Advertisement
opexxx

cipherTest.sh

Jul 10th, 2014
382
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 6.28 KB | None | 0 0
  1. #!/usr/bin/env bash
  2.  
  3. control_c() {
  4. [ -t 1 ] && echo "\r\e[K"
  5. exit 1
  6. }
  7.  
  8. trap control_c SIGINT
  9.  
  10. if [ "z$1" = "z" -o "z$2" = "z" ]
  11. then
  12. echo "Usage: $0 <hostname> <port>" >&2
  13. echo " Behavior is undefined if hostname is invalid or not listening on the port." >&2
  14. echo " Credits: Patrick Bogen <pbogen@twitter.com>" >&2
  15. exit 2
  16. fi
  17.  
  18. HOST=$1
  19. if echo $HOST | grep -qE '^([0-9]+\.){3}[0-9]+$'
  20. then
  21. IP=$1
  22. else
  23. IP=`host $HOST | awk '/^[[:alnum:].-]+ has address/ { print $4 }'`
  24. fi
  25. PORT=$2
  26.  
  27. declare -a CIPHERS
  28. declare -a PROTOS
  29. declare -a MACS
  30. declare -a KX
  31. declare -a v2_ciphers
  32.  
  33. request='HEAD / HTTP/1.1\r\nHost: '"$HOST"'\r\nConnection: close\r\n\r\n'
  34.  
  35. CIPHERS=(`gnutls-cli -l | grep Ciphers: | cut -d' ' -f2- | tr -d ','`)
  36. PROTOS=(`gnutls-cli -l | grep Protocols: | cut -d' ' -f2- | tr -d ',' | sed 's/VERS-//'`)
  37. MACS=(`gnutls-cli -l | grep MACs: | cut -d' ' -f2- | tr -d ','`)
  38. KX=(`gnutls-cli -l | grep "^Key exchange algorithms" | cut -d' ' -f 4- | tr -d ','`)
  39. if openssl ciphers -ssl2 > /dev/null 2>&1
  40. then
  41. v2_ciphers=(`openssl ciphers -ssl2 | tr ':' ' '`)
  42. else
  43. echo "$0: your version of openssl does not appear to support sslv2" >&2
  44. echo "$0: SSLv2 testing disabled!"
  45. fi
  46.  
  47. result=""
  48. for i in ${PROTOS[@]}; do [ -z "$result" ] && result="+VERS-$i" || result="$result:+VERS-$i"; done
  49. all_protos=$result
  50.  
  51. result=""
  52. for i in ${CIPHERS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
  53. all_ciphers=$result
  54.  
  55. result=""
  56. for i in ${MACS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
  57. all_macs=$result
  58.  
  59. result=""
  60. for i in ${KX[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
  61. all_kx=$result
  62.  
  63. cur=0
  64. total=$(( ${#CIPHERS[@]} + ${#PROTOS[@]} + ${#MACS[@]} + ${#KX[@]} ))
  65.  
  66. # Test each protocol promiscuously and remove any that will never work
  67. result=""
  68. for tgt in ${PROTOS[@]}
  69. do
  70. cur=$(( $cur + 1 ))
  71. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
  72. if echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$tgt:$all_kx:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
  73. then
  74. [ -z "$result" ] && result="$tgt" || result="$result $tgt"
  75. fi
  76. done
  77. PROTOS=( $result )
  78. result=""
  79. for i in ${PROTOS[@]}; do [ -z "$result" ] && result="+VERS-$i" || result="$result:+VERS-$i"; done
  80. all_protos=$result
  81.  
  82. # Test each cipher promiscuously and remove any that will never work
  83. result=""
  84. for cipher in ${CIPHERS[@]}
  85. do
  86. cur=$(( $cur + 1 ))
  87. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
  88. if echo -ne $request | gnutls-cli --insecure --priority NONE:$all_protos:$all_kx:$all_macs:+COMP-NULL:+$cipher -p $PORT $IP > /dev/null 2>&1
  89. then
  90. [ -z "$result" ] && result="$cipher" || result="$result $cipher"
  91. fi
  92. done
  93. CIPHERS=( $result )
  94. result=""
  95. for i in ${CIPHERS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
  96. all_ciphers=$result
  97.  
  98. # Test each MAC promiscuously and remove any that will never work
  99. result=""
  100. for tgt in ${MACS[@]}
  101. do
  102. cur=$(( $cur + 1 ))
  103. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
  104. if echo -ne $request | gnutls-cli --insecure --priority NONE:$all_protos:$all_kx:+$tgt:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
  105. then
  106. [ -z "$result" ] && result="$tgt" || result="$result $tgt"
  107. fi
  108. done
  109. MACS=( $result )
  110. result=""
  111. for i in ${MACS[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
  112. all_macs=$result
  113.  
  114. # Test each KX promiscuously and remove any that will never work
  115. result=""
  116. for tgt in ${KX[@]}
  117. do
  118. cur=$(( $cur + 1 ))
  119. [ -t 1 ] && echo -en "\r\e[KOptimizing... ($cur/$total)"
  120. if echo -ne $request | gnutls-cli --insecure --priority NONE:$all_protos:+$tgt:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
  121. then
  122. [ -z "$result" ] && result="$tgt" || result="$result $tgt"
  123. fi
  124. done
  125. KX=( $result )
  126. result=""
  127. for i in ${KX[@]}; do [ -z "$result" ] && result="+$i" || result="$result:+$i"; done
  128. all_kx=$result
  129.  
  130. total=$(( ${#PROTOS[@]} * ${#KX[@]} * ${#CIPHERS[@]} * ${#MACS[@]} + ${#v2_ciphers[@]} ))
  131. i=0
  132.  
  133. [ -t 1 ] && echo -en '\r\e[K'
  134. printf '%-7s %-17s %-10s %-11s\n' "Proto" "Cipher" "MAC" "KeX"
  135. echo "------------------------------------------------"
  136. for v2_cipher in ${v2_ciphers[@]}
  137. do
  138. i=$(( $i + 1 ))
  139. OK=0
  140. _mac=`openssl ciphers -v -ssl2 | grep ^$v2_cipher | grep -Eo 'Mac=[^ ]+' | cut -d'=' -f2`
  141. _kx=`openssl ciphers -v -ssl2 | grep ^$v2_cipher | grep -Eo 'Kx=[^( ]+' | cut -d'=' -f2`
  142. [ -t 1 ] && printf '\r\e[K%-7s %-17s %-10s %-11s (%d / %d)' "SSL2.0" $v2_cipher $_mac $_kx $i $total
  143. echo -ne $request | openssl s_client -quiet -connect $HOST:$PORT -ssl2 -cipher $v2_cipher 2>&1 | grep -q 'ssl handshake failure\|write:errno=104' || OK=1
  144. if [ $OK -eq 1 ]
  145. then
  146. [ -t 1 ] && echo -en '\r\e[K'
  147. printf '%-7s %-17s %-10s %-11s\n' "SSL2.0" $v2_cipher $_mac $_kx
  148. # openssl ciphers -v -ssl2 | grep ^$i || echo "No match for $i"
  149. fi
  150. done
  151.  
  152. for proto in ${PROTOS[@]}
  153. do
  154. [ -t 1 ] && printf '\r\e[K%-7s %-17s %-10s %-11s (%d / %d)' $proto "" "" "" $i $total
  155. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:$all_kx:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
  156. [ $? -eq 0 ] || { i=$(( $i + ${#KX[@]} * ${#CIPHERS[@]} * ${#MACS[@]} )); continue; }
  157.  
  158. for kx in ${KX[@]}
  159. do
  160. [ -t 1 ] && printf '\r%-7s %-17s %-10s %-11s (%d / %d)' $proto "" "" $kx $i $total
  161. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:+$kx:$all_macs:+COMP-NULL:$all_ciphers -p $PORT $IP > /dev/null 2>&1
  162. [ $? -eq 0 ] || { i=$(( $i + ${#CIPHERS[@]} * ${#MACS[@]} )); continue; }
  163. for cipher in ${CIPHERS[@]}
  164. do
  165. [ -t 1 ] && printf '\r%-7s %-17s %-10s %-11s (%d / %d)' $proto $cipher "" $kx $i $total
  166. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:+$kx:$all_macs:+COMP-NULL:+$cipher -p $PORT $IP > /dev/null 2>&1
  167. [ $? -eq 0 ] || { i=$(( $i + ${#MACS[@]} )); continue; }
  168. for mac in ${MACS[@]}
  169. do
  170. i=$(( $i + 1 ))
  171. [ -t 1 ] && printf '\r%-7s %-17s %-10s %-11s (%d / %d)' $proto $cipher $mac $kx $i $total
  172. # printf "%-7s %-17s %-10s %-11s " $proto $cipher $mac $kx
  173. echo -ne $request | gnutls-cli --insecure --priority NONE:+VERS-$proto:+$kx:+$mac:+COMP-NULL:+$cipher -p $PORT $IP > /dev/null 2>&1
  174. if [ $? -eq 0 ]
  175. then
  176. [ -t 1 ] && echo -en "\r\e[K"
  177. printf "%-7s %-17s %-10s %-11s\n" $proto $cipher $mac $kx
  178. fi
  179. done
  180. done
  181. done
  182. done
  183.  
  184. [ -t 1 ] && printf "\r%80s\r" ""
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement