Termux ID: TLS

Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of its output, both on the first scan and on repeated scans.
On repeated scan delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.
Seccubus 2.x is the only actively developed and maintained branch and all support for Seccubus V1 has officially been dropped.

Seccubus V2 works with the following scanners:

Nessus
OpenVAS
Skipfish
Medusa (local and remote)
Nikto (local and remote)
NMap (local and remote)
OWASP-ZAP (local and remote)
SSLyze
Medusa
Qualys SSL labs
testssl.sh (local and remote)

For more information visit [www.seccubus.com]

Seccubus Docker container

Usage

Running a full stack (db/app/frontend) in a single container. And get an interactive shell

docker run -it seccubus/seccubus /bin/bash

By default the container holds a mysql server that runs and stores data locally. If you want data persistency there are two options:
Connect the container to a remote mysql/MariaDB database with environment viariables:

docker run -ti seccubus/seccubus -e DBHOST=dns.name.of.db.host \
-e DBPOSRT=3306 \
-e DBNAME=name.of.database \
-e DBUSER=db.username \
-e DBPASS=password \
/bin/bash

Or, mount a data volume with a db directory on it

mkdir data
mmdir data/db
docker run -it seccubus/seccubus -v ($pwd)/data:/opt/seccubus/data /bin/bash

Please be aware that you can only run one container at a time if you mount a local directory on /var/lib/mysql.

Running a scan
Run the following command to start the scan 'ssllabs' in workspace 'Example' (this workspace is created by default if you use the local mysql database)

docker run -ti seccubus/seccubus scan Example ssllabs

Please be aware that you need soem data persistency here or the data will be stored in a local database that will be deleted whent he container terminates

Running a scheduler
You can run a docker container as a scheduler. This will make it run cron and allow your crontab to execute scans.You can populate the crontab by either placing a file called crontab in the /opt/seccubus/data volume or puting the lines of you crontab in evironement variables starting with CRON_

docker run -e "STACK=cron" -e "CRON_1=* 0 * * * bin/do-scan -w Example -s ssllabs" -ti seccubus/seccubus

This will spin up a container that executes scan ssllabs from workspace Example at midnight every night.
You can set the TZ vairable to control the timezone.

Controlling TLS certificates
The Seccubus container is TLS enabled by default. The environment variable TLS controls this behaviour. Of it is set to anything other then yes, TLS is turned off.
There are three ways to control the certificate:

Do nothing : Self signed certificates will be generated for you
Populate the variables TLSCERT and TLSKEY : The contents will be placed in /opt/seccubus/data/seccubus.pem and /opt/seccubus/data/seccubus.key and used
Put the certificates in the files seccubus.pem and seccubus.key on a data volume and mount it on /opt/seccubus/data

Show this help message

docker run -ti seccubus/seccubus help

Default command
If you don't specify a command to docker run

docker run seccubus/seccubus

The web server access log and error log will be tailed to the screen.

Other options
You can set the following environment variables:

STACK - Determines which part of the stack is run
- full - Run everything
- front - Start apache to serve the html/javascript frontend (this requires that the APIURL variable is set too)
- api - Start apache to serve the json api at / (starts MariaDB too if required)
- web - Start apache to serve both the html/javascript frontend and the json
- perl - Do not start apache, just use this container as an perl backend
DBHOST, DBPORT, DBNAME, DBUSER, DBPASS - Database connection parameters
- If DBHOST/DBPORT are set to 127.0.0.1/3306 the local MariaDB instance is started
APIURL - Path to the API url
- Set this if your set STACK to front to redirect the API calls to an alternative relative or absolute URL.
BASEURI - Base URI for seccubus
- Server the application at the value provided
SMTPSERVER - IP address or host name of an SMTP server to be used for notifications
SMTPFROM - From address used in notifications
TICKETURL_HEAD/TICKETURL_TAIL - If these are set ticket numberrs will be linked to this URL
- E.g. TICKERURL_HEAD = https://jira.example.com/projects/SECC/issues/
- TICKERURL_TAIL = ?filter=allopenissues
- Ticket SECC-666 would be linked to https://jira.example.com/projects/SECC/issues/SECC-666?filter=allopenissues
SSHKEY1, SSHKEY2, SSHKEY3 .. SSHKEY9
- The content of this environment variable will stored in the file /opt/seccubus/.ssh/SSHKEY1 etc.
- You can use this mechanism to provide ssh keys that are used to start remote scans
HTTP_AUTH_HEADER - Set the http authentication header
- If you are using something like OpenAM to authenticate your users, this allows you to set which http request header contains the user that OpenAM detected
TZ - Set the timezone of the container
TLS - Controls TLS behaviour yes means TLS is on, otherwise TLS is off. TLS is on by default.
JIT_GROUP - Controls JIT provisioning of users
CRON_MAIL_TO - Mail cron messages to this addres
CRON_* - Add these lines to crontab in alphabetical order

Download Seccubus

Seccubus - Easy Automated Vulnerability Scanning, Reporting And Analysis

Admin Friday, October 20, 2017

Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the openssl s_client command line.

Cipherscan is meant to run on all flavors of unix. It ships with its own built of OpenSSL for Linux/64 and Darwin/64. On other platform, it will use the openssl version provided by the operating system (which may have limited ciphers support), or your own version provided in the -o command line flag.

Examples
Basic test:

$ ./cipherscan google.com
...................
Target: google.com:443

prio  ciphersuite                  protocols                    pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
5     AES128-GCM-SHA256            TLSv1.2                      None                None
6     AES128-SHA256                TLSv1.2                      None                None
7     AES128-SHA                   TLSv1.1,TLSv1.2              None                None
8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits  prime256v1
11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits  prime256v1
12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
13    AES256-GCM-SHA384            TLSv1.2                      None                None
14    AES256-SHA256                TLSv1.2                      None                None
15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
16    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits  prime256v1
17    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
18    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Cipher ordering: server

Testing STARTTLS:

darwin$ $ ./cipherscan --curves -starttls xmpp jabber.ccc.de:5222
................................
Target: jabber.ccc.de:5222

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
8     AES256-GCM-SHA384            TLSv1.2                None                None
9     AES256-SHA256                TLSv1.2                None                None
10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
11    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
13    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
14    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
16    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
17    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
18    DHE-RSA-SEED-SHA             TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
19    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
20    AES128-GCM-SHA256            TLSv1.2                None                None
21    AES128-SHA256                TLSv1.2                None                None
22    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
23    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  None                None
24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: server
Curves fallback: False

Exporting to JSON with the -j command line option:

$ ./cipherscan --curves -j www.ebay.com | j
{
    "curves_fallback": "False",
    "serverside": "True",
    "target": "www.ebay.com:443",
    "utctimestamp": "2015-04-03T14:54:31.0Z",
    "ciphersuite": [
        {
            "cipher": "AES256-SHA",
            "ocsp_stapling": "False",
            "pfs": "None",
            "protocols": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "pubkey": [
                "2048"
            ],
            "sigalg": [
                "sha1WithRSAEncryption"
            ],
            "ticket_hint": "None",
            "trusted": "True"
        },
        {
            "cipher": "ECDHE-RSA-DES-CBC3-SHA",
            "curves": [
                "prime256v1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
            ],
            "curves_ordering": "server",
            "ocsp_stapling": "False",
            "pfs": "ECDH,P-256,256bits",
            "protocols": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "pubkey": [
                "2048"
            ],
            "sigalg": [
                "sha1WithRSAEncryption"
            ],
            "ticket_hint": "None",
            "trusted": "True"
        }
    ]
}

Analyzing configurations
The motivation behind cipherscan is to help operators configure good TLS on their endpoints. To help this further, the script analyze.py compares the results of a cipherscan with the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS and output a level and recommendations.

$ ./analyze.py -t jve.linuxwall.info
jve.linuxwall.info:443 has intermediate tls

Changes needed to match the old level:
* consider enabling SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* disable TLSv1
* consider enabling OCSP Stapling

In the output above, analyze.py indicates that the target jve.linuxwall.info matches the intermediate configuration level. If the administrator of this site wants to reach the modern level, the items that failed under the modern tests should be corrected.
analyze.py does not make any assumption on what a good level should be. Sites operators should now what level they want to match against, based on the compatibility level they want to support. Again, refer to https://wiki.mozilla.org/Security/Server_Side_TLS for more information.
Note on Nagios mode: analyse.py can be ran as a nagios check with --nagios. The exit code will then represent the state of the configuration:

2 (critical) for bad tls
1 (warning) if it doesn't match the desired level
0 (ok) if it matches. cipherscan can take more than 10 seconds to complete. To alleviate any timeout issues, you may want to run it outside of nagios, passing data through some temporary file.

OpenSSL
Cipherscan uses a custom release of openssl for linux 64 bits and darwin 64 bits. OpenSSL is build from a custom branch maintained by Peter Mosmans that includes a number of patches not merged upstream. It can be found here: https://github.com/PeterMosmans/openssl
You can build it yourself using following commands:

git clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha
cd openssl
./Configure zlib no-shared experimental-jpake enable-md2 enable-rc5 \
enable-rfc3779 enable-gost enable-static-engine linux-x86_64
make depend
make
make report

The statically linked binary will be apps/openssl.

Contributors

Julien Vehent julien@linuxwall.info (original author)
Hubert Kario hkario@redhat.com (co-maintainer)
Pepi Zawodsky git@maclemon.at
Michael Zeltner m@niij.org
Peter Mosmans support@go-forward.net
Vincent Riquer v.riquer@b2f-concept.com
Christian Stadelmann dev@genodeftest.de
Simon Deziel simon.deziel@gmail.com
Aaron Zauner azet@azet.org
Mike mikedawg@gmail.com
Phil Cohen phlipper@users.noreply.github.com
Samuel Kleiner sam@firstbanco.com
Richard Soderberg https://twitter.com/floatingatoll
Adam Crosby adamcrosby@users.noreply.github.com

Download CipherScan

CipherScan JSON Linux Nagios OpenSSL Protocols SSL SSL Ciphersuites SSL/TLS TLS Wrapper

CipherScan - Find out which SSL ciphersuites are supported by a target

Admin Saturday, September 30, 2017

Halaman

Social Items

Termux ID

Seccubus - Easy Automated Vulnerability Scanning, Reporting And Analysis

CipherScan - Find out which SSL ciphersuites are supported by a target