From e9d84953d4a0d2ffac33a01598563bfe03c6a104 Mon Sep 17 00:00:00 2001 From: Maciej Mionskowski Date: Thu, 26 Oct 2023 13:58:03 +0200 Subject: [PATCH 1/2] feat: allow cipher enumeration in SSL protocol --- pkg/protocols/ssl/ssl.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkg/protocols/ssl/ssl.go b/pkg/protocols/ssl/ssl.go index 5fc16f0777..12055a024b 100644 --- a/pkg/protocols/ssl/ssl.go +++ b/pkg/protocols/ssl/ssl.go @@ -76,6 +76,14 @@ type Request struct { // - "auto" // - "openssl" # reverts to "auto" is openssl is not installed ScanMode string `yaml:"scan_mode,omitempty" json:"scan_mode,omitempty" jsonschema:"title=Scan Mode,description=Scan Mode - auto if not specified.,enum=ctls,enum=ztls,enum=auto"` + // description: | + // TLS Versions Enum - false if not specified + // Enumerates supported TLS versions + TLSVersionsEnum bool `yaml:"tls_versions_enum,omitempty" json:"tls_versions_enum,omitempty" jsonschema:"title=Enumerate Versions,description=Enumerate Version - false if not specified"` + // description: | + // TLS Ciphers Enum - false if not specified + // Enumerates supported TLS ciphers + TLSCiphersEnum bool `yaml:"tls_ciphers_enum,omitempty" json:"tls_ciphers_enum,omitempty" jsonschema:"title=Enumerate Ciphers,description=Enumerate Ciphers - false if not specified"` // cache any variables that may be needed for operation. dialer *fastdialer.Dialer @@ -133,6 +141,8 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error { ClientHello: true, ServerHello: true, DisplayDns: true, + TlsVersionsEnum: request.TLSVersionsEnum, + TlsCiphersEnum: request.TLSCiphersEnum, } tlsxService, err := tlsx.New(tlsxOptions) From 2c40c2fd8fc1e9b40605f133fb4dec44068efe4b Mon Sep 17 00:00:00 2001 From: Tarun Koyalwar Date: Thu, 16 Nov 2023 20:04:51 +0530 Subject: [PATCH 2/2] cipher enum improvements --- pkg/protocols/ssl/ssl.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkg/protocols/ssl/ssl.go b/pkg/protocols/ssl/ssl.go index 12055a024b..250eff5ab6 100644 --- a/pkg/protocols/ssl/ssl.go +++ b/pkg/protocols/ssl/ssl.go @@ -84,6 +84,14 @@ type Request struct { // TLS Ciphers Enum - false if not specified // Enumerates supported TLS ciphers TLSCiphersEnum bool `yaml:"tls_ciphers_enum,omitempty" json:"tls_ciphers_enum,omitempty" jsonschema:"title=Enumerate Ciphers,description=Enumerate Ciphers - false if not specified"` + // description: | + // TLS Cipher types to enumerate + // values: + // - "insecure" (default) + // - "weak" + // - "secure" + // - "all" + TLSCipherTypes []string `yaml:"tls_cipher_types,omitempty" json:"tls_cipher_types,omitempty" jsonschema:"title=TLS Cipher Types,description=TLS Cipher Types to enumerate,enum=weak,enum=secure,enum=insecure,enum=all"` // cache any variables that may be needed for operation. dialer *fastdialer.Dialer @@ -123,6 +131,14 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error { // if openssl is not installed instead of failing "auto" scanmode is used request.ScanMode = "auto" } + if request.TLSCiphersEnum { + // cipher enumeration requires tls version enumeration first + request.TLSVersionsEnum = true + } + if request.TLSCiphersEnum && len(request.TLSCipherTypes) == 0 { + // by default only look for insecure ciphers + request.TLSCipherTypes = []string{"insecure"} + } tlsxOptions := &clients.Options{ AllCiphers: true, @@ -143,6 +159,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error { DisplayDns: true, TlsVersionsEnum: request.TLSVersionsEnum, TlsCiphersEnum: request.TLSCiphersEnum, + TLsCipherLevel: request.TLSCipherTypes, } tlsxService, err := tlsx.New(tlsxOptions)