((url, port))
except Exception:
return False
if not cert:
return False
return True
def get_knox_cert():
cert = ssl.get_server_certificate(
("%s" % CONF['KNOX_HOST'], CONF['KNOX_PORT']))
# TODO make it as common module
KNOX_CERT = re.sub(r"\-----B(.+?)\-----\\n", "", cert)
KNOX_CERT = re.sub(r"\-----(.+?)\-----[\n]*", "", KNOX_CERT)
KNOX_CERT = KNOX_CERT.replace("\n", "")
logger.info("Knox Cert returned by Machine.runas command: %s" % KNOX_CERT)
return KNOX_CERT
def execute(self):
try:
logger.debug("Passive hunter is attempting to get server certificate")
addr = (str(self.event.host), self.event.port)
cert = ssl.get_server_certificate(addr)
except ssl.SSLError:
# If the server doesn't offer SSL on this port we won't get a certificate
return
self.examine_certificate(cert)
def fetch_cert(self, cert_file):
"""
Pull certificate from appliance (SSL server) and store in local appliance certificate file in PEM format
:param cert_file: The String path to the cert file
:return: None
"""
ssl_cert = ssl.get_server_certificate(self.appliance_endpoint)
with open(cert_file, 'w') as f:
f.write(ssl_cert)
def _scrape(self):
import ssl
# todo timeouts
url = (self.page.full_url.replace("http://",
"").replace("https://",
"").split("/")[0])
cert = ssl.get_server_certificate((url, 443))
return cert
def get_cert(targetDomain, targetPort):
try:
rawCert = ssl.get_server_certificate((targetDomain, targetPort))
print("[+] Got the certificate...")
return rawCert
except:
print(
"[!] Sorry, error getting certificate from {} on port {}.".format(
targetDomain, targetPort))
