Class: Rex::SSLScan::Result

Inherits:

Object

• Object
• Rex::SSLScan::Result

Defined in:

lib/rex/sslscan/result.rb

Instance Attribute Summary

• #ciphers ⇒ Object readonly

  Returns the value of attribute ciphers.

• #openssl_sslv2 ⇒ Object

  Returns the value of attribute openssl_sslv2.

• #supported_versions ⇒ Object readonly

  Returns the value of attribute supported_versions.

Instance Method Summary

• #accepted(version = :all) ⇒ Array

  Returns all accepted ciphers matching the supplied version.

• #add_cipher(version, cipher, key_length, status) ⇒ Object

  Adds the details of a cipher test to the Result object.

• #cert ⇒ Object
• #cert=(input) ⇒ Object
• #each_accepted(version = :all) ⇒ Object
• #each_rejected(version = :all) ⇒ Object
• #initialize ⇒ Result constructor

  A new instance of Result.

• #rejected(version = :all) ⇒ Array

  Returns all rejected ciphers matching the supplied version.

• #sslv2 ⇒ Object
• #sslv3 ⇒ Object
• #standards_compliant? ⇒ Boolean
• #strong_ciphers ⇒ Object
• #supports_ssl? ⇒ Boolean
• #supports_sslv2? ⇒ Boolean
• #supports_sslv3? ⇒ Boolean
• #supports_tlsv1? ⇒ Boolean
• #supports_tlsv1_1? ⇒ Boolean
• #supports_tlsv1_2? ⇒ Boolean
• #supports_weak_ciphers? ⇒ Boolean
• #tlsv1 ⇒ Object
• #to_s ⇒ Object
• #weak_ciphers ⇒ Object

Constructor Details

#initialize ⇒ Result

Returns a new instance of Result.

# File 'lib/rex/sslscan/result.rb', line 15

def initialize()
  @cert = nil
  @ciphers = Set.new
  @supported_versions = [:SSLv2, :SSLv3, :TLSv1, :TLSv1_1, :TLSv1_2]
  @deprecated_weak_ciphers = [
    'ECDHE-RSA-DES-CBC3-SHA',
    'ECDHE-ECDSA-DES-CBC3-SHA',
    'SRP-DSS-3DES-EDE-CBC-SHA',
    'SRP-RSA-3DES-EDE-CBC-SHA',
    'SRP-3DES-EDE-CBC-SHA',
    'EDH-RSA-DES-CBC3-SHA',
    'EDH-DSS-DES-CBC3-SHA',
    'ECDH-RSA-DES-CBC3-SHA',
    'ECDH-ECDSA-DES-CBC3-SHA',
    'DES-CBC3-SHA',
    'PSK-3DES-EDE-CBC-SHA',
    'EXP-EDH-RSA-DES-CBC-SHA',
    'EXP-EDH-DSS-DES-CBC-SHA',
    'EXP-DES-CBC-SHA',
    'EXP-RC2-CBC-MD5',
    'EXP-RC4-MD5',
    'EXP-RC4-MD5',
    'DES-CBC-SHA'
  ]
end

Instance Attribute Details

#ciphers ⇒ Object (readonly)

Returns the value of attribute ciphers.

# File 'lib/rex/sslscan/result.rb', line 12

def ciphers
  @ciphers
end

#openssl_sslv2 ⇒ Object

Returns the value of attribute openssl_sslv2.

# File 'lib/rex/sslscan/result.rb', line 10

def openssl_sslv2
  @openssl_sslv2
end

#supported_versions ⇒ Object (readonly)

Returns the value of attribute supported_versions.

# File 'lib/rex/sslscan/result.rb', line 13

def supported_versions
  @supported_versions
end

Instance Method Details

#accepted(version = :all) ⇒ Array

Returns all accepted ciphers matching the supplied version

Parameters:

• version (Symbol, Array) (defaults to: :all) —

  The SSL Version to filter on

Returns:

• (Array) —

  An array of accepted cipher details matching the supplied versions

Raises:

• (ArgumentError) —

  if the version supplied is invalid

# File 'lib/rex/sslscan/result.rb', line 76

def accepted(version = :all)
  enum_ciphers(:accepted, version)
end

#add_cipher(version, cipher, key_length, status) ⇒ Object

Adds the details of a cipher test to the Result object.

Parameters:

• version (Symbol) —

  the SSL Version

• cipher (String) —

  the SSL cipher

• key_length (Integer) —

  the length of encryption key

• status (Symbol) —

  :accepted or :rejected

# File 'lib/rex/sslscan/result.rb', line 143

def add_cipher(version, cipher, key_length, status)
  unless @supported_versions.include? version
    raise ArgumentError, "Must be a supported SSL Version"
  end
  unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include?(cipher) || @deprecated_weak_ciphers.include?(cipher)
    raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
  end
  unless key_length.kind_of? Integer
    raise ArgumentError, "Must supply a valid key length"
  end
  unless [:accepted, :rejected].include? status
    raise ArgumentError, "Status must be either :accepted or :rejected"
  end

  strong_cipher_ctx = OpenSSL::SSL::SSLContext.new(version)
  # OpenSSL Directive For Strong Ciphers
  # See: http://www.rapid7.com/vulndb/lookup/ssl-weak-ciphers
  strong_cipher_ctx.ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

  if strong_cipher_ctx.ciphers.flatten.include? cipher
    weak = false
  else
    weak = true
  end

  cipher_details = {:version => version, :cipher => cipher, :key_length => key_length, :weak => weak, :status => status}
  @ciphers << cipher_details
end

#cert ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 41

def cert
  @cert
end

#cert=(input) ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 45

def cert=(input)
  unless input.kind_of? OpenSSL::X509::Certificate or input.nil?
    raise ArgumentError, "Must be an X509 Cert!"
  end
  @cert = input
end

#each_accepted(version = :all) ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 88

def each_accepted(version = :all)
  accepted(version).each do |cipher_result|
    yield cipher_result
  end
end

#each_rejected(version = :all) ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 94

def each_rejected(version = :all)
  rejected(version).each do |cipher_result|
    yield cipher_result
  end
end

#rejected(version = :all) ⇒ Array

Returns all rejected ciphers matching the supplied version

Parameters:

• version (Symbol, Array) (defaults to: :all) —

  The SSL Version to filter on

Returns:

• (Array) —

  An array of rejected cipher details matching the supplied versions

Raises:

• (ArgumentError) —

  if the version supplied is invalid

# File 'lib/rex/sslscan/result.rb', line 84

def rejected(version = :all)
  enum_ciphers(:rejected, version)
end

#sslv2 ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 52

def sslv2
  @ciphers.reject{|cipher| cipher[:version] != :SSLv2 }
end

#sslv3 ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 56

def sslv3
  @ciphers.reject{|cipher| cipher[:version] != :SSLv3 }
end

#standards_compliant? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 128

def standards_compliant?
  if supports_ssl?
    return false if supports_sslv2?
    return false if supports_sslv3?
    return false if supports_weak_ciphers?
    return false if supports_tlsv1?
  end
  true
end

#strong_ciphers ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 68

def strong_ciphers
  accepted.reject{|cipher| cipher[:weak] }
end

#supports_ssl? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 120

def supports_ssl?
  supports_sslv2? or supports_sslv3? or supports_tlsv1? or supports_tlsv1_1? or supports_tlsv1_2?
end

#supports_sslv2? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 100

def supports_sslv2?
  !(accepted(:SSLv2).empty?)
end

#supports_sslv3? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 104

def supports_sslv3?
  !(accepted(:SSLv3).empty?)
end

#supports_tlsv1? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 108

def supports_tlsv1?
  !(accepted(:TLSv1).empty?)
end

#supports_tlsv1_1? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 112

def supports_tlsv1_1?
  !(accepted(:TLSv1_1).empty?)
end

#supports_tlsv1_2? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 116

def supports_tlsv1_2?
  !(accepted(:TLSv1_2).empty?)
end

#supports_weak_ciphers? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 124

def supports_weak_ciphers?
  !(weak_ciphers.empty?)
end

#tlsv1 ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 60

def tlsv1
  @ciphers.reject{|cipher| cipher[:version] != :TLSv1 }
end

#to_s ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 172

def to_s
  unless supports_ssl?
    return "Server does not appear to support SSL on this port!"
  end
  table = Rex::Text::Table.new(
    'Header'      => 'SSL Ciphers',
    'Indent'       => 1,
    'Columns'   => ['Status', 'Weak', 'SSL Version', 'Key Length', 'Cipher'],
    'SortIndex'  => -1
  )
  ciphers.each do |cipher|
    if cipher[:weak]
      weak = '*'
    else
      weak = ' '
    end
    table << [cipher[:status].to_s.capitalize, weak , cipher[:version], cipher[:key_length], cipher[:cipher]]
  end

  # Sort by SSL Version, then Key Length, and then Status
  table.rows.sort_by!{|row| [row[0],row[2],row[3]]}
  text = "#{table.to_s}"
  if @cert
    text << " \n\n #{@cert.to_text}"
  end
  if openssl_sslv2 == false
    text << "\n\n *** WARNING: Your OS hates freedom! Your OpenSSL libs are compiled without SSLv2 support!"
  end
  text
end

#weak_ciphers ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 64

def weak_ciphers
  accepted.reject{|cipher| cipher[:weak] == false }
end