Пример #1
0
    def start(self):
        version = getHighestTLSVersion(self._result)

        vuln = 0  # Not vulnerable
        for version in [0, 1]:
            if isTLSVersionSupport(self._result, version):
                hello = ClientHello()
                hello.ciphersuite = cbc_cipher
                hello.version = version
                hello = addNecessaryExtensionToHelloObject(hello, self._host)
                if tryHandshake(self._host, self._port,
                                hello.createAsHex()) == version:
                    # Vulnerable
                    print(
                        "[BEAST] Vulnerable, handshake success with version %d"
                        % version)
                    vuln = 1

        if getHighestTLSVersion(self._result) <= 1 and vuln == 1:
            vuln = 2  # TLS1.0 is highest protocol

        self._result.addResult('beast', vuln)
        if vuln == 2:
            self._result.addVulnerability('beast')
            for cipherHex in splitCipherHexStringTLS(cbc_cipher):
                for supportedVersion in getSupportedTLSVersion(self._result):
                    if supportedVersion > 1:
                        continue
                    self._result.addVulnerabilityToCipher(
                        cipherHex, versionIntToString(supportedVersion),
                        '<b style="color:orange;">BEAST</b>')
Пример #2
0
 def testTLS(self, cipher, version):
     # Easy
     hello = ClientHello()
     hello.ciphersuite = cipher
     hello.version = version
     return tryHandshake(
         self._host, self._port,
         addNecessaryExtensionToHelloObject(
             hello, self._host).createAsHex()) == version
    def startExport(self):
        vuln = False
        for version in getSupportedTLSVersion(self._result):
            # Try handshake with dh_export cipher
            hello = ClientHello()
            hello.ciphersuite = dh_export
            hello.version = version
            hello = addNecessaryExtensionToHelloObject(hello, self._host)
            if tryHandshake(self._host, self._port,
                            hello.createAsHex()) == version:
                # vulnerable,
                vuln = True
                for cipherHex in splitCipherHexStringTLS(dh_export):
                    self._result.addVulnerabilityToCipher(
                        cipherHex, versionIntToString(version),
                        '<b style="color:red;">LOGJAM</b>')

        self._result.addResult('logjam_export', vuln)
        if vuln:
            self._result.addVulnerability('logjam_export')
Пример #4
0
    def start(self):
        version = getHighestTLSVersion(self._result)
        if version == -1:
            print("[CRIME] No valid TLS version found")
            self._result.addResult('crime_tls', False)
        else:
            print("[CRIME] Testing CRIME (TLS) with TLS version ", version)

            hello = ClientHello()
            hello.compression = '0100'  # DEFLATE & null
            hello.version = version
            hello = addNecessaryExtensionToHelloObject(hello, self._host)
            hellohex = hello.createAsHex()

            serverHello = getServerHelloObject(self._host, self._port,
                                               hellohex)

            self._result.addResult('crime_tls',
                                   serverHello.compressionMethod == '01')
            if self._result.getResult('crime_tls'):
                self._result.addVulnerability('crime_tls')
Пример #5
0
    def start(self):
        version = getHighestTLSVersion(self._result)
        if version == -1:
            print("[LUCKY13] No valid TLS version found")
            self._result.addResult('lucky13', False)
            return
        print("Testing LUCKY13 with TLS version ", version)

        hello1 = ClientHello()
        hello1.ciphersuite = cbc_cipher1
        hello1hex = hello1.createAsHex()

        hello2 = ClientHello()
        hello2.ciphersuite = cbc_cipher2
        hello2hex = hello2.createAsHex()

        self._result.addResult(
            'lucky13',
            tryHandshake(
                self._host, self._port,
                addNecessaryExtensionToHello(
                    modifyHelloVersion(hello1hex, version), self._host)) >= 0
            or tryHandshake(
                self._host, self._port,
                addNecessaryExtensionToHello(
                    modifyHelloVersion(hello2hex, version), self._host)) >= 0)
        if self._result.getResult(
                'lucky13'
        ) and self.scan_accuracy != 'minimise_false_positives':
            self._result.addVulnerability('lucky13')
            # for each cipher
            for cipherHex in splitCipherHexStringTLS(
                    cbc_cipher1) + splitCipherHexStringTLS(cbc_cipher2):
                for supportedVersion in getSupportedTLSVersion(self._result):
                    self._result.addVulnerabilityToCipher(
                        cipherHex, versionIntToString(supportedVersion),
                        '<b style="color:orange;">LUCKY13</b>')
        def testForVersion(version):
            hello = ClientHello()
            hello.ciphersuite = all_dh_ciphers
            hello.version = version
            hello = addNecessaryExtensionToHelloObject(hello, self._host)
            # do full handshake until received key exchange
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(5)
            vuln = False
            try:
                s.connect((self._host, self._port))
                s.sendall(hello.createAsHex().decode('hex'))
                recvBuffer = ''
                while True:
                    rec = s.recv(1024 * 10)
                    if rec == None: break
                    recvBuffer += rec
                    # Check for TLS Record
                    breakConnection = False
                    while len(recvBuffer) >= 5:
                        if ord(recvBuffer[0]) == 0x15:
                            # Alert ...
                            #print("[LOGJAM] Received some ALERT")
                            breakConnection = True
                        elif ord(recvBuffer[0]) == 0x16:
                            # Handshake message
                            recvVersion = ord(recvBuffer[2])
                            messageLen = ord(recvBuffer[3]) * 256 + ord(
                                recvBuffer[4])
                            # Check if enough message to consume
                            #print("[LOGJAM] Buffer %d, Expected message length %d" % (len(recvBuffer),messageLen))
                            if len(recvBuffer) >= 5 + messageLen:
                                # consume !
                                #print("[LOGJAM] Consuming handshake message")
                                recordHeader, messageBuffer, recvBuffer = recvBuffer[
                                    0:5], recvBuffer[5:5 +
                                                     messageLen], recvBuffer[
                                                         5 + messageLen:]
                                while len(messageBuffer) >= 6:
                                    #print("[LOGJAM] Message Buffer %d" % len(messageBuffer))
                                    msgLen = int(
                                        messageBuffer[1:4].encode('hex'),
                                        16) + 4  # ([P][LEN]<msgLen>)
                                    #print("[LOGJAM] Message length %d" % msgLen)
                                    handshakeMessage, messageBuffer = messageBuffer[
                                        0:msgLen], messageBuffer[msgLen:]
                                    # Check protocol
                                    if ord(handshakeMessage[0]) == 0x0c:
                                        print("[LOGJAM] Received KeyExchange")
                                        # Key exchange protocol
                                        msgLen = int(
                                            handshakeMessage[1:4].encode(
                                                'hex'), 16)
                                        pLen = int(
                                            handshakeMessage[4:6].encode(
                                                'hex'), 16)
                                        p = handshakeMessage[6:6 +
                                                             pLen].encode(
                                                                 'hex')

                                        print("prime : %s" % p)
                                        # Check with common prime list
                                        if p in self.commonPrime:
                                            print(
                                                "[LOGJAM] Found common prime : %s (%d-bit)"
                                                % (self.commonPrime[p],
                                                   len(p) * 4))
                                            if len(p) * 4 <= 1024:
                                                vuln = True

                                        else:
                                            print(
                                                "[LOGJAM] Common prime not found"
                                            )
                                        breakConnection = True
                                    elif ord(handshakeMessage[0]) == 0x0e:
                                        print(
                                            "[LOGJAM] Received ServerHelloDone"
                                        )
                                        breakConnection = True
                                    elif ord(handshakeMessage[0]) == 0x0b:
                                        print("[LOGJAM] Received Certificate")
                                        pass
                                    elif ord(handshakeMessage[0]) == 0x02:
                                        pass
                                        print("[LOGJAM] Received ServerHello")
                                    else:
                                        print("[LOGJAM] Received protocol %d" %
                                              ord(handshakeMessage[0]))
                            else:
                                # Need more data
                                break
                        else:
                            print("[LOGJAM] Received unknown record %d " %
                                  ord(recvBuffer[0]))
                            breakConnection = True
                        if breakConnection: break
                    if breakConnection: break
            except socket.timeout as e:
                print("[LOGJAM] Socket timeout")
            except socket.error as e:
                print("[LOGJAM] Socket error")
            except BaseException as e:
                print("[LOGJAM] Error:", e)
            finally:
                s.close()
            return vuln