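#!/bin/bash
# run a series of command line tests to see if your site is secure
# based on this checklist: https://securitychecklist.org/
#
# Usage: ./script.sh [domain]
#   domain - bare host name such as example.com (no scheme, no path);
#            prompted for interactively when omitted.
#
# INCOMPLETE - still working on it
#
# Todo: download nmap (needed by checkCiphers)

# Colors
# Black 0;30 Dark Gray 1;30
# Blue 0;34 Light Blue 1;34
# Green 0;32 Light Green 1;32
# Cyan 0;36 Light Cyan 1;36
# Red 0;31 Light Red 1;31
# Purple 0;35 Light Purple 1;35
# Brown/Orange 0;33 Yellow 1;33
# Light Gray 0;37 White 1;37
green='\033[0;32m'
red='\033[0;31m'
NC='\033[0m' # No Color
yellow='\033[1;33m'

# Take the domain from the first argument; if there isn't one, ask for it.
if [ -z "${1:-}" ]; then
  echo -e "${green}Please enter the domain name, without the http protocol ${NC}"
  # -r keeps backslashes in the typed name literal
  read -r DOMAIN
else
  DOMAIN=$1
fi

# DOMAIN is spliced into URLs and passed as an argument to openssl and nmap,
# so only accept hostname characters (use punycode for IDNs). This rejects an
# empty answer, a pasted "https://..." and a name starting with '-' that those
# tools would otherwise parse as an option.
case "$DOMAIN" in
  ''|-*|*[!A-Za-z0-9._-]*)
    echo -e "${red}Invalid domain name: '${DOMAIN}' (expected a bare host name like example.com)${NC}" >&2
    exit 1
    ;;
esac

# Response headers of the https front page; the header checks grep through
# this. -s hides progress output; if the connection fails OUTPUT is empty and
# every header check below prints no matching line.
OUTPUT="$(curl -s -I "https://$DOMAIN")"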
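# Check that plain http answers with a permanent redirect AND that the
# redirect target is https. The status line alone is not enough: a 301 to
# another http:// URL would pass a status-only test, so the Location header
# is printed as well (a 308 is an equally acceptable permanent redirect).
function checkSSLRedirect () {
  echo -e "${yellow}Checking if http 301 redirects to https"
  echo -e "Should say: HTTP/1.1 301 Moved Permanently ${NC}"
  echo -e "and a Location: header that starts with https://"
  # -i: header names are case-insensitive, so match them that way.
  # --max-time keeps a non-answering host from hanging the whole run.
  curl -s -I --max-time 15 "http://$DOMAIN" | grep -i -E '^(HTTP|Location:)'
  echo -e '\n'
}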
function checkSSL() { | |
echo -e "${yellow}Checking if https works" | |
echo -e "Should say: HTTP/1.1 200 OK ${NC}" | |
echo "$OUTPUT" | grep '^HTTP' | |
echo -e '\n' | |
} | |
function checkHSTS () { | |
echo -e "${yellow}Is the HSTS http-header set?" | |
echo -e "Should say:${NC} Strict-Transport-Security: max-age=63072000; includeSubdomains;" | |
echo "$OUTPUT"| grep '^Strict' | |
echo -e '\n' | |
} | |
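# Print the size of the server certificate's public key.
# The checklist asks for 4096-bit RSA. An ECDSA certificate legitimately
# reports a much smaller number (e.g. "256 bit" for P-256) and is not weak,
# so judge the line against the key type, not only the bit count.
function checkCert4096 () {
  echo -e "${yellow}Is the server certificate at least 4096 bits?"
  echo -e "Should say:${NC} Server public key is 4096 bit"
  # -servername sends SNI; without it a virtual-hosted server may present its
  # default certificate and we would grade the wrong key.
  # </dev/null closes s_client's stdin so it exits right after the handshake
  # instead of waiting for input, and the command runs in the foreground so
  # its line appears under this heading rather than in the middle of a later
  # check. s_client's verify chatter on stderr is dropped; an empty result
  # therefore means "could not connect".
  openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
    | grep '^Server public key'
  echo -e '\n'
}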
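# Try one SSL/TLS protocol version against the server and print a verdict.
# Arguments: $1 - label for the heading (e.g. "TLS v1.0")
#            $2 - expected verdict, ACCEPTED or REFUSED
#            $3... - curl version flags (e.g. --tlsv1.0 --tls-max 1.0)
# The verdict comes from curl's exit status instead of grepping its output:
# curl's "Server aborted the SSL handshake" text goes to stderr, so the old
# `curl ... | grep 'Server aborted'` never saw it, and a server that ACCEPTED
# the old protocol simply printed nothing - the dangerous case was silent.
function probeProtocol() {
  local label=$1 expected=$2
  shift 2
  local rc=0
  echo -e "${yellow}${label}"
  echo -e "Should say:${NC} ${expected}"
  curl -s -o /dev/null --max-time 15 "$@" "https://$DOMAIN" || rc=$?
  case "$rc" in
    # 60 = certificate verification failed, which happens *after* the version
    # was negotiated, so the server did accept this protocol.
    0|60) echo "ACCEPTED (server completed a ${label} handshake)" ;;
    35)   echo "REFUSED (server rejected the ${label} handshake)" ;;
    4)    echo "UNTESTED (this curl build does not support ${label})" ;;
    2)    echo "UNTESTED (curl did not understand '$*'; --tls-max needs curl >= 7.54)" ;;
    *)    echo "UNKNOWN (curl exit ${rc}; could not connect?)" ;;
  esac
  echo -e '\n'
}

# Since curl 7.54 --tlsvX.Y means "at least X.Y", not "exactly X.Y", so the
# server may quietly negotiate TLS 1.2 and make an old-protocol probe look
# like a pass. --tls-max pins the ceiling so each probe tests one version.
function checkSSLv3(){
  probeProtocol "SSL v3" "REFUSED" --sslv3
}
function checkTLS10(){
  probeProtocol "TLS v1.0" "REFUSED" --tlsv1.0 --tls-max 1.0
}
function checkTLS11(){
  probeProtocol "TLS v1.1" "REFUSED" --tlsv1.1 --tls-max 1.1
}
# No --tls-max here on purpose: "at least 1.2" is the property we want, and a
# server that negotiates TLS 1.3 instead is fine (the checklist predates 1.3).
function checkTLS12(){
  probeProtocol "TLS v1.2" "ACCEPTED" --tlsv1.2
}
# Run all four probes. Every probe returns 0, so they run unconditionally.
function checkTLS() {
  echo -e "${yellow}Is TLS1.2 the only supported protocol?"
  checkSSLv3
  checkTLS10
  checkTLS11
  checkTLS12
  echo -e '\n'
}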
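# Enumerate the cipher suites offered on port 443 with nmap's
# ssl-enum-ciphers script. Requires nmap on PATH; when it is missing a
# notice is printed and the function still returns 0 so a caller that chains
# checks with && is not cut short.
# Reading the result today:
# - newer nmap grades suites with letters (A-F) instead of "strong"/"weak";
#   look at its "least strength" line.
# - AES-128-GCM is not weak even though the checklist asks for 256-bit keys,
#   while the CBC/SHA1 suites in the sample below are the ones most sites
#   retire first. Prefer AEAD suites (GCM, CHACHA20) with (EC)DHE exchange.
function checkCiphers () {
  echo -e "${yellow}Do all supported symmetric ciphers use at least 256 bit keys?"
  echo -e "Should output:${NC}"
  cat <<"EOT"
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
EOT
  if ! command -v nmap >/dev/null 2>&1; then
    echo -e "${red}nmap is not installed; skipping cipher enumeration${NC}" >&2
    echo -e '\n'
    return 0
  fi
  nmap --script ssl-enum-ciphers -p 443 "$DOMAIN"
  echo -e '\n'
}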
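# Print the size of the ephemeral Diffie-Hellman key the server uses when the
# client only offers finite-field DHE suites (the "EDH" cipher string).
# How to read the result:
# - "Server Temp Key: DH, 4096 bits" (2048 is the common floor) - the DHE
#   prime the checklist asks about.
# - no line at all - either the server offers no DHE suite (ECDHE-only, which
#   is fine: a prime that is never used cannot be weak) or the connection
#   failed; compare with checkCert4096 to tell the two apart.
# - a line naming X25519 or ECDH - presumably a TLS 1.3 handshake, where
#   -cipher does not apply; rerun with -no_tls1_3 (OpenSSL >= 1.1.1) to see
#   the TLS 1.2 DHE prime.
function checkDiffe(){
  echo -e "${yellow}Is the Diffie-Hellman prime at least 4096 bits?"
  echo -e "Should say:${NC} Server Temp Key: DH, 4096 bits"
  # -servername sends SNI so the right virtual host answers; stdin from
  # /dev/null makes s_client exit after the handshake instead of waiting for
  # input; running in the foreground keeps the line under this heading.
  openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" -cipher "EDH" </dev/null 2>/dev/null \
    | grep "^Server Temp Key"
  echo -e '\n'
}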
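# Run the checks in order. Each check ends with an echo (status 0), so a plain
# sequence behaves like the former && chain but cannot be cut short by a check
# whose last command fails (e.g. a missing nmap). checkCiphers is included so
# the cipher enumeration runs once nmap is installed (see the Todo above);
# checkDiffe stays last so the script's exit status is its final echo.
checkSSLRedirect
checkSSL
checkHSTS
checkCert4096
checkTLS
checkCiphers
checkDiffe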