Untitled - Aman Hardikar

Slide 1
Panspermia means that life exists everywhere and is transferred by various objects like
comets, asteroids and space rocks.
Why name it Panspermia?
In IT, there exist many worlds (networking, web applications, OS, virtualisation,
databases, malware, …).
Each tool in the toolkit is designed to identify issues in one of those areas.
Now let us look at SSLAuditor, a tool to check for issues in SSL and RDP services.
Slide 2
Opabinia is the name for SSLAuditor.
What is Opabinia?
It is one of the Burgess Shale creatures from the Cambrian period, 500 million years ago.
It has five eyes to look for food and also to escape from any danger. It has a long proboscis
to reach areas that are otherwise difficult to reach.
Why Opabinia?
SSLAuditor has five components that look for risks in SSL and RDP services. The five
components can be seen in the graphic on the slide. They are the cipher checker, certificate
checker, web server checker, RDP checker and validity checker. The input module is very
flexible and can handle a number of sources.
Let us take a deeper look at Opabinia.
Slide 3
This is an overview of the various components, their purpose and the checks each
component does. The tool performs around thirty checks at present.
We will go into each component to learn more.
Slide 4
Let's take a look at the input module and the various execution-related features.
Opabinia accepts input from four types of sources.
The first is adding a single host/IP using the tool itself. The second is adding a
range of IP addresses. The starting IP needs to be specified. At present only the
end IP option is available; a subnet mask option will be enabled in the next version. The
third option is importing an IP address list file. This can be a simple text file with a host,
or a host and port, on each line. It also accepts a CSV file, where the host and port are
separated by a comma. The fourth option is importing Nmap XML files. By default, all
443 services are extracted from the Nmap scan results. Other ports can also be
selected for extraction from the Nmap results file.
The input module also sanitises user input, so the input need not be sanitised before
it is imported. The host and port can be separated by ':', a space or ','.
Regarding the execution features, the tool has scan tuning and scan speed options,
which can be used to run the scan more efficiently. The development environment
option ignores some of the checks, such as self-signed certificates. The tool has automatic
timers that kick in if a timeout or error occurs in any of the components. These affect
component execution time and not the overall timeout value, to improve efficiency. The
timers can be disabled, if required, using the disable timers option. The scan speed can
also be modified using the slider in the scan speed option. This comes in useful if the server
is responding slowly and needs more time for the scan to finish.
Slide 5
The first module is the cipher checks module. The purpose of this module is to check the
ciphers supported by the SSL service. It checks for SSL version 2 protocol support and
for support of weak ciphers. It lists the ciphers supported and the preferred cipher for
each protocol supported.
Slide 6
The second module is the certificate checks module. It checks for a number of issues
based on the certificate and how the service is configured. Some of the certificate
checks performed are validity checks, self-signed and wildcard certificates, weak public
key and signature algorithms, CRL information and support for MD5 MAC. Some of the
configuration checks performed are secure renegotiation, session resumption, and
vulnerability to the BEAST and CRIME attacks.
The module also captures all the information in the form of a table that is easy to read
and verify.
Slide 7
This module checks the configuration of the web server. It checks for HSTS and other
security-related headers that enhance the security of the application. It checks the cache
settings and cookie settings on the index page. It checks for version disclosure in the
headers returned by the web server, which reveal the technology in use on the server.
It also checks whether the server is vulnerable to the Heartbleed vulnerability.
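An added illustration, written here rather than taken from the tool, of the kind of header checks this module performs on an index-page response: HSTS, other security headers, cache settings, cookie flags and version disclosure. The expected-header list, the one-year HSTS threshold and the two sample responses are assumptions made for the example.

```python
import re

EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "Content-Security-Policy")  # assumed policy
MIN_HSTS_MAX_AGE = 31536000  # one year (assumed threshold)
_VERSION_RE = re.compile(r"\d+\.\d+")

def check_headers(headers):
    """headers: list of (name, value) pairs, the shape http.client's getheaders() returns.
    Returns a list of (check, detail) findings; an empty list means nothing was flagged."""
    findings, plain, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)          # may repeat, so keep every one
        else:
            plain[name.lower()] = value
    # HSTS: header present and max-age long enough
    hsts = plain.get("strict-transport-security")
    match = hsts and re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts is None:
        findings.append(("hsts", "Strict-Transport-Security header missing"))
    elif not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(("hsts", "max-age below %d: %s" % (MIN_HSTS_MAX_AGE, hsts)))
    # Other security headers
    for header in EXPECTED_HEADERS:
        if header.lower() not in plain:
            findings.append(("security-header", "%s missing" % header))
    # Cache settings: the index page should not be stored by shared caches
    cache = plain.get("cache-control", "")
    if not re.search(r"\b(no-store|private)\b", cache, re.I):
        findings.append(("cache", "Cache-Control does not restrict caching: %r" % cache))
    # Cookie flags: every Set-Cookie should carry Secure and HttpOnly
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(("cookie", "%s lacks %s" % (name, flag)))
    # Version disclosure in server-identifying headers
    for header in ("server", "x-powered-by", "x-aspnet-version"):
        value = plain.get(header)
        if value and _VERSION_RE.search(value):
            findings.append(("version-disclosure", "%s: %s" % (header, value)))
    return findings

# Constructed responses: a weak configuration and a hardened one
WEAK_HEADERS = [("Server", "Apache/2.4.7 (Ubuntu)"), ("Strict-Transport-Security", "max-age=300"),
                ("Cache-Control", "public, max-age=3600"), ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
                ("X-Content-Type-Options", "nosniff"), ("Content-Type", "text/html")]
HARDENED_HEADERS = [("Server", "Apache"), ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"), ("Cache-Control", "no-store"),
                    ("Content-Security-Policy", "default-src 'self'"), ("Set-Cookie", "sid=x; Path=/; Secure; HttpOnly")]
```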
Slide 8
This module checks the RDP service configuration. It checks the support for various
protocols like CredSSP, SSL and native RDP. If native RDP is supported, it checks for the
security level and the supported ciphers. If SSL is supported, it checks for the ciphers and
self-signed certificates.
Slide 9
This module checks the validity of the certificate. It is designed for bulk scanning,
mainly for administrators to check the validity of certificates across the enterprise.
The module checks whether the certificate has expired or is expiring and reports the status.
It checks not only the certificate on the server, but the entire chain for validity. The
various colours in the report denote the urgency of getting the certificate renewed.
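An added example (not the tool's code) of chain-wide validity classification as described above: each certificate is bucketed by days left and the worst member sets the chain's colour. The colour thresholds, the date format (the text form Python's getpeercert() returns) and the sample chain are assumptions made for the example.

```python
import ssl
import time

# Urgency bands in days left (assumed thresholds; the slides do not give the tool's own)
BANDS = ((0, "red", "expired"), (14, "red", "expires within 2 weeks"),
         (30, "amber", "expires within 30 days"), (90, "yellow", "expires within 90 days"))
SEVERITY = {"red": 0, "amber": 1, "yellow": 2, "green": 3}

def cert_status(not_before, not_after, now):
    """Classify one certificate. Dates are in the text form getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT', parsed with ssl.cert_time_to_seconds."""
    start = ssl.cert_time_to_seconds(not_before)
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if now < start:
        return "red", "not yet valid", days_left
    for limit, colour, label in BANDS:
        if days_left <= limit:
            return colour, label, days_left
    return "green", "valid", days_left

def chain_status(chain, now=None):
    """chain: (subject, notBefore, notAfter) tuples, leaf first. Every member is
    classified and the worst one decides the chain's colour, since an expired
    intermediate breaks validation just as an expired leaf does.
    Returns (worst_colour, worst_subject, per_cert_rows)."""
    now = time.time() if now is None else now
    rows = [(subject,) + cert_status(nb, na, now) for subject, nb, na in chain]
    worst = min(rows, key=lambda r: (SEVERITY[r[1]], r[3]))
    return worst[1], worst[0], rows

# Constructed chain, evaluated against a fixed "now" so the result is reproducible
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2024 GMT")
SAMPLE_CHAIN = [
    ("www.example.com", "Jan  1 00:00:00 2023 GMT", "Jan 20 00:00:00 2024 GMT"),
    ("Example Intermediate CA", "Jan  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2030 GMT"),
    ("Example Root CA", "Jan  1 00:00:00 2010 GMT", "Jan  1 00:00:00 2040 GMT"),
]
```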
Slide 10
The tool generates two types of reports – audit reports and validity reports. The audit
report has four sections. The summary section contains the scope and the combined list
of issues identified. The issue list section contains the list of issues identified on each
service tested. The remaining two sections are optional, but enabled by default. The
detailed information section contains the information retrieved about each of the
services, with all the issue areas highlighted. The mitigation procedure section contains
the issue description and mitigation recommendations for each issue identified. The
validity report is in the form of a table that is easy to read. There is also an option to
report only the certificates with issues.
The tool generates reports in four formats. In the current version, only web-based HTML
and CSV formats are enabled. The tool can automatically save reports to a specific
directory. This option is saved and reloaded by the tool when it is started. The tool can
also generate a report for the last scan based on the options selected (format, sections).
Slide 11
Demo or video of the tool execution.
General scan demo at https://www.youtube.com/watch?v=76N523dm3S0
Validity scan demo at https://www.youtube.com/watch?v=_QiKWm01iDQ
Slide 12
Slide 13
The tool is available for download from http://www.amanhardikar.com/software.html
A sample audit report is available at http://www.amanhardikar.com/software/sslauditor4audit.html
A sample validity report is available at http://www.amanhardikar.com/software/sslauditor4-validity.html
Please send feedback to [email protected] or via
http://feedback.amanhardikar.com/
Slide 14