Last active
August 29, 2015 14:07
-
-
Save bitfolk/18e8f48ebe937e802967 to your computer and use it in GitHub Desktop.
Horrible shell hack to check for enabled SSLv3 on port 443 of a CIDR mask
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Horrible shell hack to check for enabled SSLv3 on port 443 of a CIDR mask. | |
| # | |
| # This is pretty slow because it does them in series. Sticking a '&' on the end | |
| # of the for loop (so "done &" instead of "done") will execute openssl against | |
| # every IP:443 at once. If there's too many to do at once then I suggest | |
| # lashing something up with GNU parallel. | |
| # | |
| # Note also that nmap itself can check for SSLv3 with something like: | |
| # | |
| # for IP in $(nmap --open -sT -p 443 -oG - 192.168.80.0/23 | awk '/Ports/ {print $2}'); do nmap --script ssl-enum-ciphers -sT -p 443 $IP | grep -q SSLv3 && echo "$IP might need fixing"; done | |
| # | |
| # but this seems to be very slow. | |
| # | |
| # Requires: | |
| # | |
| # nmap | |
| # timeout (part of coreutils on Debian/Ubuntu) | |
| # openssl | |
| # | |
| # Example: | |
| # | |
| # $ ./check_poodle.sh 192.168.80.0/23 | grep -v ^# | |
| # ! 192.168.80.216 might need fixing | |
| # ! 192.168.80.220 might need fixing | |
| # ! 192.168.80.221 might need fixing | |
| # ! 192.168.80.223 might need fixing | |
| # ! 192.168.80.239 might need fixing | |
| # ! 192.168.80.244 might need fixing | |
| # ! 192.168.80.246 might need fixing | |
| # ! 192.168.80.247 might need fixing | |
| # ! 192.168.80.252 might need fixing | |
| # ! 192.168.80.254 might need fixing | |
| set -e | |
| set -u | |
| # nmap aggression level. | |
| # | |
| # You should only be doing this against your own hosts and nmap docs suggest | |
| # that a decent broadband connection should be able to cope with level 4. If | |
| # you are going through some sort of IDS though, maybe you want to lower | |
| # aggression in order to not trip it. Maximum (most aggressive) is 5, least | |
| # aggressive is 0. | |
| # | |
| # Some example timings, against a /22 (1024 IPs) where roughly half are | |
| # unreachable, across a broadband connection ~8ms away: | |
| # | |
| # 3: 16.88seconds | |
| # 4: 9.53s | |
| # 5: 6.44s | |
| # | |
| # Levels below 3 take several minutes and I can't really be bothered… | |
| AGGRESSION=4 | |
| poodle_check_openssl() | |
| ( | |
| TARGET=$1 | |
| timeout 5 openssl s_client -connect ${TARGET}:443 -ssl3 2>&1 | egrep -q '(SSL alert number 40|SSL3_GET_RECORD:wrong version number)' | |
| ) | |
| echo "# Checking for open port 443 in $1..." | |
| for IP in $(nmap -T${AGGRESSION} --open -sT -p 443 -oG - $1 | awk '/Ports/ {print $2}'); do | |
| echo "# Checking $IP..." | |
| if poodle_check_openssl ${IP}; then | |
| echo "#\t$IP looks alright" | |
| else | |
| echo "!\t$IP might need fixing" | |
| fi | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment