So I've patched OpenSSL's s_client a bit to print temporary RSA 512 public key used for EXPORT cipher
--- 1/apps/s_cb.c 2015-03-04 17:17:28.349494504 +0300
+++ 2/apps/s_cb.c 2015-03-04 17:17:30.452827799 +0300
@@ -507,6 +507,7 @@
switch (EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
+ PEM_write_bio_PUBKEY(out, key);
break;
case EVP_PKEY_DH:
Then grabbed domain list from freakattack.com, got first IP addresses from domain with
parallel -u -j8 -a domainlist.txt 'dig +short a {} | egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | head -n1' > ips.txt
and ran parallel -u -a ips.txt -j20 './run.sh {}' twice to collect temporary RSA 512 bit keys, where run.sh is as follows:
openssl s_client -connect $1:443 -showcerts -cipher EXP-RC4-MD5 < /dev/null | grep -A3 'BEGIN PUBLIC KEY' >> output/$1.txt
then count all domains with more than 4 unique RSA key lines:
parallel -u -a ../ips.txt -j1 'if [ "$(sort -u {}.txt | wc -l)" -gt 4 ]; then echo {}; fi' > ../random.txt
Total hosts in list: 415
Hosts with enabled EXPORT: 368
Hosts with random keys for every connection: 137
Hosts with static keys for every connection: 231