FilesExpand file tree

 master

/

ssl-enum.c

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

237 lines (212 loc) · 7.47 KB

 master

/

ssl-enum.c

Top

File metadata and controls

• Code
• Blame

237 lines (212 loc) · 7.47 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

/*

* SSL Enumerator (ssl-enum) is Copyright (C) 2009-2014 David Kierznowski

* (https://github.com/davidkierznowski/ssl-enum).

*

* This program is free software; you can redistribute it and/or

* modify it under the terms of the GNU General Public License

* as published by the Free Software Foundation; either version 2

* of the License, or (at your option) any later version.

*

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

*

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

*

* You must obey the GNU General Public License in all respects

* for all of the code used other than OpenSSL. If you modify

* file(s) with this exception, you may extend this exception to your

* version of the file(s), but you are not obligated to do so. If you

* do not wish to do so, delete this exception statement from your

* version.

*

*/

#include "ssl-enum.h"

int

main ( int argc, char *argv[] )

{

int sock;

char *servIP;

unsigned short sslPort=0;

struct sockaddr_in sa;

struct hostent *h;

char *pkt_in;

int totalBytesRcvd;

int struct_len;

char *cipher;

char *cipherfile;

int default_file=0;

unsigned char *finished_hello;

int opt;

int opterr=0;

int verbose=0;

int cipher_arg=0;

int kflag=0;

FILE *fp;

char fbuf[MAXLINE];

char *cipherlist[3];

while ( ( opt=getopt ( argc,argv, "s:p:c:v:f:k" ) ) != -1 )

{

switch ( opt )

{

case 's':

servIP = optarg;

opterr++;

break;

case 'p':

sslPort = atoi ( optarg );

break;

case 'f':

cipherfile = optarg;

default_file = 1;

break;

case 'c':

cipher = optarg;

cipher_arg = 1;

break;

case 'v':

verbose = atoi ( optarg );

break;

case 'k':

kflag=1;

break;

default:

break;

}

}

if ( opterr < 1 )

DieWithError ( "usage: ./ssl-enum -s hostname/ip (opt: -p 8443 -f otherciphers,-v1,-v2,-k)" );

if ( !sslPort )

sslPort = 443;

/*

Access cipher list or die

*/

if ( !default_file )

cipherfile = "weak-ciphers.txt";

if ( ( fp=fopen ( cipherfile, "r" ) ) == NULL )

DieWithError ( "fopen() failed" );

printf("ssl-enum started: target %s, port %d, cipher file %s\n\n", servIP, sslPort, cipherfile);

/*

Loop around ciphers and test each one

*/

/*

call socket

*/

if ( ( h=gethostbyname ( servIP ) ) ==NULL )

DieWithError ( "gethostbyname() failed" );

while ( fgets ( fbuf, MAXLINE, fp ) != 0 )

{

if ( ( sock = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP ) ) < 0 )

DieWithError ( "socket() failed" );

/* Construct the server address structure */

bzero ( ( char * ) &sa, sizeof ( sa ) ); /* Zero out structure */

sa.sin_family=AF_INET; /* Internet address family */

bcopy ( ( char * ) h->h_addr, ( char * ) &sa.sin_addr.s_addr,h->h_length );

//s->sin_addr.s_addr = inet_addr(servIP); /* Server IP address */

sa.sin_port=htons ( sslPort ); /* Server port */

//sock=new_socket(&sa, &h, sslPort);

/*

Skip blank lines and comments

*/

if ( fbuf[0] == '#' || fbuf[0] == '\n' || fbuf[0] == '\r' )

continue;

/*

Tokenise cipherlist file

*/

if ( ( cipherlist[0]=strtok ( fbuf, "\t" ) ) == NULL ) /* Hex value */

DieWithError ( "strtok() failed: invalid cipherlist format in file" );

if ( ( cipherlist[1]=strtok ( NULL, "\t" ) ) == NULL ) /* Description */

DieWithError ( "strtok() failed: invalid cipherlist format in file" );

if ( ( cipherlist[2]=strtok ( NULL, "\t" ) ) == NULL ) /* Export */

DieWithError ( "strtok() failed: invalid cipherlist format in file" );

/*

We initialise our client_hello struct

and build the byte stream ready to send.

*/

/*

Decimal value for 1 in TLS1 is 49 (man ascii)

We use this for comparison as it saves us having

to use string compare functions.

*/

if ( ( int ) cipherlist[1][3] == 50 )

{

struct ssl2_client_hello ppkt_out;

struct_len = sizeof ( struct ssl2_client_hello );

finished_hello=build_ssl2_hello_msg ( &ppkt_out, cipher_arg, cipherlist[0], cipherlist[1] );

}

else

{

struct tls1_ssl3_client_hello ppkt_out;

struct_len = sizeof ( struct tls1_ssl3_client_hello );

finished_hello=build_hello_msg ( &ppkt_out, cipher_arg, cipherlist[0], cipherlist[1] );

}

/*

Display our client hello request if

verbose is on

*/

if ( verbose>2 )

make_ssl_debug ( finished_hello, "Sent", struct_len );

/*

call connect

*/

if ( connect ( sock, ( struct sockaddr * ) &sa,sizeof ( sa ) ) < 0 )

DieWithError ( "ERROR connecting" );

//new_connect(&sa, sock);

/*

call send

*/

new_write ( sock, finished_hello, struct_len );

/*

call recv

*/

struct getBytes gb;

new_read ( sock, &gb, struct_len );

/*

retreive recv data

*/

totalBytesRcvd=gb.totalBytesRcvd;

pkt_in=malloc ( totalBytesRcvd );

memset ( pkt_in, 0, totalBytesRcvd );

pkt_in=gb.recv_data;

/*

Display received data in hex

for debugging

*/

if ( verbose>2 )

make_ssl_debug ( ( unsigned char* ) pkt_in, "Recv", totalBytesRcvd );

/*

Check for server hello OR

Check for SSL Error

Some SSL/TLS services don't respond with errors so we assume its

an UNSUPPORTED cipher.

To complicate matters, some Apache web servers respond with an ASCII

error text message so we can't check if we are really talking to an

SSL/TLS service.

So we'll use a cautious flag. If the flag is set, we'll stop scanning,

however, the default will be to scan all ciphers in file.

todo: might want to make this a bit smarter

*/

if ( pkt_in[0] == SSLHANDSHAKE ||

pkt_in[10] == SSL2_SERVERHELLOBYTE )

process_ssl_hello ( pkt_in, cipherlist[0], cipherlist[1], cipherlist[2], verbose );

else if ( pkt_in[0] == SSLALERT && totalBytesRcvd == 7 )

process_ssl_alert ( pkt_in, cipherlist[0], cipherlist[1], cipherlist[2], verbose );

else if ( kflag == 1 )

DieWithError ( "-k flag set: recv SSL/TLS data not recognised, stopping scan.\n" );

/*

Clean up - more work here.

*/

free ( finished_hello );

/* todo: having trouble free'ing, so we null it instead */

memset ( gb.recv_data, 0, totalBytesRcvd );

/*

Close file pointer

*/

close (sock);

}

fclose (fp);

return 0;

}