infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More support for various checks

bug/bundler_fix
David Maloney 2013-02-08 13:25:49 -06:00
parent dfc7ce9381
commit 3295157f78
2 changed files with 236 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
lib/rex/sslscan/result.rb
View File

@ -28,32 +28,20 @@ class Result
@ciphers.reject{|cipher| cipher[:version] != :SSLv2 }
end
def add_cipher(version, cipher, key_length, status)
unless @supported_versions.include? version
raise ArgumentError, "Must be a supported SSL Version"
end
unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
end
unless key_length.kind_of? Fixnum
raise ArgumentError, "Must supply a valid key length"
end
unless [:accepted, :rejected].include? status
raise ArgumentError, "status Must be either :accepted or :rejected"
end
def sslv3
@ciphers.reject{|cipher| cipher[:version] != :SSLv3 }
end
strong_cipher_ctx = OpenSSL::SSL::SSLContext.new(version)
strong_cipher_ctx.ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
if strong_cipher_ctx.ciphers.flatten.include? cipher
weak = false
else
weak = true
end
def tlsv1
@ciphers.reject{|cipher| cipher[:version] != :TLSv1 }
end
cipher_details = {:version => version, :cipher => cipher, :key_length => key_length, :weak => weak, :status => status}
@ciphers << cipher_details
@ciphers.uniq!
def weak_ciphers
@ciphers.reject{|cipher| cipher[:weak] == false }
end
def strong_ciphers
@ciphers.reject{|cipher| cipher[:weak] }
end
def accepted(version = :all)
@ -67,7 +55,7 @@ class Result
raise ArgumentError, "Invalid SSL Version Supplied: #{version}"
end
elsif version.kind_of? Array
version.reject!{|version| @supported_versions.include? version}
version.reject!{|v| !(@supported_versions.include? v)}
if version.empty?
return @ciphers.reject{|cipher| cipher[:status] == :rejected}
else
@ -89,7 +77,7 @@ class Result
raise ArgumentError, "Invalid SSL Version Supplied: #{version}"
end
elsif version.kind_of? Array
version.reject!{|version| @supported_versions.include? version}
version.reject!{|v| !(@supported_versions.include? v)}
if version.empty?
return @ciphers.reject{|cipher| cipher[:status] == :accepted}
else
@ -127,5 +115,45 @@ class Result
def supports_ssl?
supports_sslv2? or supports_sslv3? or supports_tlsv1?
end
def supports_weak_ciphers?
!(weak_ciphers.empty?)
end
def standards_compliant?
if supports_ssl?
return false if supports_sslv2?
return false if supports_weak_ciphers?
end
true
end
def add_cipher(version, cipher, key_length, status)
unless @supported_versions.include? version
raise ArgumentError, "Must be a supported SSL Version"
end
unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher
raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
end
unless key_length.kind_of? Fixnum
raise ArgumentError, "Must supply a valid key length"
end
unless [:accepted, :rejected].include? status
raise ArgumentError, "status Must be either :accepted or :rejected"
end
strong_cipher_ctx = OpenSSL::SSL::SSLContext.new(version)
strong_cipher_ctx.ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
if strong_cipher_ctx.ciphers.flatten.include? cipher
weak = false
else
weak = true
end
cipher_details = {:version => version, :cipher => cipher, :key_length => key_length, :weak => weak, :status => status}
@ciphers << cipher_details
@ciphers.uniq!
end
end
end

198
spec/lib/rex/sslscan/result_spec.rb
View File

@ -6,6 +6,19 @@ describe Rex::SSLScan::Result do
it { should respond_to :cert }
it { should respond_to :ciphers }
it { should respond_to :sslv2 }
it {should respond_to :sslv3 }
it {should respond_to :tlsv1 }
it {should respond_to :accepted }
it {should respond_to :rejected }
it {should respond_to :weak_ciphers }
it {should respond_to :strong_ciphers }
it {should respond_to :supports_sslv2? }
it {should respond_to :supports_sslv3? }
it {should respond_to :supports_tlsv1? }
it {should respond_to :supports_ssl? }
it {should respond_to :supports_weak_ciphers? }
it {should respond_to :standards_compliant? }
context "with no values set" do
it "should return nil for the cert" do
@ -23,6 +36,50 @@ describe Rex::SSLScan::Result do
it "should return an empty array for rejected" do
subject.rejected.should == []
end
it "should return an empty array for #sslv2" do
subject.sslv2.should == []
end
it "should return an empty array for #sslv3" do
subject.sslv3.should == []
end
it "should return an empty array for #tlsv1" do
subject.sslv2.should == []
end
it "should return an empty array for #weak_ciphers" do
subject.weak_ciphers.should == []
end
it "should return an empty array for #strong_ciphers" do
subject.strong_ciphers.should == []
end
it "should return false for #supports_ssl?" do
subject.supports_ssl?.should == false
end
it "should return false for #supports_ssl?v2" do
subject.supports_sslv2?.should == false
end
it "should return false for #supports_sslv3?" do
subject.supports_sslv3?.should == false
end
it "should return false for #supports_tlsv1?" do
subject.supports_tlsv1?.should == false
end
it "should return false for #supports_weak_ciphers?" do
subject.supports_weak_ciphers?.should == false
end
it "should return true for #standards_compliant?" do
subject.standards_compliant?.should == true
end
end
context "setting the cert" do
@ -194,18 +251,52 @@ describe Rex::SSLScan::Result do
subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted)
end
it "should return an array of cipher detail hashes" do
subject.each_accepted do |cipher_details|
cipher_details.should include(:version, :cipher, :key_length, :status, :weak)
context "with no version selected" do
it "should return an array of cipher detail hashes" do
subject.each_accepted do |cipher_details|
cipher_details.should include(:version, :cipher, :key_length, :status, :weak)
end
end
it "should return all of the accepted cipher details" do
count = 0
subject.each_accepted do |cipher_details|
count = count+1
end
count.should == 4
end
end
it "should return all of the accepted cipher details" do
count = 0
subject.each_accepted do |cipher_details|
count = count+1
context "when specifying one SSL version" do
it "should raise an exception if not given a symbol" do
expect{ subject.each_accepted('sslv2')}.to raise_error
end
it "should raise an exception if given an invalid SSL version" do
expect{ subject.each_accepted(:TLSv3)}.to raise_error
end
it "should return only ciphers matching the version" do
subject.each_accepted(:SSLv2) do |cipher_details|
cipher_details[:version].should == :SSLv2
end
end
end
context "when specifying multiple SSL Versions in an array" do
it "should return all versions if no valid versions were supplied" do
count = 0
subject.each_accepted([:TLSv3, :TLSv4]) do |cipher_details|
count = count+1
end
count.should == 4
end
it "should return only the ciphers for the specified version" do
subject.each_accepted([:SSLv3,:TLSv1]) do |cipher_details|
cipher_details[:version].should_not == :SSLv2
end
end
count.should == 4
end
end
@ -217,18 +308,52 @@ describe Rex::SSLScan::Result do
subject.add_cipher(:SSLv3, "AES128-SHA", 128, :rejected)
end
it "should return an array of cipher detail hashes" do
subject.each_rejected do |cipher_details|
cipher_details.should include(:version, :cipher, :key_length, :status, :weak)
context "with no version selected" do
it "should return an array of cipher detail hashes" do
subject.each_rejected do |cipher_details|
cipher_details.should include(:version, :cipher, :key_length, :status, :weak)
end
end
it "should return all of the rejected cipher details" do
count = 0
subject.each_rejected do |cipher_details|
count = count+1
end
count.should == 4
end
end
it "should return all of the rejected cipher details" do
count = 0
subject.each_rejected do |cipher_details|
count = count+1
context "when specifying one SSL version" do
it "should raise an exception if not given a symbol" do
expect{ subject.each_rejected('sslv2')}.to raise_error
end
it "should raise an exception if given an invalid SSL version" do
expect{ subject.each_rejected(:TLSv3)}.to raise_error
end
it "should return only ciphers matching the version" do
subject.each_rejected(:SSLv2) do |cipher_details|
cipher_details[:version].should == :SSLv2
end
end
end
context "when specifying multiple SSL Versions in an array" do
it "should return all versions if no valid versions were supplied" do
count = 0
subject.each_rejected([:TLSv3, :TLSv4]) do |cipher_details|
count = count+1
end
count.should == 4
end
it "should return only the ciphers for the specified version" do
subject.each_rejected([:SSLv3,:TLSv1]) do |cipher_details|
cipher_details[:version].should_not == :SSLv2
end
end
count.should == 4
end
end
@ -271,4 +396,45 @@ describe Rex::SSLScan::Result do
end
end
context "checking for weak ciphers" do
context "when weak ciphers are supported" do
before(:each) do
subject.add_cipher(:SSLv2, "DES-CBC-MD5", 56, :accepted)
subject.add_cipher(:SSLv2, "EXP-RC2-CBC-MD5", 40, :accepted)
end
it "should return an array of weak ciphers from #weak_ciphers" do
weak = subject.weak_ciphers
weak.class.should == Array
weak.each do |cipher|
cipher[:weak].should == true
end
weak.count.should == 2
end
it "should return true from #supports_weak_ciphers" do
subject.supports_weak_ciphers?.should == true
end
end
context "when no weak ciphers are supported" do
before(:each) do
subject.add_cipher(:SSLv2, "DES-CBC3-MD5", 168, :accepted)
subject.add_cipher(:SSLv3, "AES256-SHA", 256, :accepted)
subject.add_cipher(:TLSv1, "AES256-SHA", 256, :accepted)
subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted)
end
it "should return an empty array from #weak_ciphers" do
subject.weak_ciphers.should == []
end
it "should return false from #supports_weak_ciphers" do
subject.supports_weak_ciphers?.should == false
end
end
end
context "checking for standards compliance" do
end
end