see discussion below
Is there an example freak site that can be tested that prints "1"? All sites I have tested so far return 0.
openssl s_client -cipher EXPORT -connect sohu.com:443 </dev/null 2>/dev/null |grep SSL-Session: -c
Prints 1
This is how it looks for:
~$ bash freak.sh
Obtaining cipher list from OpenSSL 0.9.8zc 15 Oct 2014.
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...YES
Testing EXP-RC4-MD5...YES
Testing EXP-RC2-CBC-MD5...YES
Testing EXP-RC4-MD5...YES
WARNING: Upon further investigation, NONE of these openssl based methods are good enough. Not this gist and not my own suggestion earlier.
It looks like 'openssl s_client' does not "detect" a cipher it doesn't support itself. So if the machine you're testing FROM is fairly up-to-date, you may miss any ciphers that are already removed from your version. I haven't checked if this is a real-world issue and I don't have time for that right now, so I opt for a different detection mechanism that will detect all combinations.
I suggest using nmap instead.
nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT
This is a lot slower, but it catches all export ciphers.
And if you need a drop-in replacement for my earlier command, which prints 1 for vulnerable and 0 for clean:
nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT -l |wc -l
On my system (CentOS 6.6), nmap outputs on STDERR not STDOUT... so you need an extra 2>&1 to avoid false "safe" messages... i.e.
nmap --script ssl-enum-ciphers -p 443 sohu.com 2>&1 | grep EXPORT -l | wc -l
Edit...
Hmm... not quite true... for sohu.com (as above..) I need it... but for example, for mumsnet.com I didn't ?? Don't have time to experiment... but to be sure... I'd check the output....
You can use this online tool to check if your webserver is vulnerable:
Great feedback and discussion, it looks like nmap is indeed a better method:
nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT
WARNING, this is not the correct approach. See my later comment.
This approach is slow if you need to check many servers..
You don't need to connect multiple times to the server, just give it "EXPORT" as cipher, like so:
$ openssl s_client -cipher EXPORT -connect lg.com:443
I use this command line to test. It takes only 1 request per server:
$ openssl s_client -cipher EXPORT -connect lg.com:443 </dev/null 2>/dev/null |grep SSL-Session: -c
prints "1" if export-ciphers are enabled (meaning you're vulnerable), else it prints "0".
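Added example, not from the gist or any commenter: the warning in this thread notes that `openssl s_client` cannot detect a cipher the local OpenSSL build does not support, so this script reports INCONCLUSIVE in that case instead of printing 0. The function names and the sample s_client excerpts are constructed for illustration, and it matches on the negotiated suite name (`Cipher is EXP...`) rather than counting `SSL-Session:`.

```shell
#!/bin/sh
# Added example, not part of the gist: three-state EXPORT-cipher probe.

# EXPORT suites the local openssl build can still offer, one per line.
# Empty output means this client cannot test for them at all.
local_export_ciphers() {
    openssl ciphers EXPORT 2>/dev/null | tr ':' '\n' | grep '^EXP' || true
}

# classify_probe LOCAL_CIPHERS S_CLIENT_OUTPUT
# Prints INCONCLUSIVE, VULNERABLE or CLEAN.
classify_probe() {
    if [ -z "$1" ]; then
        echo INCONCLUSIVE   # client has no EXPORT suites: a "0" would prove nothing
    elif printf '%s\n' "$2" | grep -q 'Cipher is EXP'; then
        echo VULNERABLE     # server negotiated an EXP* suite
    else
        echo CLEAN          # client offered EXPORT suites, server refused them
    fi
}

# check_host HOST [PORT]: one connection, like the thread's single-request command.
check_host() {
    ciphers=$(local_export_ciphers)
    out=''
    if [ -n "$ciphers" ]; then
        out=$(openssl s_client -cipher EXPORT -connect "$1:${2:-443}" </dev/null 2>&1) || true
    fi
    classify_probe "$ciphers" "$out"
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
SSL-Session:
    Cipher    : EXP-RC4-MD5'
SAMPLE_REFUSED='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'

# Probe a host only when one is given on the command line.
if [ $# -gt 0 ]; then check_host "$@"; fi
```

An INCONCLUSIVE result means the scan has to be repeated from a client that still ships EXPORT suites, or with a scanner that does not depend on the local OpenSSL, such as the nmap script mentioned in the thread.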