Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding initial support for tls version enum #69

Merged
merged 7 commits into from
Aug 10, 2022
Merged

Adding initial support for tls version enum #69

merged 7 commits into from
Aug 10, 2022

Conversation

Mzack9999
Copy link
Member

@Mzack9999 Mzack9999 commented Aug 4, 2022
edited by ehsandeep
Loading

Description

This PR adds support for:

Follow up investigation tickets

Example

> echo hackerone.com | go run . -port 443 -ve -ce -json | jq
  

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  <
   |_| |____|___/_/\_\  v0.0.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
{
  "timestamp": "2022-08-08T10:18:47.2387684+02:00",
  "host": "hackerone.com",
  "ip": "104.16.100.52",
  "port": "443",
  "probe_status": true,
  "tls_version": "tls13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "not_before": "2022-02-21T00:00:00Z",
  "not_after": "2023-03-24T23:59:59Z",
  "subject_dn": "CN=hackerone.com, O=HackerOne Inc., L=San Francisco, ST=California, C=US, serialNumber=5308693, businessCategory=Private Organization, jurisdictionStateOrProvince=Delaware, jurisdictionCountry=US, businessCategory=Private Organization, jurisdictionStateOrProvince=Delaware, jurisdictionCountry=US",
  "subject_cn": "hackerone.com",
  "subject_org": [
    "HackerOne Inc."
  ],
  "subject_an": [
    "hackerone.com",
    "www.hackerone.com",
    "api.hackerone.com"
  ],
  "issuer_dn": "CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
  "issuer_cn": "DigiCert SHA2 Extended Validation Server CA",
  "issuer_org": [
    "DigiCert Inc"
  ],
  "fingerprint_hash": {
    "md5": "f26c9c2b1f0a75f9419c09bd57c84e41",
    "sha1": "9118c928a478899b5d4e18e7bacc438c994e1299",
    "sha256": "61dcdf3ff2bc9ccd545fd19f6783ac8cb13c06fdaac32212e8bc1b52c2e327b0"
  },
  "tls_connection": "ctls",
  "sni": "hackerone.com",
  "version-enum": [
    "tls13",
    "tls12"
  ],
  "cipher-enum": [
    {
      "version": "tls13",
      "ciphers": [
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_FALLBACK_SCSV",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
      ]
    },
    {
      "version": "tls12",
      "ciphers": [
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
      ]
    }
  ]
}

@Mzack9999 Mzack9999 added Status: In Progress This issue is being worked on, and has someone assigned. Type: Enhancement Most issues will probably ask for additions or changes. labels Aug 4, 2022
@Mzack9999 Mzack9999 self-assigned this Aug 4, 2022
@Mzack9999 Mzack9999 linked an issue Aug 4, 2022 that may be closed by this pull request
TLS Versions and Ciphers enumeration support #20
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 4, 2022
View reviewed changes
pkg/tlsx/tls/tls.go
if err != nil {
return nil, errors.Wrap(err, "could not get tls ciphers")
}
c.tlsConfig.CipherSuites = customCiphers

Check failure

Code scanning / CodeQL

Insecure TLS configuration

Use of an insecure cipher suite: TLS_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
@Mzack9999 Mzack9999 added Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Aug 8, 2022
@Mzack9999 Mzack9999 requested a review from Ice3man543 August 8, 2022 08:43
ehsandeep
ehsandeep requested changes Aug 8, 2022
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment
edited by Mzack9999
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Not working in auto mode
echo hackerone.com | go run . -ve -ce -json -sm auto | jq .
  • using _ instead of - in json output fields.
    • version-enum => version_enum
    • cipher-enum => cipher_enum

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 9, 2022
View reviewed changes
pkg/tlsx/tls/tls.go
@@ -55,7 +55,7 @@
}

if options.AllCiphers {
c.tlsConfig.CipherSuites = allCiphers
c.tlsConfig.CipherSuites = AllCiphers

Check failure

Code scanning / CodeQL

Insecure TLS configuration

Use of an insecure cipher suite: TLS_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA. Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 9, 2022

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

0.0% 0.0% Coverage
10.5% 10.5% Duplication

@Mzack9999 Mzack9999 requested a review from ehsandeep August 9, 2022 08:16
@ehsandeep ehsandeep merged commit 8d911b3 into dev Aug 10, 2022
@ehsandeep ehsandeep deleted the issue-20-enums branch August 10, 2022 16:25
@ehsandeep ehsandeep removed the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Aug 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ice3man543 Ice3man543 Ice3man543 approved these changes

@ehsandeep ehsandeep ehsandeep approved these changes

Assignees

@Mzack9999 Mzack9999

Labels
Type: Enhancement Most issues will probably ask for additions or changes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TLS Versions and Ciphers enumeration support
3 participants
@Mzack9999 @ehsandeep @Ice3man543