Merge pull request #14 from RUB-NDS/moreAttack

More attack

Author: ic0ns

README.md

@@ -4,7 +4,7 @@ TLS-Scanner is a tool created by the Chair for Network and Data Security from th
 **Please note:**  *TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.*
 
 # Compiling
-In order to compile and use TLS-Scanner, you need to have Java installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.1
+In order to compile and use TLS-Scanner, you need to have Java installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.2
 
 ```bash
 $ cd TLS-Scanner
@@ -23,7 +23,7 @@ $ ./mvnw clean install
 
 For hints on installing the required libraries checkout the corresponding GitHub repositories.
 
-**Please note:**  *In order to run this tool you need TLS-Attacker version 2.1*
+**Please note:**  *In order to run this tool you need TLS-Attacker version 2.2*
 
 # Running
 In order to run TLS-Scanner you need to run the jar file in the apps/ folder.
@@ -33,39 +33,3 @@ $ java -jar apps/TLS-Scanner.jar -connect localhost:4433
 ```
 
 You can specify a host you want to scan with the -connect parameter. If you want to improve the performance of the scan you can use the -threads parameter (default=1).
-
-
-# Results
-TLS-Scanner uses the concept of "checks" which are performed after it collected configuration information. A check which results in "true" is consideres a non optimal choice and is an indicator for a pentester for a possible problem.
-
-There are currently multiple checks implemented:
-
-
-| Check                           | Meaning                                                                  	  | 
-| ------------------------------- |:-----------------------------------------------------------------------------:|
-| CERTIFICATE_EXPIRED             | Checks if the Certificate is expired yet                                	  |
-| CERTIFICATE_NOT_VALID_YET       | Checks if the Certificate is valid yet                                   	  |
-| CERTIFICATE_WEAK_HASH_FUNCTION  | Checks if the Server uses a weak Hash algorithm for its Certificate      	  |
-| CERTIFICATE_WEAK_SIGN_ALGORITHM | Checks if the Server uses a weak Signature algorithm for its Certificate	  |
-| CERTIFICATE_NOT_SENT_BY_SERVER  | Checks if the Server did sent a Certificate at all                      	  |
-| CIPHERSUITE_ANON                | Checks if the Server has Anon Ciphersuites enabled                       	  |
-| CIPHERSUITE_CBC                 | Checks if the Server has CBC Ciphersuites enabled for TLS 1.0            	  | 
-| CIPHERSUITE_EXPORT              | Checks if the Server has Export Ciphersuites enabled                    	  |
-| CIPHERSUITE_NULL                | Checks if the Server has Null Ciphersuites enabled                       	  |
-| CIPHERSUITE_RC4                 | Checks if the Server has RC4 Ciphersuites enabled                       	  |
-| CIPHERSUITEORDER_ENFORCED       | Checks if the Server does not enforce a Ciphersuite ordering             	  |
-| PROTOCOLVERSION_SSL2            | Checks if SSL 2 is enabled                                               	  |
-| PROTOCOLVERSION_SSL3            | Checks if SSL 3 is enabled                                              	  |
-| ATTACK_HEARTBLEED               | Checks if the Server is vulnerable to Heartbleed                        	  |
-| ATTACK_PADDING                  | Checks if the Server is vulnerable to a Padding_Oracle Attack (BETA)    	  |
-| ATTACK_BLEICHENBACHER           | Checks if the Server is vulnerable to the Bleichenbacher Attack (BETA)  	  |
-| ATTACK_POODLE			          | Checks if the Server is vulnerable to the Poodle Attack (BETA)           	  |
-| ATTACK_TLS_POODLE               | Checks if the Server is vulnerable to the TLS variant of Poolde (BETA)   	  |
-| ATTACK_CVE20162107              | Checks if the Server is vulnerable to CVE20162107 (BETA)			y	 	  |
-| ATTACK_INVALID_CURVE            | Checks if the Server is vulnerable to the Invalid Curve Attack (BETA)	      |
-| ATTACK_INVALID_CURVE_EPHEMERAL  | Checks if the Server is vulnerable to an Ephemeral Invalid Curve Attack(BETA) |
-
-
-
-
-**Please note:**  *A check with a _result_ of true is considered non optimal*

pom.xml

@@ -9,12 +9,12 @@
         <dependency>
             <groupId>de.rub.nds.tlsattacker</groupId>
             <artifactId>TLS-Core</artifactId>
-            <version>2.1</version>
+            <version>2.2</version>
         </dependency>
         <dependency>
             <groupId>de.rub.nds.tlsattacker</groupId>
             <artifactId>Attacks</artifactId>
-            <version>2.1</version>
+            <version>2.2</version>
         </dependency>
         <dependency>
             <groupId>junit</groupId>

src/main/java/de/rub/nds/tlsscanner/Main.java

@@ -43,7 +43,7 @@ public static void main(String[] args) throws IOException {
             }
             // Cmd was parsable
             try {
-                TLSScanner scanner = new TLSScanner(config);
+                TlsScanner scanner = new TlsScanner(config);
                 long time = System.currentTimeMillis();
                 LOGGER.info("Performing Scan, this may take some time...");
                 SiteReport report = scanner.scan();
@@ -71,7 +71,7 @@ public static void scanFile(File f) throws FileNotFoundException, IOException
         while((line = reader.readLine()) != null)
         {
             String host = line.split(",")[2];
-            TLSScanner scanner = new TLSScanner(host,false);
+            TlsScanner scanner = new TlsScanner(host,false);
             scanner.scan();
         }
         System.exit(0);

src/main/java/de/rub/nds/tlsscanner/ScanJob.java

@@ -8,7 +8,9 @@
  */
 package de.rub.nds.tlsscanner;
 
-import de.rub.nds.tlsscanner.probe.TLSProbe;
+import de.rub.nds.tlsscanner.probe.TlsProbe;
+import de.rub.nds.tlsscanner.report.after.AfterProbe;
+import java.util.LinkedList;
 import java.util.List;
 
 /**
@@ -17,13 +19,19 @@
  */
 public class ScanJob {
 
-    private final List<TLSProbe> probeList;
+    private final List<TlsProbe> probeList;
+    private final List<AfterProbe> afterList;
 
-    public ScanJob(List<TLSProbe> testList) {
+    public ScanJob(List<TlsProbe> testList, List<AfterProbe> afterList) {
         this.probeList = testList;
+        this.afterList = afterList;
     }
 
-    public List<TLSProbe> getProbeList() {
+    public List<TlsProbe> getProbeList() {
         return probeList;
     }
+
+    public List<AfterProbe> getAfterProbes() {
+        return afterList;
+    }
 }

src/main/java/de/rub/nds/tlsscanner/ScanJobExecutor.java

@@ -10,9 +10,10 @@
 
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
-import de.rub.nds.tlsscanner.report.ProbeResult;
+import de.rub.nds.tlsscanner.report.result.ProbeResult;
 import de.rub.nds.tlsscanner.report.SiteReport;
-import de.rub.nds.tlsscanner.probe.TLSProbe;
+import de.rub.nds.tlsscanner.probe.TlsProbe;
+import de.rub.nds.tlsscanner.report.after.AfterProbe;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.concurrent.ExecutionException;
@@ -38,7 +39,7 @@ public ScanJobExecutor(int threadCount) {
 
     public SiteReport execute(ScannerConfig config, ScanJob scanJob) {
         List<Future<ProbeResult>> futureResults = new LinkedList<>();
-        for (TLSProbe probe : scanJob.getProbeList()) {
+        for (TlsProbe probe : scanJob.getProbeList()) {
             futureResults.add(executor.submit(probe));
         }
         List<ProbeResult> resultList = new LinkedList<>();
@@ -54,6 +55,15 @@ public SiteReport execute(ScannerConfig config, ScanJob scanJob) {
         executor.shutdown();
         ClientDelegate clientDelegate = (ClientDelegate) config.getDelegate(ClientDelegate.class);
         String hostname = clientDelegate.getHost();
-        return new SiteReport(hostname, resultList);
+        SiteReport report = new SiteReport(hostname);
+        report.setServerIsAlive(Boolean.TRUE);
+        for (ProbeResult result : resultList) {
+            result.merge(report);
+        }
+        for(AfterProbe afterProbe : scanJob.getAfterProbes())
+        {
+            afterProbe.analyze(report);
+        }
+        return report;
     }
 }

src/main/java/de/rub/nds/tlsscanner/TLSScanner.java renamed to src/main/java/de/rub/nds/tlsscanner/TlsScanner.java

@@ -8,41 +8,45 @@
  */
 package de.rub.nds.tlsscanner;
 
+import de.rub.nds.tlsattacker.attacks.connectivity.ConnectivityChecker;
+import de.rub.nds.tlsattacker.core.config.Config;
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.GeneralDelegate;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
 import de.rub.nds.tlsscanner.probe.BleichenbacherProbe;
-import de.rub.nds.tlsscanner.report.SiteReport;
 import de.rub.nds.tlsscanner.probe.CertificateProbe;
 import de.rub.nds.tlsscanner.probe.CiphersuiteOrderProbe;
 import de.rub.nds.tlsscanner.probe.CiphersuiteProbe;
+import de.rub.nds.tlsscanner.probe.CompressionsProbe;
 import de.rub.nds.tlsscanner.probe.Cve20162107Probe;
+import de.rub.nds.tlsscanner.probe.ExtensionProbe;
 import de.rub.nds.tlsscanner.probe.HeartbleedProbe;
 import de.rub.nds.tlsscanner.probe.InvalidCurveProbe;
+import de.rub.nds.tlsscanner.probe.NamedCurvesProbe;
 import de.rub.nds.tlsscanner.probe.PaddingOracleProbe;
 import de.rub.nds.tlsscanner.probe.PoodleProbe;
+import de.rub.nds.tlsscanner.report.SiteReport;
 import de.rub.nds.tlsscanner.probe.ProtocolVersionProbe;
-import de.rub.nds.tlsscanner.probe.TLSProbe;
 import de.rub.nds.tlsscanner.probe.TlsPoodleProbe;
+import de.rub.nds.tlsscanner.probe.TlsProbe;
+import de.rub.nds.tlsscanner.report.after.AfterProbe;
+import de.rub.nds.tlsscanner.report.after.DrownAfterProbe;
+import de.rub.nds.tlsscanner.report.after.Sweet32AfterProbe;
 import java.util.LinkedList;
 import java.util.List;
 import org.apache.logging.log4j.Level;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.core.LoggerContext;
-import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.config.Configurator;
-import org.apache.logging.log4j.core.config.LoggerConfig;
 
 /**
  *
  * @author Robert Merget - [email protected]
  */
-public class TLSScanner {
+public class TlsScanner {
 
     private final ScanJobExecutor executor;
     private final ScannerConfig config;
 
-    public TLSScanner(String websiteHost, boolean attackingScans) {
+    public TlsScanner(String websiteHost, boolean attackingScans) {
         this.executor = new ScanJobExecutor(1);
         config = new ScannerConfig(new GeneralDelegate());
         config.getGeneralDelegate().setLogLevel(Level.WARN);
@@ -51,7 +55,7 @@ public TLSScanner(String websiteHost, boolean attackingScans) {
         Configurator.setAllLevels("de.rub.nds.tlsattacker", Level.WARN);
     }
 
-    public TLSScanner(ScannerConfig config) {
+    public TlsScanner(ScannerConfig config) {
         this.executor = new ScanJobExecutor(config.getThreads());
         this.config = config;
         if (config.getGeneralDelegate().getLogLevel() == Level.ALL) {
@@ -68,23 +72,39 @@ public TLSScanner(ScannerConfig config) {
     }
 
     public SiteReport scan() {
-        List<TLSProbe> testList = new LinkedList<>();
-        testList.add(new CertificateProbe(config));
-        testList.add(new ProtocolVersionProbe(config));
-        testList.add(new CiphersuiteProbe(config));
-        testList.add(new CiphersuiteOrderProbe(config));
-        testList.add(new HeartbleedProbe(config));
-        //testList.add(new NamedCurvesProbe(websiteHost));
-        testList.add(new PaddingOracleProbe(config));
-        testList.add(new BleichenbacherProbe(config));
-        testList.add(new PoodleProbe(config));
-        testList.add(new TlsPoodleProbe(config));
-        testList.add(new Cve20162107Probe(config));
-        testList.add(new InvalidCurveProbe(config));
-        
+        List<TlsProbe> testList = new LinkedList<>();
+
+        if (prechecks()) {
+            testList.add(new NamedCurvesProbe(config));
+            testList.add(new CertificateProbe(config));
+            testList.add(new ProtocolVersionProbe(config));
+            testList.add(new CiphersuiteProbe(config));
+            testList.add(new CiphersuiteOrderProbe(config));
+            testList.add(new HeartbleedProbe(config));
+            testList.add(new PaddingOracleProbe(config));
+            testList.add(new BleichenbacherProbe(config));
+            testList.add(new PoodleProbe(config));
+            testList.add(new TlsPoodleProbe(config));
+            testList.add(new Cve20162107Probe(config));
+            testList.add(new InvalidCurveProbe(config));
+            testList.add(new ExtensionProbe(config));
+            testList.add(new CompressionsProbe(config));
+            List<AfterProbe> afterList = new LinkedList<>();
+            afterList.add(new Sweet32AfterProbe());
+            afterList.add(new DrownAfterProbe());
+            ScanJob job = new ScanJob(testList, afterList);
+            return executor.execute(config, job);
+        }
         // testList.add(new SignatureAndHashAlgorithmProbe(websiteHost));
-        ScanJob job = new ScanJob(testList);
-        return executor.execute(config, job);
+        SiteReport report = new SiteReport(config.getClientDelegate().getHost());
+        report.setServerIsAlive(false);
+        return report;
+    }
+
+    public boolean prechecks() {
+        Config tlsConfig = config.createConfig();
+        ConnectivityChecker checker = new ConnectivityChecker(tlsConfig.getDefaultClientConnection());
+        return checker.isConnectable();
     }
 
 }

src/main/java/de/rub/nds/tlsscanner/config/ScannerConfig.java

@@ -10,6 +10,7 @@
 
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParametersDelegate;
+import de.rub.nds.tlsattacker.core.config.Config;
 import de.rub.nds.tlsattacker.core.config.TLSDelegateConfig;
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.GeneralDelegate;
@@ -28,9 +29,15 @@ public class ScannerConfig extends TLSDelegateConfig {
     @Parameter(names = "-threads", required = false, description = "How many threads should execute Probes")
     private int threads = 1;
 
+    @Parameter(names = "-danger", required = false, description = "Integer value (1 - 10) which specifies how aggressive the Scanner should test. Default 10")
+    private int dangerLevel = 10;
+
     @ParametersDelegate
     private GeneralDelegate generalDelegate;
 
+    @Parameter(names = "-implementation", required = false, description = "If you are interessted in the vulnerability of an implementation rather than a specific site")
+    private boolean implementation = false;
+
     public ScannerConfig(GeneralDelegate delegate) {
         super(delegate);
         this.generalDelegate = delegate;
@@ -50,4 +57,30 @@ public void setThreads(int threads) {
     public ClientDelegate getClientDelegate() {
         return clientDelegate;
     }
+
+    public int getDangerLevel() {
+        return dangerLevel;
+    }
+
+    public void setDangerLevel(int dangerLevel) {
+        this.dangerLevel = dangerLevel;
+    }
+
+    public boolean isImplementation() {
+        return implementation;
+    }
+
+    public void setImplementation(boolean implementation) {
+        this.implementation = implementation;
+    }
+
+    @Override
+    public Config createConfig() {
+        Config config = super.createConfig();
+        config.setSniHostname(clientDelegate.getHost());
+        config.getDefaultClientConnection().setTimeout(1000);
+        return config;
+    }
+    
+    
 }

src/main/java/de/rub/nds/tlsscanner/constants/AnsiColors.java

@@ -0,0 +1,35 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package de.rub.nds.tlsscanner.constants;
+
+/**
+ *
+ * @author Robert Merget <[email protected]>
+ */
+public class AnsiColors {
+
+    public static final String ANSI_RESET = "\u001B[0m";
+    public static final String ANSI_BLACK = "\u001B[30m";
+    public static final String ANSI_RED = "\u001B[31m";
+    public static final String ANSI_GREEN = "\u001B[32m";
+    public static final String ANSI_YELLOW = "\u001B[33m";
+    public static final String ANSI_BLUE = "\u001B[34m";
+    public static final String ANSI_PURPLE = "\u001B[35m";
+    public static final String ANSI_CYAN = "\u001B[36m";
+    public static final String ANSI_WHITE = "\u001B[37m";
+    public static final String ANSI_BLACK_BACKGROUND = "\u001B[40m";
+    public static final String ANSI_RED_BACKGROUND = "\u001B[41m";
+    public static final String ANSI_GREEN_BACKGROUND = "\u001B[42m";
+    public static final String ANSI_YELLOW_BACKGROUND = "\u001B[43m";
+    public static final String ANSI_BLUE_BACKGROUND = "\u001B[44m";
+    public static final String ANSI_PURPLE_BACKGROUND = "\u001B[45m";
+    public static final String ANSI_CYAN_BACKGROUND = "\u001B[46m";
+    public static final String ANSI_WHITE_BACKGROUND = "\u001B[47m";
+
+    private AnsiColors() {
+    }
+
+}

src/main/java/de/rub/nds/tlsscanner/constants/CipherSuiteGrade.java

@@ -0,0 +1,14 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package de.rub.nds.tlsscanner.constants;
+
+/**
+ *
+ * @author Robert Merget <[email protected]>
+ */
+public enum CipherSuiteGrade {
+    GOOD, LOW, MEDIUM, NONE
+}