Class: Rex::SSLScan::Result

Inherits:

Object

• Object
• Rex::SSLScan::Result

Defined in:

lib/rex/sslscan/result.rb

Instance Attribute Summary

• #ciphers ⇒ Object readonly

  Returns the value of attribute ciphers.

• #openssl_sslv2 ⇒ Object

  Returns the value of attribute openssl_sslv2.

• #supported_versions ⇒ Object readonly

  Returns the value of attribute supported_versions.

Instance Method Summary

• #accepted(version = :all) ⇒ Array

  Returns all accepted ciphers matching the supplied version.

• #add_cipher(version, cipher, key_length, status) ⇒ Object

  Adds the details of a cipher test to the Result object.

• #cert ⇒ Object
• #cert=(input) ⇒ Object
• #each_accepted(version = :all) ⇒ Object
• #each_rejected(version = :all) ⇒ Object
• #initialize ⇒ Result constructor

  A new instance of Result.

• #rejected(version = :all) ⇒ Array

  Returns all rejected ciphers matching the supplied version.

• #sslv2 ⇒ Object
• #sslv3 ⇒ Object
• #standards_compliant? ⇒ Boolean
• #strong_ciphers ⇒ Object
• #supports_ssl? ⇒ Boolean
• #supports_sslv2? ⇒ Boolean
• #supports_sslv3? ⇒ Boolean
• #supports_tlsv1? ⇒ Boolean
• #supports_weak_ciphers? ⇒ Boolean
• #tlsv1 ⇒ Object
• #to_s ⇒ Object
• #weak_ciphers ⇒ Object

Constructor Details

#initialize ⇒ Result

Returns a new instance of Result.

# File 'lib/rex/sslscan/result.rb', line 14

def initialize()
  @cert = nil
  @ciphers = Set.new
  @supported_versions = [:SSLv2, :SSLv3, :TLSv1]
end

Instance Attribute Details

#ciphers ⇒ Object (readonly)

Returns the value of attribute ciphers.

# File 'lib/rex/sslscan/result.rb', line 11

def ciphers
  @ciphers
end

#openssl_sslv2 ⇒ Object

Returns the value of attribute openssl_sslv2.

# File 'lib/rex/sslscan/result.rb', line 9

def openssl_sslv2
  @openssl_sslv2
end

#supported_versions ⇒ Object (readonly)

Returns the value of attribute supported_versions.

# File 'lib/rex/sslscan/result.rb', line 12

def supported_versions
  @supported_versions
end

Instance Method Details

#accepted(version = :all) ⇒ Array

Returns all accepted ciphers matching the supplied version

Parameters:

• version (Symbol, Array) (defaults to: :all) —

  The SSL Version to filter on

Returns:

• (Array) —

  An array of accepted cipher details matching the supplied versions

Raises:

• (ArgumentError) —

  if the version supplied is invalid

# File 'lib/rex/sslscan/result.rb', line 55

def accepted(version = :all)
  enum_ciphers(:accepted, version)
end

#add_cipher(version, cipher, key_length, status) ⇒ Object

Adds the details of a cipher test to the Result object.

Parameters:

• version (Symbol) —

  the SSL Version

• cipher (String) —

  the SSL cipher

• key_length (Fixnum) —

  the length of encryption key

• status (Symbol) —

  :accepted or :rejected

# File 'lib/rex/sslscan/result.rb', line 112

def add_cipher(version, cipher, key_length, status)
  unless @supported_versions.include? version
    raise ArgumentError, "Must be a supported SSL Version"
  end
  unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
    raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
  end
  unless key_length.kind_of? Fixnum
    raise ArgumentError, "Must supply a valid key length"
  end
  unless [:accepted, :rejected].include? status
    raise ArgumentError, "Status must be either :accepted or :rejected"
  end

  strong_cipher_ctx = OpenSSL::SSL::SSLContext.new(version)
  # OpenSSL Directive For Strong Ciphers
  # See: http://www.rapid7.com/vulndb/lookup/ssl-weak-ciphers
  strong_cipher_ctx.ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

  if strong_cipher_ctx.ciphers.flatten.include? cipher
    weak = false
  else
    weak = true
  end

  cipher_details = {:version => version, :cipher => cipher, :key_length => key_length, :weak => weak, :status => status}
  @ciphers << cipher_details
end

#cert ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 20

def cert
  @cert
end

#cert=(input) ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 24

def cert=(input)
  unless input.kind_of? OpenSSL::X509::Certificate or input.nil?
    raise ArgumentError, "Must be an X509 Cert!"
  end
  @cert = input
end

#each_accepted(version = :all) ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 67

def each_accepted(version = :all)
  accepted(version).each do |cipher_result|
    yield cipher_result
  end
end

#each_rejected(version = :all) ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 73

def each_rejected(version = :all)
  rejected(version).each do |cipher_result|
    yield cipher_result
  end
end

#rejected(version = :all) ⇒ Array

Returns all rejected ciphers matching the supplied version

Parameters:

• version (Symbol, Array) (defaults to: :all) —

  The SSL Version to filter on

Returns:

• (Array) —

  An array of rejected cipher details matching the supplied versions

Raises:

• (ArgumentError) —

  if the version supplied is invalid

# File 'lib/rex/sslscan/result.rb', line 63

def rejected(version = :all)
  enum_ciphers(:rejected, version)
end

#sslv2 ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 31

def sslv2
  @ciphers.reject{|cipher| cipher[:version] != :SSLv2 }
end

#sslv3 ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 35

def sslv3
  @ciphers.reject{|cipher| cipher[:version] != :SSLv3 }
end

#standards_compliant? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 99

def standards_compliant?
  if supports_ssl?
    return false if supports_sslv2?
    return false if supports_weak_ciphers?
  end
  true
end

#strong_ciphers ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 47

def strong_ciphers
  accepted.reject{|cipher| cipher[:weak] }
end

#supports_ssl? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 91

def supports_ssl?
  supports_sslv2? or supports_sslv3? or supports_tlsv1?
end

#supports_sslv2? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 79

def supports_sslv2?
  !(accepted(:SSLv2).empty?)
end

#supports_sslv3? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 83

def supports_sslv3?
  !(accepted(:SSLv3).empty?)
end

#supports_tlsv1? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 87

def supports_tlsv1?
  !(accepted(:TLSv1).empty?)
end

#supports_weak_ciphers? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rex/sslscan/result.rb', line 95

def supports_weak_ciphers?
  !(weak_ciphers.empty?)
end

#tlsv1 ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 39

def tlsv1
  @ciphers.reject{|cipher| cipher[:version] != :TLSv1 }
end

#to_s ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 141

def to_s
  unless supports_ssl?
    return "Server does not appear to support SSL on this port!"
  end
  table = Rex::Ui::Text::Table.new(
    'Header'      => 'SSL Ciphers',
    'Indent'       => 1,
    'Columns'   => ['Status', 'Weak', 'SSL Version', 'Key Length', 'Cipher'],
    'SortIndex'  => -1
  )
  ciphers.each do |cipher|
    if cipher[:weak]
      weak = '*'
    else
      weak = ' '
    end
    table << [cipher[:status].to_s.capitalize, weak , cipher[:version], cipher[:key_length], cipher[:cipher]]
  end

  # Sort by SSL Version, then Key Length, and then Status
  table.rows.sort_by!{|row| [row[0],row[2],row[3]]}
  text = "#{table.to_s}"
  if @cert
    text << " \n\n #{@cert.to_text}"
  end
  if openssl_sslv2 == false
    text << "\n\n *** WARNING: Your OS hates freedom! Your OpenSSL libs are compiled without SSLv2 support!"
  end
  text
end

#weak_ciphers ⇒ Object

# File 'lib/rex/sslscan/result.rb', line 43

def weak_ciphers
  accepted.reject{|cipher| cipher[:weak] == false }
end