forked from canada-ca/tracker
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathssl_scanner.py
More file actions
executable file
·345 lines (272 loc) · 10.8 KB
/
ssl_scanner.py
File metadata and controls
executable file
·345 lines (272 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
import os
import sys
import time
import requests
import logging
import json
import emoji
import asyncio
import traceback
import scapy
import datetime as dt
from enum import Enum
from multiprocessing import Process, Queue
from OpenSSL import SSL
from starlette.applications import Starlette
from starlette.routing import Route, Mount, WebSocketRoute
from starlette.responses import Response
from socket import gaierror
from sslyze.server_connectivity import ServerConnectivityTester
from sslyze.errors import ConnectionToServerFailed, ServerHostnameCouldNotBeResolved
from sslyze.plugins.scan_commands import ScanCommand
from sslyze.connection_helpers.tls_connection import SslConnection
from sslyze.scanner import Scanner, ServerScanRequest
from sslyze.server_setting import (
ServerNetworkLocation,
ServerNetworkLocationViaDirectConnection,
ServerNetworkConfiguration,
)
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
TIMEOUT = 80 # 80 second scan timeout
RES_QUEUE = Queue()
QUEUE_URL = os.getenv(
"RESULT_QUEUE_URL", "http://result-queue.scanners.svc.cluster.local"
)
OTS_QUEUE_URL = os.getenv(
"OTS_RESULT_QUEUE_URL", "http://ots-result-queue.scanners.svc.cluster.local"
)
DEST_URL = lambda ots : OTS_QUEUE_URL if ots else QUEUE_URL
class ScanTimeoutException(BaseException):
pass
class TlsVersionEnum(Enum):
"""SSL version constants. (Sourced from OpenSSL)"""
SSLV2 = 1
SSLV3 = 2
TLSV1 = 3
TLSV1_1 = 4
TLSV1_2 = 5
def dispatch_results(payload, client, ots):
client.post(DEST_URL(ots) + "/ssl", json=json.dumps(payload))
logging.info("Scan results dispatched to result queue")
def get_server_info(domain):
"""
Retrieve server connectivity info by performing a connection test
:param domain: Domain to be assessed
:return: Server connectivity information
"""
# Retrieve server information, look-up IP address
server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(
domain, 443
)
server_tester = ServerConnectivityTester()
logging.info(
f"Testing connectivity with {server_location.hostname}:{server_location.port}..."
)
# Test connection to server and retrieve info
server_info = server_tester.perform(server_location)
logging.info("Server Info %s\n" % server_info)
return server_info
def get_supported_tls(highest_supported, domain):
supported = [highest_supported]
for version, method in {
"SSL_2_0": TlsVersionEnum.SSLV2,
"SSL_3_0": TlsVersionEnum.SSLV3,
"TLS_1_0": TlsVersionEnum.TLSV1,
"TLS_1_1": TlsVersionEnum.TLSV1_1,
"TLS_1_2": TlsVersionEnum.TLSV1_2,
}.items():
# Only test SSL/TLS connections with lesser versions
if highest_supported == version:
break
try:
# Attempt connection
# If connection fails, exception will be raised, causing the failure to be
# logged and the version to not be appended to the supported list
ctx = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(
domain, 443
)
cfg = ServerNetworkConfiguration(domain)
connx = SslConnection(ctx, cfg, method, True)
connx.connect(domain)
supported.append(version)
except Exception as e:
logging.info(f"Failed to connect using %{version}: ({type(e)}) - {e}")
return supported
def scan_ssl(domain):
try:
server_info = get_server_info(domain)
highest_tls_supported = str(
server_info.tls_probing_result.highest_tls_version_supported
).split(".")[1]
tls_supported = get_supported_tls(highest_tls_supported, domain)
except ConnectionToServerFailed as e:
logging.error(f"Failed to connect to {domain}: {e}")
RES_QUEUE.put({})
return
except ServerHostnameCouldNotBeResolved as e:
logging.error(f"{domain} could not be resolved: {e}")
RES_QUEUE.put({})
return
except gaierror as e:
logging.error(f"Could not retrieve address info for {domain} {e}")
RES_QUEUE.put({})
return
scanner = Scanner()
designated_scans = set()
# Scan for common vulnerabilities, certificate info, elliptic curves
designated_scans.add(ScanCommand.OPENSSL_CCS_INJECTION)
designated_scans.add(ScanCommand.HEARTBLEED)
designated_scans.add(ScanCommand.CERTIFICATE_INFO)
designated_scans.add(ScanCommand.ELLIPTIC_CURVES)
# Test supported SSL/TLS
if "SSL_2_0" in tls_supported:
designated_scans.add(ScanCommand.SSL_2_0_CIPHER_SUITES)
elif "SSL_3_0" in tls_supported:
designated_scans.add(ScanCommand.SSL_3_0_CIPHER_SUITES)
elif "TLS_1_0" in tls_supported:
designated_scans.add(ScanCommand.TLS_1_0_CIPHER_SUITES)
elif "TLS_1_1" in tls_supported:
designated_scans.add(ScanCommand.TLS_1_1_CIPHER_SUITES)
elif "TLS_1_2" in tls_supported:
designated_scans.add(ScanCommand.TLS_1_2_CIPHER_SUITES)
elif "TLS_1_3" in tls_supported:
designated_scans.add(ScanCommand.TLS_1_3_CIPHER_SUITES)
scan_request = ServerScanRequest(
server_info=server_info, scan_commands=designated_scans
)
scanner.start_scans([scan_request])
# Wait for asynchronous scans to complete
# get_results() returns a generator with a single "ServerScanResult". We only want that object
scan_results = [x for x in scanner.get_results()][0]
logging.info("Scan results retrieved from generator")
res = {
"TLS": {
"supported": tls_supported,
"accepted_cipher_list": [],
"rejected_cipher_list": [],
}
}
# Parse scan results for required info
for name, result in scan_results.scan_commands_results.items():
# If CipherSuitesScanResults
if name.endswith("suites"):
logging.info("Parsing Cipher Suite Scan results...")
for c in result.accepted_cipher_suites:
res["TLS"]["accepted_cipher_list"].append(c.cipher_suite.name)
for c in result.rejected_cipher_suites:
res["TLS"]["rejected_cipher_list"].append(c.cipher_suite.name)
elif name == "openssl_ccs_injection":
logging.info("Parsing OpenSSL CCS Injection Vulnerability Scan results...")
res[
"is_vulnerable_to_ccs_injection"
] = result.is_vulnerable_to_ccs_injection
elif name == "heartbleed":
logging.info("Parsing Heartbleed Vulnerability Scan results...")
res["is_vulnerable_to_heartbleed"] = result.is_vulnerable_to_heartbleed
elif name == "certificate_info":
logging.info("Parsing Certificate Info Scan results...")
try:
res["signature_algorithm"] = (
result.certificate_deployments[0]
.verified_certificate_chain[0]
.signature_hash_algorithm.__class__.__name__
)
except TypeError:
res["signature_algorithm"] = None
else:
logging.info("Parsing Elliptic Curve Scan results...")
res["supports_ecdh_key_exchange"] = result.supports_ecdh_key_exchange
res["supported_curves"] = []
if result.supported_curves is not None:
for curve in result.supported_curves:
res["supported_curves"].append(curve.name)
RES_QUEUE.put(res)
def process_results(results):
logging.info("Processing SSL scan results...")
report = {}
if results == {}:
report = {"error": "unreachable"}
else:
for version in [
"SSL_2_0",
"SSL_3_0",
"TLS_1_0",
"TLS_1_1",
"TLS_1_2",
"TLS_1_3",
]:
if version in results["TLS"]["supported"]:
report[version] = True
else:
report[version] = False
report["cipher_list"] = results["TLS"]["accepted_cipher_list"]
report["signature_algorithm"] = results.get("signature_algorithm", "unknown")
report["heartbleed"] = results.get("is_vulnerable_to_heartbleed", False)
report["openssl_ccs_injection"] = results.get(
"is_vulnerable_to_ccs_injection", False
)
report["supports_ecdh_key_exchange"] = results.get(
"supports_ecdh_key_exchange", False
)
report["supported_curves"] = results.get("supported_curves", [])
logging.info(f"Processed SSL scan results: {str(report)}")
return report
def Server(server_client=requests):
def wait_timeout(proc, seconds):
proc.start()
start = time.time()
end = start + seconds
interval = min(seconds / 1000.0, .25)
while True:
result = proc.is_alive()
if not result:
proc.join()
return
if time.time() >= end:
proc.terminate()
proc.join()
logging.error("Timeout while scanning")
raise ScanTimeoutException("Scan timed out")
time.sleep(interval)
async def scan(scan_request):
logging.info("Scan request received")
inbound_payload = await scan_request.json()
start_time = dt.datetime.now()
try:
domain = inbound_payload["domain"]
user_key = inbound_payload["user_key"]
domain_key = inbound_payload["domain_key"]
shared_id = inbound_payload["shared_id"]
except KeyError:
logging.error(f"Invalid scan request format received: {str(inbound_payload)}")
return Response("Invalid Format", status_code=400)
logging.info("Performing scan...")
p = Process(target=scan_ssl, args=(domain,))
wait_timeout(p, TIMEOUT)
scan_results = RES_QUEUE.get()
processed_results = process_results(scan_results)
outbound_payload = {
"results": processed_results,
"scan_type": "ssl",
"user_key": user_key,
"domain_key": domain_key,
"shared_id": shared_id
}
logging.info(f"Scan results: {str(scan_results)}")
end_time = dt.datetime.now()
elapsed_time = end_time - start_time
dispatch_results(outbound_payload, server_client, (user_key is not None))
logging.info(f"SSL scan completed in {elapsed_time.total_seconds()} seconds.")
return Response("Scan completed")
async def startup():
logging.info(emoji.emojize("ASGI server started :rocket:"))
async def shutdown():
logging.info(emoji.emojize("ASGI server shutting down..."))
routes = [
Route("/", scan, methods=["POST"]),
]
starlette_app = Starlette(
debug=True, routes=routes, on_startup=[startup], on_shutdown=[shutdown]
)
return starlette_app
app = Server()