winshock_test.sh

1. #!/bin/bash
2. #
3. # winshock_test.sh
4. #
5. # This script tries to determine whether the target system has the
6. # winshock (MS14-066) patches applied or not.
7. # This is done by checking if the SSL ciphers introduced by MS14-066 are
8. # available on the system.
9. #
10. #
11. # Authors:
12. # Stephan Peijnik <speijnik@anexia-it.com>
13. #
14. # The MIT License (MIT)
15. #
16. # Copyright (c) 2014 ANEXIA Internetdienstleistungs GmbH
17. #
18. # Permission is hereby granted, free of charge, to any person obtaining a copy
19. # of this software and associated documentation files (the "Software"), to deal
20. # in the Software without restriction, including without limitation the rights
21. # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
22. # copies of the Software, and to permit persons to whom the Software is
23. # furnished to do so, subject to the following conditions:
24. #
25. # The above copyright notice and this permission notice shall be included in all
26. # copies or substantial portions of the Software.
27. #
28. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
29. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
30. # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
31. # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
32. # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
33. # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
34. # SOFTWARE.
35.  
36. VERSION=0.2.1
37. HOST=$1
38. PORT=${2:-443}
39.  
40. if [ -z "$HOST" -o -z "$PORT" ]
41. then
42. echo "Usage: $0 host [port]"
43. echo "port defaults to 443."
44. exit 1
45. fi
46.  
47. echo "Checking if script is up-to-date..."
48. REMOTE_VERSION=$(curl -k https://raw.githubusercontent.com/anexia-it/winshock-test/master/winshock_test.sh 2>/dev/null | grep '^VERSION=' | sed -e 's/^VERSION=//g')
49.  
50. if [[ "$REMOTE_VERSION" != "$VERSION" ]]
51. then
52. echo -e "\033[91mYou are running an outdated version of this script."
53. echo "The most recent version is $REMOTE_VERSION."
54. echo -e "It is highly recommended to update your script first.\033[0m"
55. read -p "Do you want to continue? (y/N) " -n 1 -r
56. if [[ ! "$REPLY" =~ ^[Yy]$ ]]
57. then
58. exit 2
59. fi
60. else
61. echo "Script is up-to-date."
62. fi
63.  
64. echo -e "\n\033[91m"
65. cat <<IMP
66. *** IMPORTANT ***
67. This script is intended to give you a hint on whether the MS14-66 patches
68. have been installed or not.
69.  
70. Please do NOT rely on the results this script is giving, as the correctness
71. of the results can be impacted by manual modifications of cipher suites
72. with tools like IIS Crypto or load balancers or SSL-offloaders between
73. you and the target host.
74.  
75. Also, this script is unreliable if the target system is running
76. Windows Server 2012 R2, as the ciphers this script is testing for were present
77. on Windows Server 2012 R2 without the MS14-066 updates as well.
78. If the checks are executed against IIS the result for Windows Server 2012 R2
79. will be presented as "UNKNOWN".
80. IMP
81.  
82. echo -e "\033[93m"
83.  
84. cat <<WARN
85. *** WARNING ***
86. A negative result presented by this script does NOT mean that you do not
87. have to install the MS14-66 patches on the target system.
88. Make sure to update all your Windows installations, regardless of the
89. results this script gives you.
90.  
91. WARN
92.  
93. echo -e "\033[0m"
94. read -p "I have read and understood the messages above. (y/N) " -n 1 -r
95. if [[ ! "$REPLY" =~ ^[yY]$ ]]
96. then
97. echo -e "\n\033[91mAborting. Please re-run and confirm that you have read and understood the messages above.\033[0m"
98. exit 4
99. fi
100. echo ""
101.  
102. # According to https://technet.microsoft.com/library/security/ms14-066 the
103. # following ciphers were added with the patch:
104. # * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
105. # * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
106. # * TLS_RSA_WITH_AES_256_GCM_SHA384
107. # * TLS_RSA_WITH_AES_128_GCM_SHA256
108. #
109. # The OpenSSL cipher names for these ciphers are:
110. MS14_066_CIPHERS="DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-GCM-SHA256"
111. # Ciphers supported by Windows Server 2012R2
112. WINDOWS_SERVER_2012R2_CIPHERS="ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA"
113.  
114. # Test if OpenSSL does support the ciphers we're checking for...
115. echo -n "Testing if OpenSSL supports the ciphers we are checking for: "
116. openssl_ciphers=$(openssl ciphers)
117.  
118. for c in $MS14_066_CIPHERS
119. do
120. if ! echo $openssl_ciphers | grep -q $c 2>&1 >/dev/null
121. then
122. echo -e "\033[91mNO (OpenSSL does not support $c cipher.)\033[0m"
123. echo -e "\033[91mAborting."
124. exit 5
125. fi
126. done
127.  
128. echo -e "\033[92mYES\033[0m"
129.  
130. SERVER=$HOST:$PORT
131.  
132. echo -e "\n\033[94mTesting ${SERVER} for availability of SSL ciphers added in MS14-066...\033[0m"
133.  
134. patched="no"
135. for cipher in ${MS14_066_CIPHERS}
136. do
137. echo -en "Testing cipher ${cipher}: "
138. result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
139. if [[ "$result" =~ "connect:errno=" ]]
140. then
141. err=$(echo $result | grep ^connect: \
142. | sed -e 's/connect:errno=.*//g' -e 's/connect: //g')
143. echo -e "\033[93mConnection error: $err"
144. echo -e "Aborting checks.\033[0m"
145. exit 1
146. elif [[ "$result" =~ "SSL23_GET_SERVER_HELLO:unknown protocol" ]]
147. then
148. echo -e "\033[93mNo SSL/TLS support on target port."
149. echo -e "Aborting checks.\033[0m"
150. exit 1
151. elif [[ "$result" =~ "SSL_CTX_set_cipher_list:no cipher match" ]]
152. then
153. echo -e "\033[93mYour version of OpenSSL is not supported."
154. echo -e "Aborting checks.\033[39m"
155. exit 1
156. elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher : ${cipher}" ]]
157. then
158. echo -e "\033[92mSUPPORTED\033[0m"
159. if [[ "$patched" == "no" ]]
160. then
161. patched="yes"
162. fi
163. else
164. echo -e "\033[91mUNSUPPORTED\033[0m"
165. fi
166. done
167.  
168. windows_server_2012_or_later="no"
169. windows_server_2012_r2="no"
170. iis_detected="no"
171. # added by @stoep: check whether a 443 port runs IIS
172. if [[ "$PORT" == "443" ]]
173. then
174. iis=$(curl -k -I https://$SERVER 2> /dev/null | grep "Server" )
175. echo -n "Testing if IIS is running on port 443: "
176. if [[ $iis == *Microsoft-IIS* ]]
177. then
178. iis_version=$(echo $iis | sed -e 's|Server: Microsoft-IIS/||g')
179. iis_detected="yes"
180. echo -e "\033[92mYES - Version ${iis_version}\033[0m"
181. if [[ $iis_version == *8.5* ]]
182. then
183. echo -e "\033[91mWindows Server 2012 R2 detected. Results of this script will be inconclusive.\033[0m"
184. windows_server_2012_or_later="yes"
185. windows_server_2012_r2="yes"
186. elif [[ $iis_version == *8.0* ]]
187. then
188. windows_server_2012_or_later="yes"
189. windows_server_2012_r2="no"
190. fi
191. else
192. echo -e "\033[91mNO\033[0m"
193. fi
194. fi
195.  
196. # Check if Windows Server 2012 or later is running on the remote system...
197. if [[ "$windows_server_2012_or_later" == "no" && "$iis_detected" == "no" ]]
198. then
199. echo -e "\033[94mChecking if target system is running Windows Server 2012 or later...\033[0m"
200. for cipher in ${WINDOWS_SERVER_2012R2_CIPHERS}
201. do
202. echo -en "Testing cipher ${cipher}: "
203. result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
204. if [[ "$result" =~ "connect:errno=" ]]
205. then
206. err=$(echo $result | grep ^connect: \
207. | sed -e 's/connect:errno=.*//g' -e 's/connect: //g')
208. echo -e "\033[93mConnection error: $err"
209. echo -e "Aborting checks.\033[0m"
210. exit 1
211. elif [[ "$result" =~ "SSL23_GET_SERVER_HELLO:unknown protocol" ]]
212. then
213. echo -e "\033[93mNo SSL/TLS support on target port."
214. echo -e "Aborting checks.\033[0m"
215. exit 1
216. elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher : ${cipher}" ]]
217. then
218. echo -e "\033[92mSUPPORTED\033[0m"
219. if [[ "$windows_server_2012_or_later" == "no" ]]
220. then
221. windows_server_2012_or_later="yes"
222. break
223. fi
224. else
225. echo -e "\033[91mUNSUPPORTED\033[0m"
226. fi
227. done
228. fi
229.  
230. if [[ "$patched" == "yes" && "$windows_server_2012_or_later" == "no" ]]
231. then
232. patched="\033[92mYES\033[0m"
233. elif [[ "$patched" == "yes" ]]
234. then
235. patched="\033[93mUNKNOWN"
236. if [[ "$windows_server_2012_r2" == "yes" ]]
237. then
238. patched="$patched: Windows Server 2012 R2 detected."
239. else
240. patched="$patched: Windows Server 2012 or later detected."
241. fi
242. else
243. patched="\033[91mNO\033[0m"
244. fi
245.  
246. echo -e "\033[94m$SERVER is patched: $patched\033[0m"
247. echo -e "\n\033[93m"
248. cat <<EOF
249. *** IMPORTANT ***
250.  
251. Please keep in mind that the patch-status reported above is only a hint and
252. may generate both false-positive and false-negative results in some cases.
253.  
254. If Windows Server 2012 R2 is reported above results WIIL BE incorrect.
255. If Windows Server 2012 or later is reported above results MAY BE incorrect,
256. please test again against IIS running on port 443.
257.  
258. The information above may be incorrect if:
259.  
260. * the available SSL ciphers have been modified manually
261. * you are not directly connecting to the target system
262. * the target system is running Windows Server 2012 R2
263.  
264. Please do apply the MS14-066 patches to all your systems regardless
265. of the results presented above!
266.  
267. EOF
268. echo -en "\033[0m"
269. exit 0