SSL/TLS类漏洞验证与修复
近期工作中总会遇到一些关于SSL/TLS类的漏洞被扫描工具扫除来,就翻阅网络上关于这类漏洞的成因与验证方法做一些总结,便于日后翻阅。
扫描的漏洞类似这样:
- SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)【原理扫描】
- SSL/TLS RC4 信息泄露漏洞(CVE-2013-2566)【原理扫描】
本文主要参考自:https://www.cnblogs.com/nul1/p/11233607.html
什么是TLS和SSL?
安全套接层(SSL)和传输层安全(TLS)加密用于通过互联网提供通信安全(传输加密)和来保护网络流量和互联网上的隐私,用于诸如网络,电子邮件,即时消息(IM)和一些虚拟专用网络(VPN)。
因此,TLS安全配置很重要,应花时间学习如何识别常见的漏洞和安全配置错误。
TLS / SSL安全测试工具
测试要用到一个强大的工具 testssl.sh 它涵盖了TLS和SSL评估所需的所有测试所需工具
您可以通过执行其git clone来安装最新版本的tesetssl.sh:
git clone https://github.com/drwetter/testssl.sh.git
root@kali:~/testssl.sh# ./testssl.sh "testssl.sh [options] <URI>" or "testssl.sh <options>" "testssl.sh <options>", where <options> is: --help what you're looking at -b, --banner displays banner + version of testssl.sh -v, --version same as previous -V, --local pretty print all local ciphers -V, --local <pattern> which local ciphers with <pattern> are available? If pattern is not a number: word match <pattern> is always an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits "testssl.sh <URI>", where <URI> is: <URI> host|host:port|URL|URL:port port 443 is default, URL can only contain HTTPS protocol) "testssl.sh [options] <URI>", where [options] is: -t, --starttls <protocol> Does a default run against a STARTTLS enabled <protocol, protocol is <ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres|mysql> --xmpphost <to_domain> For STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed --mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25) --file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>. Can be combined with --serial or --parallel. Implicitly turns on "--warnings batch". Text format 1: Comments via # allowed, EOF signals end of <fname> Text format 2: nmap output in greppable format (-oG), 1 port per line allowed --mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter) --warnings <batch|off> "batch" doesn't continue when a testing error is encountered, off continues and skips warnings --connect-timeout <seconds> useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return --openssl-timeout <seconds> useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated single check as <options> ("testssl.sh URI" does everything except -E and -g): -e, --each-cipher checks each local cipher remotely -E, --cipher-per-proto checks those per protocol -s, --std, --standard tests certain lists of cipher suites by strength -p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2) -g, --grease tests several server implementation bugs like GREASE and size limitations -S, --server-defaults displays the server's default picks and certificate info -P, --server-preference displays the server's picks: protocol+cipher -x, --single-cipher <pattern> tests matched <pattern> of ciphers (if <pattern> not a number: word match) -c, --client-simulation test client simulations, see which client negotiates with cipher and protocol -h, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address -U, --vulnerable tests all (of the following) vulnerabilities (if applicable) -H, --heartbleed tests for Heartbleed vulnerability -I, --ccs, --ccs-injection tests for CCS injection vulnerability -T, --ticketbleed tests for Ticketbleed vulnerability in BigIP loadbalancers -BB, --robot tests for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability -R, --renegotiation tests for renegotiation vulnerabilities -C, --compression, --crime tests for CRIME vulnerability (TLS compression issue) -B, --breach tests for BREACH vulnerability (HTTP compression issue) -O, --poodle tests for POODLE (SSL) vulnerability -Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation -W, --sweet32 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability -A, --beast tests for BEAST vulnerability -L, --lucky13 tests for LUCKY13 -F, --freak tests for FREAK vulnerability -J, --logjam tests for LOGJAM vulnerability -D, --drown tests for DROWN vulnerability -f, --pfs, --fs, --nsa checks (perfect) forward secrecy settings -4, --rc4, --appelbaum which RC4 ciphers are being offered? tuning / connect options (most also can be preset via environment variables): --fast omits some checks: using openssl for all ciphers (-e), show only first preferred cipher. -9, --full includes tests for implementation bugs and cipher per protocol (could disappear) --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks --ssl-native fallback to checks with OpenSSL where sockets are normally used --openssl <PATH> use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh) --proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from $env ($http(s)_proxy) -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity --ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI b) arg "one" means: just test the first DNS returns (useful for multiple IPs) -n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records --sneaky leave less traces in target logs: user agent, referer --ids-friendly skips a few vulnerability checks which may cause IDSs to block the scanning IP --phone-out allow to contact external servers for CRL download and querying OCSP responder --add-ca <cafile> path to <cafile> or a comma separated list of CA files enables test against additional CAs. --basicauth <user:pass> provide HTTP basic auth information. output options (can also be preset via environment variables): --quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner --wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name --show-each for wide outputs: display all ciphers tested -- not only succeeded ones --mapping <openssl| openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default) iana|rfc -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form no-openssl| -> don't display the OpenSSL cipher suite name, display IANA/(RFC) names only no-iana|no-rfc> -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only --color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers) --colorblind swap green and blue in the output --debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
测试单个主机上的所有内容并输出到控制台
./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST
测试单个主机上的所有内容并输出到HTML
./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST | aha> OUTPUT-FILE.html
漏洞详情与回顾
SSL/TLS RC4 信息泄露漏洞(CVE-2013-2566)【原理扫描】 | ||||
|
SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)【原理扫描】 | ||||
|
RC4 CVE-2013-2566
TLS协议和SSL协议中使用的RC4算法具有许多单字节偏移。远程攻击者可以通过使用相同明文的大量会话中的密文统计分析来进行明文破解攻击。
自动RC4测试
testssl.sh RC4测试
./testssl.sh -4 目标
手动RC4测试
使用./testssl.sh -E TARGET手动枚举服务器密码或者nmap -p 443 --script=ssl-enum-ciphers TARGET确保服务器支持密码类型不使用RC4。
TLS和SSL证书
对没有加密的服务器证书应该被评估为配置错误和弱加密签名,下面是证书检查的项目列表:
使用以下方式获取目标服务器证书:
openssl s_client -connect TARGET:443 | openssl x509 -noout -text
证书检查项目表
名称 | 描述 |
---|---|
识别证书颁发者 | 确保证书颁发机构(CA)来自受信任的来源,不使用自签名证书,因为自签名证书允许中间人员攻击(除非是内部的,并且与内部CA签名)。 |
签名算法 | 用于确保证书完整性的算法,您应该确保密码是安全的,而不是使用MD5(已知不安全)或SHA1。 |
公钥 | 关键长度应该足够长以确保它不能被破解,最小值应该是2048位。 |
Not Before | 证书开始日期。 |
Not After | 证书结束日期。 |
Subject&Subject Alternative Name | Subject应该列出证书所涉及的DNS名称,如果这是不正确的浏览器会引发错误。Subject Alternative Name应列出通配符证书的DNS名称,应列出此证书的所有DNS名称。 |
123
为美好的生活奋斗!