#!/bin/bash
# run a series of command-line tests to see if your site is secure
# based on this checklist: https://securitychecklist.org/
#
# INCOMPLETE - still working on it
#
# Todo: download nmap
# Colors
# Black 0;30 Dark Gray 1;30
# Blue 0;34 Light Blue 1;34
# Green 0;32 Light Green 1;32
# Cyan 0;36 Light Cyan 1;36
# Red 0;31 Light Red 1;31
# Purple 0;35 Light Purple 1;35
# Brown/Orange 0;33 Yellow 1;33
# Light Gray 0;37 White 1;37
# ANSI colour prefixes used by the check functions. They are stored as the
# literal backslash sequences (single quotes) and only become escape bytes
# when printed with `echo -e`.
declare NC='\033[0m'        # reset to the terminal default
declare yellow='\033[1;33m' # section headings
declare green='\033[0;32m'  # prompts
declare red='\033[0;31m'    # errors
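# Target host. Taken from the first command-line argument when given,
# otherwise the user is prompted for it. A scheme prefix or a path the user
# typed anyway is stripped so that the "https://$DOMAIN" URLs built by the
# checks stay well-formed. An empty domain aborts the script.
if [[ -n $1 ]]; then
  DOMAIN=$1
else
  printf '%b\n' "${green}Please enter the domain name, without the http protocol ${NC}"
  read -r DOMAIN   # -r keeps backslashes literal; default IFS trims surrounding blanks
fi
DOMAIN=${DOMAIN#http://}
DOMAIN=${DOMAIN#https://}
DOMAIN=${DOMAIN%%/*}
if [[ -z $DOMAIN ]]; then
  printf '%b\n' "${red}No domain given, nothing to check${NC}" >&2
  exit 1
fi
# One HEAD request over https, reused by the checks that read $OUTPUT so the
# server is not hit once per check. -s hides progress output, -I asks for
# headers only. An empty result means curl produced no headers at all.
OUTPUT="$(curl -s -I "https://$DOMAIN")"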
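#######################################
# Check that plain http is redirected to https.
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  status line and Location header of the http response, or the
#           curl error if the connection failed
# Returns:  0 (the trailing printf)
#######################################
checkSSLRedirect() {
  printf '%b\n' "${yellow}Checking if http 301 redirects to https"
  printf '%b\n' "Should say: HTTP/1.1 301 Moved Permanently ${NC}"
  # Show the Location header as well: a 301 whose target is another http://
  # URL (or a different host) is not an https redirect, and a 302/307/308
  # to https:// serves the same purpose. Header names are case-insensitive,
  # hence -i. -sS keeps curl quiet but still reports connection failures on
  # stderr, which is merged so a failure is visible instead of silent.
  curl -sS -I "http://$DOMAIN" 2>&1 | grep -i -E '^(HTTP|Location|curl:)'
  printf '\n\n'
}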
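#######################################
# Check that the https request made at start-up got a status line.
# Globals:  OUTPUT (read) — headers captured from `curl -s -I https://$DOMAIN`
#           yellow, NC (read)
# Outputs:  the status line(s) from $OUTPUT, or a note when there is none
# Returns:  0 (the trailing printf)
#######################################
checkSSL() {
  printf '%b\n' "${yellow}Checking if https works"
  printf '%b\n' "Should say: HTTP/1.1 200 OK ${NC}"
  if [[ -z $OUTPUT ]]; then
    # curl -s printed no headers at all (most likely the connection or the
    # TLS handshake failed); the original grep printed nothing in this case.
    printf '%s\n' 'no response over https (curl returned no headers)'
  else
    # Servers speaking HTTP/2 answer with "HTTP/2 200" rather than
    # "HTTP/1.1 200 OK"; both satisfy this check.
    grep '^HTTP' <<<"$OUTPUT"
  fi
  printf '\n\n'
}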
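#######################################
# Check that the https response carries a Strict-Transport-Security header.
# Globals:  OUTPUT (read) — headers captured from `curl -s -I https://$DOMAIN`
#           yellow, NC (read)
# Outputs:  the HSTS header line, or a note that it is absent
# Returns:  0 (the trailing printf)
#######################################
checkHSTS() {
  printf '%b\n' "${yellow}Is the HSTS http-header set?"
  printf '%b\n' "Should say:${NC} Strict-Transport-Security: max-age=63072000; includeSubdomains;"
  # HTTP header names are case-insensitive and servers do emit
  # "strict-transport-security", which the case-sensitive '^Strict' missed.
  # Anchoring on the full name also avoids matching unrelated "Strict*"
  # headers. max-age is in seconds (63072000 = two years).
  if ! grep -i '^Strict-Transport-Security:' <<<"$OUTPUT"; then
    printf '%s\n' 'header not present (or no https response captured)'
  fi
  printf '\n\n'
}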
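#######################################
# Report the size of the server certificate's public key.
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  openssl's "Server public key is N bit" line, or a note when the
#           handshake produced none (openssl's own stderr is left visible)
# Returns:  0 (the trailing printf)
#######################################
checkCert4096() {
  printf '%b\n' "${yellow}Is the server certificate at least 4096 bits?"
  printf '%b\n' "Should say:${NC} Server public key is 4096 bit"
  # s_client reads stdin until EOF, so it gets /dev/null and runs in the
  # foreground; the original backgrounded it with '&', which let the next
  # check's output interleave with this one. -servername sends SNI so a
  # virtual-hosted server returns the certificate for $DOMAIN and not its
  # default one.
  # NOTE: the reported size depends on the key type. An EC (P-256) key shows
  # up as "256 bit" and is not weak; the 4096-bit expectation applies to RSA.
  openssl s_client -showcerts -servername "$DOMAIN" -connect "$DOMAIN:443" </dev/null \
    | grep '^Server public key' \
    || printf '%s\n' 'no "Server public key" line (handshake failed?)'
  printf '\n\n'
}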
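#######################################
# Probe whether the server still accepts SSLv3 (it must not).
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  curl's error message when the protocol is refused, a warning
#           when the connection succeeded
# Returns:  0 (the trailing printf)
#######################################
checkSSLv3() {
  printf '%b\n' "${yellow}SSL v3"
  printf '%b\n' "Should say:${NC} curl: (35) Server aborted the SSL handshake"
  # curl reports a refused handshake on stderr, which the original pipe never
  # saw (it grepped stdout only), so a rejected protocol printed nothing.
  # stderr is captured, any body is discarded, and the exit status decides.
  # A non-zero status is printed verbatim: it is usually the handshake
  # refusal, but can also be a connection failure or a curl built without
  # SSLv3 support, so read the message rather than just the status.
  local err rc=0
  err=$(curl --sslv3 -sS -o /dev/null "https://$DOMAIN" 2>&1) || rc=$?
  if (( rc == 0 )); then
    printf '%s\n' 'WARNING: the server accepted an SSLv3 connection'
  else
    printf '%s\n' "${err:-curl exit status $rc}"
  fi
  printf '\n\n'
}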
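#######################################
# Probe whether the server still accepts TLS 1.0 (deprecated by RFC 8996).
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  curl's error message when the protocol is refused, a warning
#           when the connection succeeded
# Returns:  0 (the trailing printf)
#######################################
checkTLS10() {
  printf '%b\n' "${yellow}TLS v1.0"
  printf '%b\n' "Should say:${NC} curl: (35) Server aborted the SSL handshake"
  # The original grepped stdout for curl's error text, but curl writes it to
  # stderr, so a refused handshake showed nothing. Capture stderr, drop the
  # body, and decide on the exit status; the message is printed as-is
  # because a non-zero status may also be a plain connection failure.
  local err rc=0
  err=$(curl --tlsv1.0 -sS -o /dev/null "https://$DOMAIN" 2>&1) || rc=$?
  if (( rc == 0 )); then
    printf '%s\n' 'WARNING: the server accepted a TLS 1.0 connection'
  else
    printf '%s\n' "${err:-curl exit status $rc}"
  fi
  printf '\n\n'
}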
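#######################################
# Probe whether the server still accepts TLS 1.1 (deprecated by RFC 8996).
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  curl's error message when the protocol is refused, a warning
#           when the connection succeeded
# Returns:  0 (the trailing printf)
#######################################
checkTLS11() {
  printf '%b\n' "${yellow}TLS v1.1"
  printf '%b\n' "Should say:${NC} curl: (35) Server aborted the SSL handshake"
  # Same fix as the other protocol probes: curl's refusal message lives on
  # stderr, which the original stdout-only pipe discarded. The exit status
  # tells accepted from refused; the captured message is shown unfiltered
  # since its exact wording varies between curl/TLS-library versions.
  local err rc=0
  err=$(curl --tlsv1.1 -sS -o /dev/null "https://$DOMAIN" 2>&1) || rc=$?
  if (( rc == 0 )); then
    printf '%s\n' 'WARNING: the server accepted a TLS 1.1 connection'
  else
    printf '%s\n' "${err:-curl exit status $rc}"
  fi
  printf '\n\n'
}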
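#######################################
# Check that a TLS 1.2 (or newer) connection succeeds.
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  the response status line, or curl's error if the handshake failed
# Returns:  0 (the trailing printf)
#######################################
checkTLS12() {
  printf '%b\n' "${yellow}TLS v 1.2"
  printf '%b\n' "Should say:${NC} HTTP/1.1 200 OK"
  # -sS: quiet, but a failed handshake is still reported on stderr, which is
  # merged into the pipe so a failure is visible instead of silent (with the
  # original -s it printed nothing). In current curl (7.54+) --tlsv1.2 means
  # "1.2 or later", so a TLS 1.3 negotiation also passes, as intended.
  curl --tlsv1.2 -sS -I "https://$DOMAIN" 2>&1 | grep -E '^(HTTP|curl:)'
  printf '\n\n'
}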
#######################################
# Run the four protocol probes in order: SSLv3, TLS 1.0, TLS 1.1, TLS 1.2.
# As with an && chain, a probe that returns non-zero stops the remaining ones.
# Globals:  yellow (read)
# Returns:  0 (the trailing printf)
#######################################
checkTLS() {
  local probe
  printf '%b\n' "${yellow}Is TLS1.2 the only supported protocol?"
  for probe in checkSSLv3 checkTLS10 checkTLS11 checkTLS12; do
    "$probe" || break
  done
  printf '\n\n'
}
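#######################################
# List the cipher suites the server offers on port 443 via nmap.
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  the reference output, then nmap's ssl-enum-ciphers report
# Returns:  nmap's exit status, or 1 when nmap is not installed
# Note:     this function is defined but not part of the chain run at the
#           end of the script; call it explicitly when nmap is available.
#######################################
checkCiphers() {
  printf '%b\n' "${yellow}Do all supported symmetric ciphers use at least 256 bit keys?"
  printf '%b\n' "Should output:${NC}"
  # Reference output from the checklist. Its 256-bit bar is a policy choice:
  # AES-128-GCM suites are generally still regarded as strong, so a
  # 128-bit suite in the list is not by itself a weakness.
  cat <<"EOT"
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
EOT
  # nmap is not part of a default install (see the Todo at the top of the
  # file); say so instead of failing with "command not found".
  if ! command -v nmap >/dev/null 2>&1; then
    printf '%s\n' 'nmap not found; install it to run the ssl-enum-ciphers script' >&2
    return 1
  fi
  nmap --script ssl-enum-ciphers -p 443 "$DOMAIN"
}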
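#######################################
# Report the size of the ephemeral Diffie-Hellman key the server uses.
# Globals:  DOMAIN, yellow, NC (read)
# Outputs:  openssl's "Server Temp Key" line, or a note when it is absent
#           (openssl's own stderr is left visible)
# Returns:  0 (the trailing printf)
#######################################
checkDiffe() {
  printf '%b\n' "${yellow}Is the Diffie-Hellman prime at least 4096 bits?"
  printf '%b\n' "Should say:${NC} Server Temp Key: DH, 4096 bits"
  # -cipher EDH restricts the offer to finite-field DHE suites so the
  # "Server Temp Key" line reports the DH group size. stdin is /dev/null and
  # the command runs in the foreground: the original backgrounded it with
  # '&', letting later checks' output interleave with this one. -servername
  # sends SNI. The expected line is missing when the handshake fails, when
  # the server offers no DHE suite, with openssl older than 1.0.2, and
  # possibly on a TLS 1.3 negotiation (-cipher does not cover TLS 1.3
  # suites, so an ECDH/X25519 key may be reported instead).
  openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" -cipher "EDH" </dev/null \
    | grep '^Server Temp Key' \
    || printf '%s\n' 'no "Server Temp Key" line (handshake failed, no DHE suite, or old openssl)'
  printf '\n\n'
}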
# Run the checks in order; the chain stops at the first one that returns
# non-zero. checkCiphers (needs nmap) is not in the chain.
checkSSLRedirect \
  && checkSSL \
  && checkHSTS \
  && checkCert4096 \
  && checkTLS \
  && checkDiffe