sempervictus
diff --git a/‎lib/rex.rb
Lines changed: 4 additions & 0 deletions b/‎lib/rex.rb
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/rex/socket/parameters.rb
Lines changed: 11 additions & 1 deletion b/‎lib/rex/socket/parameters.rb
Lines changed: 11 additions & 1 deletion
diff --git a/‎lib/rex/socket/ssl_tcp.rb
Lines changed: 6 additions & 4 deletions b/‎lib/rex/socket/ssl_tcp.rb
Lines changed: 6 additions & 4 deletions
diff --git a/‎lib/rex/sslscan/result.rb
Lines changed: 200 additions & 0 deletions b/‎lib/rex/sslscan/result.rb
Lines changed: 200 additions & 0 deletions
@@ -88,6 +88,10 @@ module Rex
 # Platforms
 require 'rex/platforms'
 
+# SSLScan 
+require 'rex/sslscan/scanner'
+require 'rex/sslscan/result'
+
 
 # Overload the Kernel.sleep() function to be thread-safe
 Kernel.class_eval("
 
@@ -140,10 +140,15 @@ def initialize(hash)
 			self.ssl = false
 		end
 
-		if (hash['SSLVersion'] and hash['SSLVersion'].to_s =~ /^(SSL2|SSL3|TLS1)$/i)
+		supported_ssl_versions = ['SSL2', 'SSL23', 'TLS1', 'SSL3', :SSLv2, :SSLv3, :SSLv23, :TLSv1]
+		if (hash['SSLVersion'] and supported_ssl_versions.include? hash['SSLVersion'])
 			self.ssl_version = hash['SSLVersion']
 		end
 
+		if (hash['SSLCipher'])
+			self.ssl_cipher = hash['SSLCipher']
+		end
+
 		if (hash['SSLCert'] and ::File.file?(hash['SSLCert']))
 			begin
 				self.ssl_cert = ::File.read(hash['SSLCert'])
@@ -338,6 +343,11 @@ def v6?
 	#
 	attr_accessor :ssl_version
 	#
+	# What specific SSL Cipher(s) to use, may be a string containing the cipher name
+	# or an array of strings containing cipher names e.g. ["DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA"]
+	#
+	attr_accessor :ssl_cipher
+	#
 	# The SSL certificate, in pem format, stored as a string.  See +SslTcpServer#make_ssl+
 	#
 	attr_accessor :ssl_cert
 
@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 require 'rex/socket'
-
 ###
 #
 # This class provides methods for interacting with an SSL TCP client
@@ -60,11 +59,11 @@ def initsock(params = nil)
 		version = :SSLv3
 		if(params)
 			case params.ssl_version
-			when 'SSL2'
+			when 'SSL2', :SSLv2
 				version = :SSLv2
-			when 'SSL23'
+			when 'SSL23', :SSLv23
 				version = :SSLv23
-			when 'TLS1'
+			when 'TLS1', :TLSv1
 				version = :TLSv1
 			end
 		end
@@ -81,6 +80,9 @@ def initsock(params = nil)
 		#  VERIFY_PEER
 		self.sslctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
 		self.sslctx.options = OpenSSL::SSL::OP_ALL
+		if params.ssl_cipher
+			self.sslctx.ciphers = params.ssl_cipher
+		end
 
 		# Set the verification callback
 		self.sslctx.verify_callback = Proc.new do |valid, store|
 
@@ -0,0 +1,200 @@
+
+require 'rex/socket'
+require 'rex/ui/text/table'
+
+module Rex::SSLScan
+class Result
+
+	attr_accessor :openssl_sslv2
+
+	attr_reader :ciphers
+	attr_reader :supported_versions
+
+	def initialize()
+		@cert = nil
+		@ciphers = Set.new
+		@supported_versions = [:SSLv2, :SSLv3, :TLSv1]
+	end
+
+	def cert
+		@cert
+	end
+
+	def cert=(input)
+		unless input.kind_of? OpenSSL::X509::Certificate or input.nil?
+			raise ArgumentError, "Must be an X509 Cert!"
+		end
+		@cert = input
+	end
+
+	def sslv2
+		@ciphers.reject{|cipher| cipher[:version] != :SSLv2 }
+	end
+
+	def sslv3
+		@ciphers.reject{|cipher| cipher[:version] != :SSLv3 }
+	end
+
+	def tlsv1
+		@ciphers.reject{|cipher| cipher[:version] != :TLSv1 }
+	end
+
+	def weak_ciphers
+		accepted.reject{|cipher| cipher[:weak] == false }
+	end
+
+	def strong_ciphers
+		accepted.reject{|cipher| cipher[:weak] }
+	end
+
+	# Returns all accepted ciphers matching the supplied version
+	# @param version [Symbol, Array] The SSL Version to filter on
+	# @raise [ArgumentError] if the version supplied is invalid
+	# @return [Array] An array of accepted cipher details matching the supplied versions
+	def accepted(version = :all)
+		enum_ciphers(:accepted, version)
+	end
+
+	# Returns all rejected ciphers matching the supplied version
+	# @param version [Symbol, Array] The SSL Version to filter on
+	# @raise [ArgumentError] if the version supplied is invalid
+	# @return [Array] An array of rejected cipher details matching the supplied versions
+	def rejected(version = :all)
+		enum_ciphers(:rejected, version)
+	end
+
+	def each_accepted(version = :all)
+		accepted(version).each do |cipher_result|
+			yield cipher_result
+		end
+	end
+
+	def each_rejected(version = :all)
+		rejected(version).each do |cipher_result|
+			yield cipher_result
+		end
+	end
+
+	def supports_sslv2?
+		!(accepted(:SSLv2).empty?)
+	end
+
+	def supports_sslv3?
+		!(accepted(:SSLv3).empty?)
+	end
+
+	def supports_tlsv1?
+		!(accepted(:TLSv1).empty?)
+	end
+
+	def supports_ssl?
+		supports_sslv2? or supports_sslv3? or supports_tlsv1?
+	end
+
+	def supports_weak_ciphers?
+		!(weak_ciphers.empty?)
+	end
+
+	def standards_compliant?
+		if supports_ssl?
+			return false if supports_sslv2?
+			return false if supports_weak_ciphers?
+		end
+		true
+	end
+
+	# Adds the details of a cipher test to the Result object.
+	# @param version [Symbol] the SSL Version
+	# @param cipher [String] the SSL cipher
+	# @param key_length [Fixnum] the length of encryption key
+	# @param status [Symbol] :accepted or :rejected
+	def add_cipher(version, cipher, key_length, status)
+		unless @supported_versions.include? version
+			raise ArgumentError, "Must be a supported SSL Version"
+		end
+		unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
+			raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
+		end
+		unless key_length.kind_of? Fixnum
+			raise ArgumentError, "Must supply a valid key length"
+		end
+		unless [:accepted, :rejected].include? status
+			raise ArgumentError, "Status must be either :accepted or :rejected"
+		end
+
+		strong_cipher_ctx = OpenSSL::SSL::SSLContext.new(version)
+		# OpenSSL Directive For Strong Ciphers
+		# See: http://www.rapid7.com/vulndb/lookup/ssl-weak-ciphers
+		strong_cipher_ctx.ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
+
+		if strong_cipher_ctx.ciphers.flatten.include? cipher
+			weak = false
+		else
+			weak = true
+		end
+
+		cipher_details = {:version => version, :cipher => cipher, :key_length => key_length, :weak => weak, :status => status}
+		@ciphers << cipher_details
+	end
+
+	def to_s
+		unless supports_ssl?
+			return "Server does not appear to support SSL on this port!"
+		end
+		table = Rex::Ui::Text::Table.new(
+			'Header'      => 'SSL Ciphers',
+			'Indent'       => 1,
+			'Columns'   => ['Status', 'Weak', 'SSL Version', 'Key Length', 'Cipher'],
+			'SortIndex'  => -1
+		)
+		ciphers.each do |cipher|
+			if cipher[:weak]
+				weak = '*'
+			else
+				weak = ' '
+			end
+			table << [cipher[:status].to_s.capitalize, weak , cipher[:version], cipher[:key_length], cipher[:cipher]]
+		end
+
+		# Sort by SSL Version, then Key Length, and then Status
+		table.rows.sort_by!{|row| [row[0],row[2],row[3]]}
+		text = "#{table.to_s}"
+		if @cert
+			text << " \n\n #{@cert.to_text}"
+		end
+		if openssl_sslv2 == false
+			text << "\n\n *** WARNING: Your OS hates freedom! Your OpenSSL libs are compiled without SSLv2 support!"
+		end
+		text
+	end
+
+	protected
+
+	# @param state [Symbol] Either :accepted or :rejected
+	# @param version [Symbol, Array] The SSL Version to filter on (:SSLv2, :SSLv3, :TLSv1, :all)
+	# @return [Set] The Set of cipher results matching the filter criteria
+	def enum_ciphers(state, version = :all)
+		case version
+		when Symbol
+			case version
+			when :all
+				return @ciphers.select{|cipher| cipher[:status] == state}
+			when :SSLv2, :SSLv3, :TLSv1
+				return @ciphers.select{|cipher| cipher[:status] == state and cipher[:version] == version}
+			else
+				raise ArgumentError, "Invalid SSL Version Supplied: #{version}"
+			end
+		when Array
+			version = version.reject{|v| !(@supported_versions.include? v)}
+			if version.empty?
+				return @ciphers.select{|cipher| cipher[:status] == state}
+			else
+				return @ciphers.select{|cipher| cipher[:status] == state and version.include? cipher[:version]}
+			end
+		else
+			raise ArgumentError, "Was expecting Symbol or Array and got #{version.class}"
+		end
+	end
+
+end
+end