@degan
Last active August 29, 2015 14:16
FREAK Attack server test
see discussion below
@dfaerch

dfaerch commented Mar 4, 2015

WARNING, this is not the correct approach. See my later comment.

This approach is slow if you need to check many servers.

You don't need to connect multiple times to the server, just give it "EXPORT" as cipher, like so:
$ openssl s_client -cipher EXPORT -connect lg.com:443

I use this command line to test. It takes only 1 request per server:
$ openssl s_client -cipher EXPORT -connect lg.com:443 </dev/null 2>/dev/null |grep SSL-Session: -c

prints "1" if export-ciphers are enabled (meaning you're vulnerable), else it prints "0".

@proxyblue

Is there an example freak site that can be tested that prints "1"? All sites I have tested so far return 0.

@barbrick

barbrick commented Mar 4, 2015

openssl s_client -cipher EXPORT -connect sohu.com:443 </dev/null 2>/dev/null |grep SSL-Session: -c

Prints 1

@kaspergrubbe

This is how it looks for:

~$ bash freak.sh
Obtaining cipher list from OpenSSL 0.9.8zc 15 Oct 2014.
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...YES
Testing EXP-RC4-MD5...YES
Testing EXP-RC2-CBC-MD5...YES
Testing EXP-RC4-MD5...YES

@dfaerch

dfaerch commented Mar 5, 2015

WARNING: Upon further investigation, NONE of these openssl-based methods are good enough. Not this gist and not my own suggestion earlier.

It looks like 'openssl s_client' does not "detect" a cipher it doesn't support itself. So if the machine you're testing FROM is fairly up-to-date, you may miss any ciphers that are already removed from your version. I haven't checked if this is a real-world issue and I don't have time for that right now, so I opt for a different detection mechanism that will detect all combinations.

I suggest using nmap instead.

nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT

This is a lot slower, but it catches all export ciphers.

And if you need a drop-in replacement for my earlier command, which prints 1 for vulnerable and 0 for clean:

nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT -l |wc -l

@MalcolmPreen

On my system (CentOS 6.6), nmap outputs on STDERR not STDOUT... so you need an extra 2>&1 to avoid false "safe" messages... i.e.

nmap --script ssl-enum-ciphers -p 443 sohu.com 2>&1 | grep EXPORT -l | wc -l

Edit...
Hmm... not quite true... for sohu.com (as above..) I need it... but for example, for mumsnet.com I didn't ?? Don't have time to experiment... but to be sure... I'd check the output....

@ebatista

ebatista commented Mar 5, 2015

You can use this online tool to check if your webserver is vulnerable:

http://www.freakattacktest.tk

@degan
Author

degan commented Mar 5, 2015

Great feedback and discussion, it looks like nmap is indeed a better method:

nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT
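
An added example, not part of the gist or any commenter's code: the one-liners above print 0 both when no export ciphers are offered and when the scan itself produced no cipher listing, so this sketch separates those cases. The function names are hypothetical, and the sample outputs are constructed on the assumption that nmap prints an `ssl-enum-ciphers:` header followed by suite names containing `EXPORT`.

```shell
#!/bin/sh
# Added example (not from the gist): classify ssl-enum-ciphers output.
# Sample outputs below are constructed, not real scan results.
SAMPLE_WEAK='443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|_  least strength: weak'
SAMPLE_CLEAN='443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|_  least strength: strong'
SAMPLE_FAILED='Failed to resolve "host.example".'

# Print each distinct export-grade suite name read from stdin.
list_export_ciphers() {
  grep -oE '(TLS|SSL2)_[A-Z0-9_]*EXPORT[A-Z0-9_]*' | sort -u
}

# Print 1 (export suites offered), 0 (script ran, none offered) or
# "unknown" (no ssl-enum-ciphers section, e.g. the scan itself failed).
export_status() (
  out=$(cat)
  if ! printf '%s\n' "$out" | grep -q 'ssl-enum-ciphers:'; then
    echo unknown
  elif printf '%s\n' "$out" | list_export_ciphers | grep -q .; then
    echo 1
  else
    echo 0
  fi
)

# Demo on the constructed samples; for a live check, pipe in
#   nmap --script ssl-enum-ciphers -p 443 HOST 2>&1
for s in "$SAMPLE_WEAK" "$SAMPLE_CLEAN" "$SAMPLE_FAILED"; do
  printf '%s\n' "$s" | export_status
done
```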
