While Nessus is a wonderful vulnerability scanner, it is sometimes too slow and resource-heavy for checking individual issues. The following two equivalent scripts perform the checks of these SSL-related Nessus plugins: 20007, 26928 and 31705 (10863+21643).
The first is the curl version:
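#!/bin/bash
# phaas at redspin.com: Never use a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)
#
# Usage: <script> website {port}      (port defaults to 443)
#
# Prints one line if SSLv2 is accepted and one line per weak cipher
# (LOW, EXP, eNULL, aNULL) that the server accepts, using curl as the client.
#
# Reading the output: a finding is printed only when curl exits 0. A timeout
# (-m1 allows one second), a DNS or connection failure, and a protocol or
# cipher that the local curl/TLS library cannot offer all look exactly like
# "not supported by the server". An empty report is therefore not proof that
# the server is clean; confirm with a client build that still ships these
# legacy protocols and ciphers.
if [ "$#" -lt 1 ]
then
  echo "List SSL Weakness present for a given website"
  echo "Usage: ${0##*/} website {port}"
  exit 1
fi
web=$1          # always set here: the argument check above already ran
port=${2-443}
target="$web:$port"

# Check for the insecure SSLv2 version
# NOTE(review): this relies on the local TLS library accepting "sslv2" as a
# cipher-list keyword; confirm against the curl build in use.
if curl -m1 -Ik "https://$target" --ciphers sslv2 &> /dev/null; then
  printf '%s\n' "$target: (ssl2) Weak SSLv2 encryption enabled"
fi

# Enumerate weak SSL ciphers using curl
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
cipher_list=$(openssl ciphers -v "$ciphers")
if [[ -z "$cipher_list" ]]; then
  # Without a local cipher list the loop below would silently test nothing.
  echo "Local openssl lists no ciphers for '$ciphers'; nothing can be tested from this host" >&2
  exit 2
fi

# Read the list line by line on fd 3 instead of changing IFS for the whole
# script; read's default splitting also squeezes the column padding.
while read -r -u 3 cipher proto details; do
  [[ -n "$cipher" ]] || continue
  # Quote the character classes so the shell cannot glob-expand them.
  version=$(printf '%s\n' "$proto" | tr '[:upper:]' '[:lower:]')
  auth=$(printf '%s\n' "$details" | grep -o 'Au=[^ ]*' | cut -d'=' -f2)
  # Drop the key-exchange field first so its "(bits)" suffix is not mistaken
  # for the cipher strength.
  strength=$(printf '%s\n' "$details" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()')
  if [[ "$auth" == 'None' ]]; then auth="no"; fi
  if [[ -z "$strength" ]]; then
    strength="without encryption"
  else
    strength="at $strength bit encryption"
  fi
  #echo "curl -m1 -Ik https://$target --ciphers $cipher --$version &> /dev/null"
  # curl's protocol selectors are long options (--sslv3, --tlsv1, ...). With a
  # single dash curl reads the word as a cluster of one-letter options, which
  # does not select the protocol for the tlsv* values.
  if curl -m1 -Ik "https://$target" --ciphers "$cipher" "--$version" &> /dev/null; then
    printf '%s\n' "$target: ($version) $cipher = Supported $strength with $auth authentication support"
  fi
done 3<<< "$cipher_list"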
And the following is the openssl version:
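#!/bin/bash
# phaas at redspin.com: Never use a 'sh when a bash is necessary
# Checks the Equivalent of Nessus Plugin 20007, 26928 and 31705 (10863+21643)
#
# Usage: <script> website {port}      (port defaults to 443)
#
# Prints one line if SSLv2 is accepted and one line per weak cipher
# (LOW, EXP, eNULL, aNULL) that the server accepts, using openssl s_client.
#
# Reading the output: a finding is printed only when s_client completes a
# handshake. OpenSSL builds without SSLv2 or export-cipher support reject the
# corresponding options, and that failure looks exactly like "not supported by
# the server". An empty report is therefore not proof that the server is
# clean; confirm with a client build that still ships these legacy protocols
# and ciphers.
if [ "$#" -lt 1 ]
then
  echo "List SSL Weakness present for a given website"
  echo "Usage: ${0##*/} website {port}"
  exit 1
fi
web=$1          # always set here: the argument check above already ran
port=${2-443}
target="$web:$port"

# Check for the insecure SSLv2 version
# stderr is discarded, so a local build that rejects -ssl2 is reported the
# same way as a server that refuses SSLv2.
sslv2=$(echo -e '' | openssl s_client -connect "$target" -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep -i 'SSLv2')
if [ -n "$sslv2" ]; then
  printf '%s\n' "$target: (ssl2) Weak SSLv2 encryption enabled"
fi

# Enumerate weak SSL ciphers using openssl
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
cipher_list=$(openssl ciphers -v "$ciphers")
if [[ -z "$cipher_list" ]]; then
  # Without a local cipher list the loop below would silently test nothing.
  echo "Local openssl lists no ciphers for '$ciphers'; nothing can be tested from this host" >&2
  exit 2
fi

# Read the list on fd 3 so s_client's own stdin handling cannot consume it,
# and so IFS does not have to be changed for the whole script.
while read -r -u 3 cipher proto details; do
  [[ -n "$cipher" ]] || continue
  # Quote the character classes so the shell cannot glob-expand them.
  version=$(printf '%s\n' "$proto" | tr '[:upper:]' '[:lower:]' | tr -d 'v')
  # s_client spells minor versions with an underscore (-tls1_2), while the
  # cipher list prints a dot (TLSv1.2); keep $version for display only.
  proto_flag=${version//./_}
  auth=$(printf '%s\n' "$details" | grep -o 'Au=[^ ]*' | cut -d'=' -f2)
  # Drop the key-exchange field first so its "(bits)" suffix is not mistaken
  # for the cipher strength.
  strength=$(printf '%s\n' "$details" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()')
  if [[ "$auth" == 'None' ]]; then auth="no"; fi
  if [[ -z "$strength" ]]; then
    strength="without encryption"
  else
    strength="at $strength bit encryption"
  fi
  #echo "openssl s_client -connect $target -$proto_flag -cipher $cipher"
  # s_client prints DONE once the handshake has completed and stdin hits EOF.
  supported=$(echo "" | openssl s_client -connect "$target" "-$proto_flag" -cipher "$cipher" 2>&1 | grep DONE)
  if [[ -n "$supported" ]]; then
    printf '%s\n' "$target: ($version) $cipher = Supported $strength with $auth authentication support"
  fi
done 3<<< "$cipher_list"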
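I decided to include both because, while openssl is usually installed by default on most Linux distributions, curl is easier to obtain on Windows machines. Both scripts can only test what the local curl or openssl build is itself able to offer, so a client built without SSLv2 or export-cipher support will report nothing even against a weak server.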
Credit to Paul Haas and Jason Haddix from the Redspin Engineering Team.