
Recently at work I keep running into SSL/TLS-class vulnerabilities reported by scanning tools, so I went through what is available online about the causes of these vulnerabilities and how to verify them, and summarised it here for future reference.
The scanner findings look like this:
- SSL/TLS Bar Mitzvah attack vulnerability (CVE-2015-2808) [principle-based scan]
- SSL/TLS RC4 information disclosure vulnerability (CVE-2013-2566) [principle-based scan]
This article mainly draws on: https://www.cnblogs.com/nul1/p/11233607.html
What are TLS and SSL?
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption provide communication security (transport encryption) over the Internet and protect network traffic and privacy, for uses such as the web, e-mail, instant messaging (IM) and some virtual private networks (VPNs).
TLS security configuration therefore matters, and it is worth spending time learning how to identify the common vulnerabilities and misconfigurations.
TLS / SSL security testing tools
The tests use a powerful tool, testssl.sh, which covers all the checks needed for a TLS and SSL assessment.
You can install the latest version of testssl.sh by cloning its git repository:
git clone https://github.com/drwetter/testssl.sh.git

```text
root@kali:~/testssl.sh# ./testssl.sh

     "testssl.sh [options] <URI>"    or    "testssl.sh <options>"

"testssl.sh <options>", where <options> is:

     --help                        what you're looking at
     -b, --banner                  displays banner + version of testssl.sh
     -v, --version                 same as previous
     -V, --local                   pretty print all local ciphers
     -V, --local <pattern>         which local ciphers with <pattern> are available?
                                   If pattern is not a number: word match
     <pattern> is always an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits

"testssl.sh <URI>", where <URI> is:

     <URI>                         host|host:port|URL|URL:port port 443 is default, URL can only contain HTTPS protocol)

"testssl.sh [options] <URI>", where [options] is:

     -t, --starttls <protocol>     Does a default run against a STARTTLS enabled <protocol,
                                   protocol is <ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres|mysql>
     --xmpphost <to_domain>        For STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
     --mx <domain/host>            Tests MX records from high to low priority (STARTTLS, port 25)
     --file/-iL <fname>            Mass testing option: Reads one testssl.sh command line per line from <fname>.
                                   Can be combined with --serial or --parallel. Implicitly turns on "--warnings batch".
                                   Text format 1: Comments via # allowed, EOF signals end of <fname>
                                   Text format 2: nmap output in greppable format (-oG), 1 port per line allowed
     --mode <serial|parallel>      Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
     --warnings <batch|off>        "batch" doesn't continue when a testing error is encountered, off continues and skips warnings
     --connect-timeout <seconds>   useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return
     --openssl-timeout <seconds>   useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated

single check as <options>  ("testssl.sh URI" does everything except -E and -g):

     -e, --each-cipher             checks each local cipher remotely
     -E, --cipher-per-proto        checks those per protocol
     -s, --std, --standard         tests certain lists of cipher suites by strength
     -p, --protocols               checks TLS/SSL protocols (including SPDY/HTTP2)
     -g, --grease                  tests several server implementation bugs like GREASE and size limitations
     -S, --server-defaults         displays the server's default picks and certificate info
     -P, --server-preference       displays the server's picks: protocol+cipher
     -x, --single-cipher <pattern> tests matched <pattern> of ciphers
                                   (if <pattern> not a number: word match)
     -c, --client-simulation       test client simulations, see which client negotiates with cipher and protocol
     -h, --header, --headers       tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
     -U, --vulnerable              tests all (of the following) vulnerabilities (if applicable)
     -H, --heartbleed              tests for Heartbleed vulnerability
     -I, --ccs, --ccs-injection    tests for CCS injection vulnerability
     -T, --ticketbleed             tests for Ticketbleed vulnerability in BigIP loadbalancers
     -BB, --robot                  tests for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability
     -R, --renegotiation           tests for renegotiation vulnerabilities
     -C, --compression, --crime    tests for CRIME vulnerability (TLS compression issue)
     -B, --breach                  tests for BREACH vulnerability (HTTP compression issue)
     -O, --poodle                  tests for POODLE (SSL) vulnerability
     -Z, --tls-fallback            checks TLS_FALLBACK_SCSV mitigation
     -W, --sweet32                 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
     -A, --beast                   tests for BEAST vulnerability
     -L, --lucky13                 tests for LUCKY13
     -F, --freak                   tests for FREAK vulnerability
     -J, --logjam                  tests for LOGJAM vulnerability
     -D, --drown                   tests for DROWN vulnerability
     -f, --pfs, --fs, --nsa        checks (perfect) forward secrecy settings
     -4, --rc4, --appelbaum        which RC4 ciphers are being offered?

tuning / connect options (most also can be preset via environment variables):

     --fast                        omits some checks: using openssl for all ciphers (-e), show only first preferred cipher.
     -9, --full                    includes tests for implementation bugs and cipher per protocol (could disappear)
     --bugs                        enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
     --assume-http                 if protocol check fails it assumes HTTP protocol and enforces HTTP checks
     --ssl-native                  fallback to checks with OpenSSL where sockets are normally used
     --openssl <PATH>              use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh)
     --proxy <host:port|auto>      (experimental) proxy connects via <host:port>, auto: values from $env ($http(s)_proxy)
     -6                            also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
     --ip <ip>                     a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
                                   b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
     -n, --nodns <min|none>        if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
     --sneaky                      leave less traces in target logs: user agent, referer
     --ids-friendly                skips a few vulnerability checks which may cause IDSs to block the scanning IP
     --phone-out                   allow to contact external servers for CRL download and querying OCSP responder
     --add-ca <cafile>             path to <cafile> or a comma separated list of CA files enables test against additional CAs.
     --basicauth <user:pass>       provide HTTP basic auth information.

output options (can also be preset via environment variables):

     --quiet                       don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
     --wide                        wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
     --show-each                   for wide outputs: display all ciphers tested -- not only succeeded ones
     --mapping <openssl|           openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default)
                iana|rfc           -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form
                no-openssl|        -> don't display the OpenSSL cipher suite name, display IANA/(RFC) names only
                no-iana|no-rfc>    -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only
     --color <0|1|2|3>             0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers)
     --colorblind                  swap green and blue in the output
     --debug <0-6>                 1: screen output normal but keeps debug output in /tmp/.  2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
```
Test everything on a single host and print the results to the console:
./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST
Test everything on a single host and write the results to HTML (aha converts the coloured terminal output to HTML):
./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html
Vulnerability details and review
RC4 CVE-2013-2566
The RC4 algorithm used in the TLS and SSL protocols has many single-byte biases. A remote attacker can recover plaintext by statistically analysing the ciphertext from a large number of sessions that encrypt the same plaintext.
Automated RC4 testing
testssl.sh RC4 test:
./testssl.sh -4 TARGET
Manual RC4 testing
Enumerate the server's cipher suites manually with ./testssl.sh -E TARGET or nmap -p 443 --script=ssl-enum-ciphers TARGET, and confirm that none of the cipher suites the server supports uses RC4.
TLS and SSL certificates
Server certificates that are not properly encrypted should be assessed as a misconfiguration with a weak cryptographic signature; the items to check on a certificate are listed below.
Obtain the target server's certificate with:
openssl s_client -connect TARGET:443 | openssl x509 -noout -text
Certificate check item table
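As an added example (not from the original post, testssl.sh or nmap), the Python script below post-processes the output of the nmap ssl-enum-ciphers command above and lists every RC4 suite per protocol version, which is exactly what the two scanner findings at the top of this page hinge on. The nmap output embedded in it is a constructed sample, not a real scan result.

```python
import re

# Constructed sample in the layout of `nmap -p 443 --script=ssl-enum-ciphers`
# output; the suites and grades are made up for illustration.
NMAP_SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(")

def parse_ciphers(output):
    """Map each protocol version to the list of cipher suites nmap saw."""
    result, proto = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            result[proto] = []
            continue
        m = CIPHER_RE.match(line)
        if m and proto is not None:
            result[proto].append(m.group(1))
    return result

def rc4_findings(output):
    """(protocol, suite) pairs that use RC4. Any hit confirms the scanner
    findings CVE-2013-2566 and CVE-2015-2808 (Bar Mitzvah) for this host."""
    return [(proto, suite)
            for proto, suites in parse_ciphers(output).items()
            for suite in suites if "RC4" in suite]

if __name__ == "__main__":
    for proto, suite in rc4_findings(NMAP_SAMPLE):
        print("RC4 offered:", proto, suite)
```

The fix on the server side is to remove every RC4 suite from the cipher list and re-run the same enumeration until rc4_findings returns nothing.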
| Name | Description |
|---|---|
| Identify the certificate issuer | Make sure the certificate authority (CA) is a trusted source and that no self-signed certificate is used, because a self-signed certificate allows man-in-the-middle attacks (unless it is internal and signed by an internal CA). |
| Signature algorithm | The algorithm that guarantees the certificate's integrity; make sure it is secure and not MD5 (known to be insecure) or SHA1. |
| Public key | The key length should be long enough that it cannot be broken; the minimum should be 2048 bits. |
| Not Before | Certificate start date. |
| Not After | Certificate end date. |
| Subject & Subject Alternative Name | The Subject should list the DNS name the certificate covers; if it is wrong the browser raises an error. The Subject Alternative Name should list the DNS names covered by a wildcard certificate and every DNS name this certificate is for. |
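As an added example (not part of the original post), the Python below parses the text dump produced by the openssl x509 -noout -text command above and applies the check table: issuer equal to subject (self-signed), MD5/SHA1 signature, key shorter than 2048 bits, the Not Before/Not After window, and a missing Subject Alternative Name. The certificate text is a constructed, deliberately weak sample, not a real certificate.

```python
import re
from datetime import datetime
# Constructed sample in the layout of `openssl x509 -noout -text` output:
# a deliberately weak, self-signed test certificate, not a real one.
CERT_TEXT = """\
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = XX, O = Example Corp, CN = example.test
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Dec 31 23:59:59 2021 GMT
        Subject: C = XX, O = Example Corp, CN = example.test
        Subject Public Key Info:
                RSA Public-Key: (1024 bit)
            X509v3 Subject Alternative Name:
                DNS:example.test, DNS:www.example.test
"""

def _field(text, name):
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else ""

def parse_cert_text(text):
    """Pull the fields from the check table out of openssl's text dump."""
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)$", text, re.M)
    key = re.search(r"Public-Key: \((\d+) bit\)", text)
    fmt = "%b %d %H:%M:%S %Y %Z"
    return {
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "sig_alg": _field(text, "Signature Algorithm"),
        "key_bits": int(key.group(1)) if key else 0,
        "not_before": datetime.strptime(_field(text, "Not Before"), fmt),
        "not_after": datetime.strptime(_field(text, "Not After"), fmt),
        "san": [s.strip() for s in san.group(1).split(",")] if san else [],
    }

def audit(text, now_iso):
    """Apply the check table; now_iso (YYYY-MM-DD) is the evaluation date."""
    c, now, findings = parse_cert_text(text), datetime.fromisoformat(now_iso), []
    if c["issuer"] == c["subject"]:
        findings.append("self-signed certificate (issuer equals subject)")
    if re.search(r"md5|sha1", c["sig_alg"], re.I):
        findings.append("weak signature algorithm: " + c["sig_alg"])
    if c["key_bits"] < 2048:
        findings.append("public key too short: %d bits" % c["key_bits"])
    if not c["not_before"] <= now <= c["not_after"]:
        findings.append("outside validity period")
    if not c["san"]:
        findings.append("no Subject Alternative Name")
    return findings
```

Feed it the real dump with audit(open("cert.txt").read(), "2024-01-01") and an empty list means every item in the table passed.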