Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enumerate ciphers based on security level and optimizations #177

Merged
merged 14 commits into from
Feb 21, 2023
Merged

enumerate ciphers based on security level and optimizations #177

merged 14 commits into from
Feb 21, 2023

Conversation

tarunKoyalwar
Copy link
Member

@tarunKoyalwar tarunKoyalwar commented Jan 31, 2023
edited by ehsandeep
Loading

Proposed Changes

  • refactor and optimize cipher enum logic
  • color code cipher results based on security level
  • adds option to specify cipher levels while enumerating ciphers
   -ct, -cipher-type value  ciphers types to enumerate (all/secure/insecure/weak) (default 0)

closes #169

@tarunKoyalwar tarunKoyalwar marked this pull request as draft January 31, 2023 15:35
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 31, 2023
View reviewed changes
pkg/tlsx/tls/tls.go
if err != nil {
return enumeratedCiphers, errorutil.NewWithErr(err).WithTag("ctls")
}
baseCfg.CipherSuites = []uint16{tlsCiphers[v]}

Check failure

Code scanning / CodeQL

Insecure TLS configuration

Use of an insecure cipher suite: TLS_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
pkg/tlsx/tls/tls.go
if err != nil {
return nil, errorutil.NewWithTag("ctls", "could not get tls ciphers").Wrap(err)
}
c.tlsConfig.CipherSuites = customCiphers

Check failure

Code scanning / CodeQL

Insecure TLS configuration

Use of an insecure cipher suite: TLS_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 31, 2023
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 12, 2023
View reviewed changes
pkg/tlsx/ztls/ztls.go
}
defer conn.Close() //internally done by conn.Close() so just a placeholder

Check warning

Code scanning / SonarCloud

<!--SONAR_ISSUE_KEY:AYZE6hHw_1Vop0QXa-en-->Deferring unsafe method "Close" on type "net.Conn" <p>See more on <a href="https://sonarcloud.io/project/issues?id=projectdiscovery_tlsx&issues=AYZE6hHw_1Vop0QXa-en&open=AYZE6hHw_1Vop0QXa-en&pullRequest=177">SonarCloud</a></p>

<!--SONAR_ISSUE_KEY:AYZE6hHw_1Vop0QXa-en-->Deferring unsafe method "Close" on type "net.Conn" <p>See more on <a href="https://sonarcloud.io/project/issues?id=projectdiscovery_tlsx&issues=AYZE6hHw_1Vop0QXa-en&open=AYZE6hHw_1Vop0QXa-en&pullRequest=177">SonarCloud</a></p>
@tarunKoyalwar
Copy link
Member Author 

$ ./tlsx -u scanme.sh -sm openssl -ce -v
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\	v1.0.5

		projectdiscovery.io

[INF] Processing input scanme.sh:443
[LibreSSL3.6.1] Starting cipher enumeration with 48 ciphers in tls12
[LibreSSL3.6.1] Starting cipher enumeration with 48 ciphers in tls10
[LibreSSL3.6.1] Starting cipher enumeration with 48 ciphers in tls11
scanme.sh:443 [tls12] [ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA]
scanme.sh:443 [tls10] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
scanme.sh:443 [tls11] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]

@tarunKoyalwar
Copy link
Member Author

Screenshot 2023-02-14 at 8 09 05 PM
Screenshot 2023-02-14 at 8 09 44 PM

@tarunKoyalwar tarunKoyalwar linked an issue Feb 14, 2023 that may be closed by this pull request
Enumerate Ciphers based on security level (weak ,secure , insecure etc ) #169
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 14, 2023
View reviewed changes
cmd/update-cipherstatus/main.go
if err != nil {
log.Fatal(err)
}
defer res.Body.Close()

Check warning

Code scanning / SonarCloud

<!--SONAR_ISSUE_KEY:AYZQXzoYcck3lv4CKqd5-->Deferring unsafe method "Close" on type "io.ReadCloser" <p>See more on <a href="https://sonarcloud.io/project/issues?id=projectdiscovery_tlsx&issues=AYZQXzoYcck3lv4CKqd5&open=AYZQXzoYcck3lv4CKqd5&pullRequest=177">SonarCloud</a></p>

<!--SONAR_ISSUE_KEY:AYZQXzoYcck3lv4CKqd5-->Deferring unsafe method "Close" on type "io.ReadCloser" <p>See more on <a href="https://sonarcloud.io/project/issues?id=projectdiscovery_tlsx&issues=AYZQXzoYcck3lv4CKqd5&open=AYZQXzoYcck3lv4CKqd5&pullRequest=177">SonarCloud</a></p>
cmd/update-cipherstatus/main.go
}

func FetchAndLoadCiphers(url string) {
res, err := http.Get(url)

Check warning

Code scanning / SonarCloud

<!--SONAR_ISSUE_KEY:AYZQXzoYcck3lv4CKqd4-->Potential HTTP request made with variable url <p>See more on <a href="https://sonarcloud.io/project/issues?id=projectdiscovery_tlsx&issues=AYZQXzoYcck3lv4CKqd4&open=AYZQXzoYcck3lv4CKqd4&pullRequest=177">SonarCloud</a></p>

<!--SONAR_ISSUE_KEY:AYZQXzoYcck3lv4CKqd4-->Potential HTTP request made with variable url <p>See more on <a href="https://sonarcloud.io/project/issues?id=projectdiscovery_tlsx&issues=AYZQXzoYcck3lv4CKqd4&open=AYZQXzoYcck3lv4CKqd4&pullRequest=177">SonarCloud</a></p>
@tarunKoyalwar tarunKoyalwar marked this pull request as ready for review February 14, 2023 14:42
@tarunKoyalwar tarunKoyalwar self-assigned this Feb 14, 2023
Mzack9999
Mzack9999 requested changes Feb 15, 2023
View reviewed changes
Copy link
Member

@Mzack9999 Mzack9999 left a comment
edited by tarunKoyalwar
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. todo:

  • Few suggested changes
  • merge conflicts

Mzack9999
Mzack9999 requested changes Feb 15, 2023
View reviewed changes
Copy link
Member

@Mzack9999 Mzack9999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nil crash if the tls engine is not specified:

$ go run -u scanme.sh -ce -v            
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x8 pc=0x7ff724e30660]

goroutine 38 [running]:
github.com/projectdiscovery/tlsx/pkg/tlsx/openssl.(*Client).getOpenSSLopts(0x0, {0xc0003c7fc0, 0x9}, {0x0, 0x0}, {0x7ff7251e1691, 0x3}, {{0x0, 0x0}, {0x7ff7251e4bda, ...}, ...})
        C:/Users/marco/go/src/github.com/projectdiscovery/tlsx/pkg/tlsx/openssl/openssl.go:142 +0x120
github.com/projectdiscovery/tlsx/pkg/tlsx/openssl.(*Client).EnumerateCiphers(0xc00038a240?, {0xc0003c7fc0, 0x9}, {0x0, 0x0}, {0x7ff7251e1691, 0x3}, {{0x0, 0x0}, {0x7ff7251e4bda, ...}, ...})
        C:/Users/marco/go/src/github.com/projectdiscovery/tlsx/pkg/tlsx/openssl/openssl.go:110 +0x13d
github.com/projectdiscovery/tlsx/pkg/tlsx/auto.(*Client).EnumerateCiphers.func1({0x7ff725386d38?, 0x0?})
        C:/Users/marco/go/src/github.com/projectdiscovery/tlsx/pkg/tlsx/auto/auto.go:79 +0xf8
created by github.com/projectdiscovery/tlsx/pkg/tlsx/auto.(*Client).EnumerateCiphers
        C:/Users/marco/go/src/github.com/projectdiscovery/tlsx/pkg/tlsx/auto/auto.go:77 +0x375
exit status 2

@tarunKoyalwar
Copy link
Member Author

@Mzack9999 I am not able to reproduce the panic ? can you verify it again with latest commit

$ go run . -u scanme.sh -ce -v                                                            1 ↵
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\	v1.0.5

		projectdiscovery.io

[INF] Processing input scanme.sh:443
[ztls] Starting cipher enumeration with 345 ciphers in tls12
[LibreSSL3.6.1] Starting cipher enumeration with 48 ciphers in tls12
[ctls] Starting cipher enumeration with 28 ciphers and version tls12
[ztls] Starting cipher enumeration with 345 ciphers in tls10
[ctls] Starting cipher enumeration with 28 ciphers and version tls10
[LibreSSL3.6.1] Starting cipher enumeration with 48 ciphers in tls10
[ctls] Starting cipher enumeration with 28 ciphers and version tls11
[ztls] Starting cipher enumeration with 345 ciphers in tls11
[LibreSSL3.6.1] Starting cipher enumeration with 48 ciphers in tls11
scanme.sh:443 [tls12] [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA]
scanme.sh:443 [tls10] [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
scanme.sh:443 [tls11] [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
[INF] Connections made using crypto/tls: 89, zcrypto/tls: 1035, openssl: 144

@Mzack9999
Copy link
Member

@tarunKoyalwar I think we should add openssl only if it's available on the system in auto.go => EnumerateCiphers

allClients := []clients.Implementation{c.opensslClient, c.tlsClient, c.ztlsClient}

Otherwise, it will face nil pointer exceptions

@tarunKoyalwar
Copy link
Member Author

tarunKoyalwar commented Feb 16, 2023
edited
Loading

@Mzack9999 , thanks for pointing it out

ehsandeep
ehsandeep reviewed Feb 18, 2023
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tarunKoyalwar, do you think it would be a good idea to update json output to differentiate cipher types?

....
{
  "version": "tls11",
  "ciphers": {
    "weak": [
      "ECDHE-RSA-AES256-SHA",
      "CAMELLIA128-SHA",
      "ECDHE-RSA-DES-CBC3-SHA",
      "DES-CBC3-SHA"
    ],
    "secure": [
      "ECDHE-RSA-AES256-SHA",
      "DHE-RSA-AES256-SHA",
      "DES-CBC3-SHA"
    ]
  }
}

@tarunKoyalwar tarunKoyalwar mentioned this pull request Feb 20, 2023
Closed
@tarunKoyalwar
Copy link
Member Author 

$ ./tlsx -u scanme.sh -ce -v -sm openssl 
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\	v1.0.5

		projectdiscovery.io

[INF] Processing input scanme.sh:443
[INF] Started TLS Cipher Enumeration using openssl mode
[LibreSSL3.3.6] Starting cipher enumeration with 48 ciphers in tls12
[LibreSSL3.3.6] Starting cipher enumeration with 48 ciphers in tls10
[LibreSSL3.3.6] Starting cipher enumeration with 48 ciphers in tls11
[tls12] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256]
[tls10] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
[tls11] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
$ ./tlsx -u scanme.sh -ce  -sm openssl -silent  -json | jq 
{
  "timestamp": "2023-02-20T20:44:29.360091+05:30",
  "host": "scanme.sh",
  "ip": "128.199.158.128",
  "port": "443",
  "probe_status": true,
  "tls_version": "tls12",
  "cipher": "ECDHE-ECDSA-CHACHA20-POLY1305",
  "self_signed": true,
  "mismatched": true,
  "not_before": "2022-06-07T15:18:51Z",
  "not_after": "2032-06-04T15:18:51Z",
  "subject_dn": "CN=scanme, O=pd",
  "subject_cn": "scanme",
  "subject_org": [
    "pd"
  ],
  "issuer_dn": "CN=scanme, O=pd",
  "issuer_cn": "scanme",
  "issuer_org": [
    "pd"
  ],
  "fingerprint_hash": {
    "md5": "eacf1e9b4acca9168b43f84a9bfaa7c5",
    "sha1": "550837ef878d58c92820e9498e3807c6bd7184ec",
    "sha256": "ebbf69a9e7ba65b51fa12cd44105055c2c2c250706e9795fab219d3d5dff5fac"
  },
  "tls_connection": "openssl",
  "sni": "scanme.sh",
  "version_enum": [
    "tls12",
    "tls10",
    "tls11"
  ],
  "cipher_enum": [
    {
      "version": "tls12",
      "ciphers": {
        "weak": [
          "ECDHE-ECDSA-AES256-SHA",
          "ECDHE-ECDSA-AES128-SHA"
        ],
        "secure": [
          "ECDHE-ECDSA-CHACHA20-POLY1305",
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES128-GCM-SHA256"
        ]
      }
    },
    {
      "version": "tls10",
      "ciphers": {
        "weak": [
          "ECDHE-ECDSA-AES256-SHA",
          "ECDHE-ECDSA-AES128-SHA"
        ]
      }
    },
    {
      "version": "tls11",
      "ciphers": {
        "weak": [
          "ECDHE-ECDSA-AES256-SHA",
          "ECDHE-ECDSA-AES128-SHA"
        ]
      }
    }
  ]
}

ehsandeep
ehsandeep requested changes Feb 20, 2023
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • missing input hostname in output
  • removing unused -ac option

@tarunKoyalwar
Copy link
Member Author 

./tlsx -u scanme.sh -ce -v -sm openssl
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\	v1.0.5

		projectdiscovery.io

[INF] Processing input scanme.sh:443
[INF] Started TLS Cipher Enumeration using openssl mode
[LibreSSL3.3.6] Starting cipher enumeration with 48 ciphers in tls12
[LibreSSL3.3.6] Starting cipher enumeration with 48 ciphers in tls10
[LibreSSL3.3.6] Starting cipher enumeration with 48 ciphers in tls11
scanme.sh:443 [tls12] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256]
scanme.sh:443 [tls10] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
scanme.sh:443 [tls11] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]

@tarunKoyalwar
Copy link
Member Author

@ehsandeep ,

Non-Breaking Changes

  • remove flag -ac i.e all-ciphers
  • marked Options.AllCiphers as deprecated to avoid breaking changes
    -This will be detected by golangci in any project/repo that uses above option

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 21, 2023
View reviewed changes
pkg/tlsx/tls/tls.go
} else {
// unless explicitly specified client should advertise all supported ciphers
// Note: Go stdlib by default only advertises a safe/default list of ciphers
c.tlsConfig.CipherSuites = AllCiphers

Check failure

Code scanning / CodeQL

Insecure TLS configuration

Use of an insecure cipher suite: TLS_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
ehsandeep
ehsandeep approved these changes Feb 21, 2023
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

./tlsx -u scanme.sh -ce -sm openssl
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\	v1.0.5

		projectdiscovery.io

[INF] Started TLS Cipher Enumeration using openssl mode
scanme.sh:443 [tls12] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256]
scanme.sh:443 [tls10] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]
scanme.sh:443 [tls11] [ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA]

@ehsandeep ehsandeep merged commit efc2df4 into dev Feb 21, 2023
@ehsandeep ehsandeep deleted the issue-169-insecure-ciphers branch February 21, 2023 15:27
@sonarqubecloud
Copy link

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability C 4 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 4 Code Smells

9.7% 9.7% Coverage
15.6% 15.6% Duplication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ehsandeep ehsandeep ehsandeep approved these changes

@Mzack9999 Mzack9999 Mzack9999 approved these changes

Assignees

@tarunKoyalwar tarunKoyalwar

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enumerate Ciphers based on security level (weak ,secure , insecure etc )
3 participants
@tarunKoyalwar @Mzack9999 @ehsandeep