Untitled - Aman Hardikar
Transcription
Slide 1: Panspermia means that life exists everywhere and is transferred by various objects like comets, asteroids and space rocks. Why name it Panspermia? In IT there exist many worlds (networking, web applications, OS, virtualisation, databases, malware, ...). Each tool in the toolkit is designed to identify issues in one of those areas. Now let us look at SSLAuditor, a tool to check for issues in SSL and RDP services.

Slide 2: Opabinia is the name for SSLAuditor. What is Opabinia? It is one of the Burgess Shale creatures from the Cambrian period, 500 million years ago. It has five eyes to look for food and also to escape from any danger. It has a long proboscis to reach areas that are otherwise difficult to reach. Why Opabinia? SSLAuditor has five components that look for risks in SSL and RDP services. The five components can be seen in the graphic on the slide. They are the cipher checker, certificate checker, web server checker, RDP checker and validity checker. The input module is very flexible and can handle a number of sources. Let us take a deeper look at Opabinia.

Slide 3: This is an overview of the various components, their purpose and the checks each component performs. The tool performs around thirty checks at present. We will go into each component to learn more.

Slide 4: Let's take a look at the input module and the various execution-related features. Opabinia accepts input from four types of sources. The first is adding a single host/IP using the tool itself. The second is adding a range of IP addresses; the starting IP needs to be specified. At present only the end-IP option is available, but a subnet mask option will be enabled in the next version. The third option is import from an IP address list file. This can be a simple text file with a host, or a host and port, on each line. It also accepts a CSV file, where the host and port are separated by a comma. The fourth option is import of Nmap XML files. By default, all 443 services are extracted from the Nmap scan results. Other ports can also be selected for extraction from the Nmap results file. The input module also sanitises user input, so the input need not be sanitised before it is imported. The host and port can be separated by ":", a space or ",". Regarding the execution features, the tool has scan tuning and scan speed options, which can be used to run the scan more efficiently. The development environment option ignores some of the checks, like self-signed certificates. The tool has automatic timers that kick in if a timeout or error occurs in any of the components. These affect the execution time of the five components and not the overall timeout value, to improve efficiency. The timers can be disabled, if required, using the disable timers option. The scan speed can also be modified using the slider in the scan speed option. This comes in useful if the server is responding slowly and needs more time for the scan to finish.

Slide 5: The first module is the cipher checks module. Its purpose is to check the ciphers supported by the SSL service. It checks for SSL version 2 protocol support and for weak cipher support. It lists the ciphers supported and the preferred cipher for each protocol supported.

Slide 6: The second module is the certificate checks module. It checks for a number of issues based on the certificate and on how the service is configured. Some of the certificate checks performed are validity checks, self-signed and wildcard certificates, weak public key and signature algorithm, CRL information and support for MD5 MAC. Some of the configuration checks performed are secure renegotiation, session resumption and vulnerability to the BEAST and CRIME attacks. The module also captures all the information in the form of a table that is easy to read and verify.

Slide 7: This module checks the configuration of the web server. It checks for HSTS and other security-related headers that enhance the security of the application. It checks the cache settings and cookie settings on the index page. It checks for version disclosure in the headers returned by the web server, which reveals the technology in use on the server. It also checks whether the server is vulnerable to the Heartbleed vulnerability.

Slide 8: This module checks the RDP service configuration. It checks the support for the various protocols: CredSSP, SSL and native RDP. If native RDP is supported, it checks the security level and the supported ciphers. If SSL is supported, it checks the ciphers and for self-signed certificates.

Slide 9: This module checks the validity of the certificate. It is designed for bulk scanning, mainly by administrators checking the validity of certificates across the enterprise. The module checks whether the certificate has expired or is expiring and reports the status. It checks not only the certificate on the server but the entire chain for validity. The various colours in the report denote the urgency with which the certificate needs to be renewed.

Slide 10: The tool generates two types of reports: audit reports and validity reports. The audit report has four sections. The summary section contains the scope and the combined list of issues identified. The issue list section contains the list of issues identified on each service tested. The remaining two sections are optional but enabled by default. The detailed information section contains the information retrieved about each service, with all the issue areas highlighted. The mitigation procedure section contains the issue description and mitigation recommendations for each issue identified. The validity report is in the form of a table that is easy to read. There is also an option to report only the certificates with issues. The tool generates reports in four formats. In the current version, only web-based HTML and CSV formats are enabled. The tool can automatically save reports to a specific directory. This option is saved and reloaded by the tool when it is started. The tool can also generate a report for the last scan based on the options selected (format, sections).

Slide 11: Demo or video of the tool execution. General scan demo at https://www.youtube.com/watch?v=76N523dm3S0 Validity scan demo at https://www.youtube.com/watch?v=_QiKWm01iDQ

Slide 13: The tool is available for download from http://www.amanhardikar.com/software.html Sample audit report is available at http://www.amanhardikar.com/software/sslauditor4audit.html Sample validity report is available at http://www.amanhardikar.com/software/sslauditor4-validity.html Please send feedback to [email protected] or via http://feedback.amanhardikar.com/
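The input module described on slide 4 accepts host lists with ":", space or "," separators and Nmap XML with port 443 extracted by default. The following is an added example written for this page, not SSLAuditor's own code; the sample list and Nmap fragment are constructed.

```python
# Added example (not SSLAuditor's own code): a target-list parser modelled on the
# input module described on slide 4. It accepts "host", "host:port", "host port" or
# "host,port" lines (text or CSV) and Nmap XML, extracting the open services on
# port 443 by default or on a caller-selected set of ports.
import re
import xml.etree.ElementTree as ET

DEFAULT_PORT = 443
_SEP = re.compile(r"[:,\s]+")   # host and port may be separated by ':' ' ' or ','
_HOST = re.compile(r"[A-Za-z0-9.\-]+")


def parse_target_line(line, default_port=DEFAULT_PORT):
    """Return (host, port) for one list-file line, or None if the line is unusable."""
    parts = [p for p in _SEP.split(line.strip()) if p]   # sanitise: trim, split
    if len(parts) not in (1, 2) or not _HOST.fullmatch(parts[0]):
        return None
    if len(parts) == 1:
        return parts[0], default_port
    if not parts[1].isdigit() or not 1 <= int(parts[1]) <= 65535:
        return None
    return parts[0], int(parts[1])


def parse_target_file(text, default_port=DEFAULT_PORT):
    """Parse a whole list file, skipping blank/invalid lines and duplicates."""
    targets = [parse_target_line(ln, default_port) for ln in text.splitlines()]
    return list(dict.fromkeys(t for t in targets if t))


def parse_nmap_xml(xml_text, ports=(DEFAULT_PORT,)):
    """Return (address, port) for every open TCP port listed in `ports`."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and int(port.get("portid")) in ports
                    and state is not None and state.get("state") == "open"):
                targets.append((addr.get("addr"), int(port.get("portid"))))
    return targets


# Constructed sample inputs, not taken from the original page.
SAMPLE_LIST = "www.example.com:443\n 10.0.0.5 8443 \nmail.example.com,993\n\nbad host\n"
SAMPLE_NMAP = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="3389"><state state="open"/></port>
<port protocol="tcp" portid="8443"><state state="closed"/></port>
</ports></host></nmaprun>"""
```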
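The web server checks on slide 7 (HSTS and other security headers, cache and cookie settings on the index page, version disclosure) can be expressed as a pass over the response headers. This is an added example, not the tool's own code; the response below is constructed, and the header names treated as "security headers" are this example's choice.

```python
# Added example (not SSLAuditor's own code): the web server configuration checks
# listed on slide 7 (security headers, version disclosure, cache and cookie
# settings), run over a constructed HTTP response. Heartbleed is not covered here.
import re

SECURITY_HEADERS = ("strict-transport-security", "x-frame-options",
                    "x-content-type-options", "content-security-policy")
VERSION_RE = re.compile(r"\d+\.\d+")   # a version number such as Apache/2.4.7


def parse_headers(raw_response):
    """Return [(name_lower, value), ...] from the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return [(n.strip().lower(), v.strip()) for n, _, v in (h.partition(":") for h in head)]


def check_web_server(raw_response):
    """Return a list of (issue, detail) findings for one index-page response."""
    headers = parse_headers(raw_response)
    present = dict(headers)            # last value wins; Set-Cookie handled below
    findings = []
    for name in SECURITY_HEADERS:      # HSTS and the other security headers
        if name not in present:
            findings.append(("missing-header", name))
    for name in ("server", "x-powered-by"):   # technology / version disclosure
        if name in present and VERSION_RE.search(present[name]):
            findings.append(("version-disclosure", f"{name}: {present[name]}"))
    cache = present.get("cache-control", "").lower()
    if "no-store" not in cache:        # index page may be stored by caches
        findings.append(("cacheable-page", cache or "(no Cache-Control header)"))
    for name, value in headers:        # every cookie needs Secure and HttpOnly
        if name == "set-cookie":
            cookie, attrs = value.split("=", 1)[0], value.lower().split(";")[1:]
            attrs = {a.strip().split("=")[0] for a in attrs}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append((f"cookie-missing-{flag}", cookie))
    return findings


# Constructed sample response, not captured from any real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9\r\n"
    "Cache-Control: private, max-age=0\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
```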
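The validity module on slide 9 checks the whole chain for expiry and colours the result by urgency. The following added example (not SSLAuditor's code) does the same over a constructed chain in the dict format Python's ssl.SSLSocket.getpeercert() returns; the 30/90-day thresholds and colour names are this example's assumptions.

```python
# Added example (not SSLAuditor's own code): the bulk certificate validity check
# described on slide 9, applied to a whole chain. Each certificate is represented as
# the dict returned by ssl.SSLSocket.getpeercert(); the sample chain is constructed,
# and the 30/90-day thresholds and colour names are this example's own choice.
import ssl
from datetime import datetime, timezone

STATUS = {"green": 0, "amber": 1, "red": 2, "expired": 3}   # higher = more urgent


def days_remaining(cert, now):
    """Days until the certificate's notAfter, negative if already expired."""
    secs = ssl.cert_time_to_seconds(cert["notAfter"])     # parses the GMT string
    return (datetime.fromtimestamp(secs, timezone.utc) - now).days


def classify(days):
    """Map days remaining to the urgency colour used in the validity report."""
    if days < 0:
        return "expired"
    if days <= 30:
        return "red"
    if days <= 90:
        return "amber"
    return "green"


def check_chain(chain, now):
    """Return (worst_status, [(commonName, days, status), ...]) for a chain.

    The whole chain is inspected, so an expiring intermediate is reported even
    when the server certificate itself is still valid for years.
    """
    rows = []
    for cert in chain:
        cn = dict(pair for rdn in cert["subject"] for pair in rdn).get("commonName", "?")
        days = days_remaining(cert, now)
        rows.append((cn, days, classify(days)))
    worst = max((row[2] for row in rows), key=STATUS.__getitem__)
    return worst, rows


# Constructed sample chain (leaf, intermediate, root) in getpeercert() format.
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "www.example.com"),),), "notAfter": "Jan  1 00:00:00 2027 GMT"},
    {"subject": ((("commonName", "Example Intermediate CA"),),), "notAfter": "Jun 20 12:00:00 2025 GMT"},
    {"subject": ((("commonName", "Example Root CA"),),), "notAfter": "Jan  1 00:00:00 2035 GMT"},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
```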