Advertisement
keeganjacobson

winshock_test.sh

Aug 24th, 2015
232
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.96 KB | None | 0 0
  1. #!/bin/bash
  2. #
  3. # winshock_test.sh
  4. #
  5. # This script tries to determine whether the target system has the
  6. # winshock (MS14-066) patches applied or not.
  7. # This is done by checking if the SSL ciphers introduced by MS14-066 are
  8. # available on the system.
  9. #
  10. #
  11. # Authors:
  12. # Stephan Peijnik <speijnik@anexia-it.com>
  13. #
  14. # The MIT License (MIT)
  15. #
  16. # Copyright (c) 2014 ANEXIA Internetdienstleistungs GmbH
  17. #
  18. # Permission is hereby granted, free of charge, to any person obtaining a copy
  19. # of this software and associated documentation files (the "Software"), to deal
  20. # in the Software without restriction, including without limitation the rights
  21. # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  22. # copies of the Software, and to permit persons to whom the Software is
  23. # furnished to do so, subject to the following conditions:
  24. #
  25. # The above copyright notice and this permission notice shall be included in all
  26. # copies or substantial portions of the Software.
  27. #
  28. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  29. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  30. # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  31. # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  32. # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  33. # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  34. # SOFTWARE.
  35.  
  36. VERSION=0.2.1
  37. HOST=$1
  38. PORT=${2:-443}
  39.  
  40. if [ -z "$HOST" -o -z "$PORT" ]
  41. then
  42. echo "Usage: $0 host [port]"
  43. echo "port defaults to 443."
  44. exit 1
  45. fi
  46.  
  47. echo "Checking if script is up-to-date..."
  48. REMOTE_VERSION=$(curl -k https://raw.githubusercontent.com/anexia-it/winshock-test/master/winshock_test.sh 2>/dev/null | grep '^VERSION=' | sed -e 's/^VERSION=//g')
  49.  
  50. if [[ "$REMOTE_VERSION" != "$VERSION" ]]
  51. then
  52. echo -e "\033[91mYou are running an outdated version of this script."
  53. echo "The most recent version is $REMOTE_VERSION."
  54. echo -e "It is highly recommended to update your script first.\033[0m"
  55. read -p "Do you want to continue? (y/N) " -n 1 -r
  56. if [[ ! "$REPLY" =~ ^[Yy]$ ]]
  57. then
  58. exit 2
  59. fi
  60. else
  61. echo "Script is up-to-date."
  62. fi
  63.  
  64. echo -e "\n\033[91m"
  65. cat <<IMP
  66. *** IMPORTANT ***
  67. This script is intended to give you a hint on whether the MS14-66 patches
  68. have been installed or not.
  69.  
  70. Please do NOT rely on the results this script is giving, as the correctness
  71. of the results can be impacted by manual modifications of cipher suites
  72. with tools like IIS Crypto or load balancers or SSL-offloaders between
  73. you and the target host.
  74.  
  75. Also, this script is unreliable if the target system is running
  76. Windows Server 2012 R2, as the ciphers this script is testing for were present
  77. on Windows Server 2012 R2 without the MS14-066 updates as well.
  78. If the checks are executed against IIS the result for Windows Server 2012 R2
  79. will be presented as "UNKNOWN".
  80. IMP
  81.  
  82. echo -e "\033[93m"
  83.  
  84. cat <<WARN
  85. *** WARNING ***
  86. A negative result presented by this script does NOT mean that you do not
  87. have to install the MS14-66 patches on the target system.
  88. Make sure to update all your Windows installations, regardless of the
  89. results this script gives you.
  90.  
  91. WARN
  92.  
  93. echo -e "\033[0m"
  94. read -p "I have read and understood the messages above. (y/N) " -n 1 -r
  95. if [[ ! "$REPLY" =~ ^[yY]$ ]]
  96. then
  97. echo -e "\n\033[91mAborting. Please re-run and confirm that you have read and understood the messages above.\033[0m"
  98. exit 4
  99. fi
  100. echo ""
  101.  
  102. # According to https://technet.microsoft.com/library/security/ms14-066 the
  103. # following ciphers were added with the patch:
  104. # * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  105. # * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  106. # * TLS_RSA_WITH_AES_256_GCM_SHA384
  107. # * TLS_RSA_WITH_AES_128_GCM_SHA256
  108. #
  109. # The OpenSSL cipher names for these ciphers are:
  110. MS14_066_CIPHERS="DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-GCM-SHA256"
  111. # Ciphers supported by Windows Server 2012R2
  112. WINDOWS_SERVER_2012R2_CIPHERS="ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA"
  113.  
  114. # Test if OpenSSL does support the ciphers we're checking for...
  115. echo -n "Testing if OpenSSL supports the ciphers we are checking for: "
  116. openssl_ciphers=$(openssl ciphers)
  117.  
  118. for c in $MS14_066_CIPHERS
  119. do
  120. if ! echo $openssl_ciphers | grep -q $c 2>&1 >/dev/null
  121. then
  122. echo -e "\033[91mNO (OpenSSL does not support $c cipher.)\033[0m"
  123. echo -e "\033[91mAborting."
  124. exit 5
  125. fi
  126. done
  127.  
  128. echo -e "\033[92mYES\033[0m"
  129.  
  130. SERVER=$HOST:$PORT
  131.  
  132. echo -e "\n\033[94mTesting ${SERVER} for availability of SSL ciphers added in MS14-066...\033[0m"
  133.  
  134. patched="no"
  135. for cipher in ${MS14_066_CIPHERS}
  136. do
  137. echo -en "Testing cipher ${cipher}: "
  138. result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
  139. if [[ "$result" =~ "connect:errno=" ]]
  140. then
  141. err=$(echo $result | grep ^connect: \
  142. | sed -e 's/connect:errno=.*//g' -e 's/connect: //g')
  143. echo -e "\033[93mConnection error: $err"
  144. echo -e "Aborting checks.\033[0m"
  145. exit 1
  146. elif [[ "$result" =~ "SSL23_GET_SERVER_HELLO:unknown protocol" ]]
  147. then
  148. echo -e "\033[93mNo SSL/TLS support on target port."
  149. echo -e "Aborting checks.\033[0m"
  150. exit 1
  151. elif [[ "$result" =~ "SSL_CTX_set_cipher_list:no cipher match" ]]
  152. then
  153. echo -e "\033[93mYour version of OpenSSL is not supported."
  154. echo -e "Aborting checks.\033[39m"
  155. exit 1
  156. elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher : ${cipher}" ]]
  157. then
  158. echo -e "\033[92mSUPPORTED\033[0m"
  159. if [[ "$patched" == "no" ]]
  160. then
  161. patched="yes"
  162. fi
  163. else
  164. echo -e "\033[91mUNSUPPORTED\033[0m"
  165. fi
  166. done
  167.  
  168. windows_server_2012_or_later="no"
  169. windows_server_2012_r2="no"
  170. iis_detected="no"
  171. # added by @stoep: check whether a 443 port runs IIS
  172. if [[ "$PORT" == "443" ]]
  173. then
  174. iis=$(curl -k -I https://$SERVER 2> /dev/null | grep "Server" )
  175. echo -n "Testing if IIS is running on port 443: "
  176. if [[ $iis == *Microsoft-IIS* ]]
  177. then
  178. iis_version=$(echo $iis | sed -e 's|Server: Microsoft-IIS/||g')
  179. iis_detected="yes"
  180. echo -e "\033[92mYES - Version ${iis_version}\033[0m"
  181. if [[ $iis_version == *8.5* ]]
  182. then
  183. echo -e "\033[91mWindows Server 2012 R2 detected. Results of this script will be inconclusive.\033[0m"
  184. windows_server_2012_or_later="yes"
  185. windows_server_2012_r2="yes"
  186. elif [[ $iis_version == *8.0* ]]
  187. then
  188. windows_server_2012_or_later="yes"
  189. windows_server_2012_r2="no"
  190. fi
  191. else
  192. echo -e "\033[91mNO\033[0m"
  193. fi
  194. fi
  195.  
  196. # Check if Windows Server 2012 or later is running on the remote system...
  197. if [[ "$windows_server_2012_or_later" == "no" && "$iis_detected" == "no" ]]
  198. then
  199. echo -e "\033[94mChecking if target system is running Windows Server 2012 or later...\033[0m"
  200. for cipher in ${WINDOWS_SERVER_2012R2_CIPHERS}
  201. do
  202. echo -en "Testing cipher ${cipher}: "
  203. result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
  204. if [[ "$result" =~ "connect:errno=" ]]
  205. then
  206. err=$(echo $result | grep ^connect: \
  207. | sed -e 's/connect:errno=.*//g' -e 's/connect: //g')
  208. echo -e "\033[93mConnection error: $err"
  209. echo -e "Aborting checks.\033[0m"
  210. exit 1
  211. elif [[ "$result" =~ "SSL23_GET_SERVER_HELLO:unknown protocol" ]]
  212. then
  213. echo -e "\033[93mNo SSL/TLS support on target port."
  214. echo -e "Aborting checks.\033[0m"
  215. exit 1
  216. elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher : ${cipher}" ]]
  217. then
  218. echo -e "\033[92mSUPPORTED\033[0m"
  219. if [[ "$windows_server_2012_or_later" == "no" ]]
  220. then
  221. windows_server_2012_or_later="yes"
  222. break
  223. fi
  224. else
  225. echo -e "\033[91mUNSUPPORTED\033[0m"
  226. fi
  227. done
  228. fi
  229.  
  230. if [[ "$patched" == "yes" && "$windows_server_2012_or_later" == "no" ]]
  231. then
  232. patched="\033[92mYES\033[0m"
  233. elif [[ "$patched" == "yes" ]]
  234. then
  235. patched="\033[93mUNKNOWN"
  236. if [[ "$windows_server_2012_r2" == "yes" ]]
  237. then
  238. patched="$patched: Windows Server 2012 R2 detected."
  239. else
  240. patched="$patched: Windows Server 2012 or later detected."
  241. fi
  242. else
  243. patched="\033[91mNO\033[0m"
  244. fi
  245.  
  246. echo -e "\033[94m$SERVER is patched: $patched\033[0m"
  247. echo -e "\n\033[93m"
  248. cat <<EOF
  249. *** IMPORTANT ***
  250.  
  251. Please keep in mind that the patch-status reported above is only a hint and
  252. may generate both false-positive and false-negative results in some cases.
  253.  
  254. If Windows Server 2012 R2 is reported above results WIIL BE incorrect.
  255. If Windows Server 2012 or later is reported above results MAY BE incorrect,
  256. please test again against IIS running on port 443.
  257.  
  258. The information above may be incorrect if:
  259.  
  260. * the available SSL ciphers have been modified manually
  261. * you are not directly connecting to the target system
  262. * the target system is running Windows Server 2012 R2
  263.  
  264. Please do apply the MS14-066 patches to all your systems regardless
  265. of the results presented above!
  266.  
  267. EOF
  268. echo -en "\033[0m"
  269. exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement