Hi!

I just committed a change to the new cert_query NASL function which
allows extracting the list of hostnames in a reliable way.  There are
also a couple of other things which can be done with that.  Find example
code in openvas-libraries/nasl/tests/test_socket.nasl .  Some snippets:

  sock = open_sock_tcp(target_port,
                       transport:ENCAPS_TLScustom,
                       priority:strcat("NONE:+VERS-TLS1.0:",
                                       "+AES-256-CBC:+AES-128-CBC:",
                                       "+COMP-DEFLATE:+COMP-NULL:",
                                       "+RSA:+DHE-RSA:+DHE-DSS:+SHA1"));
  if (sock > 0) {
      display("\tencaps:     ", get_sock_info(sock, "encaps", asstring:1),"\n");
      display("\ttls-proto:  ", get_sock_info(sock, "tls-proto"), "\n");
      display("\ttls-kx:     ", get_sock_info(sock, "tls-kx"), "\n");
      certlist = get_sock_info(sock, "tls-cert");
      display("\ttls-cert: n=", max_index(certlist), "\n");
      if (defined_func("cert_open")) {
        for (i=0; i < max_index(certlist); i++) {
          cert = cert_open(certlist[i]);
          if (!cert)
            display("\ttls_cert: ",i,": error parsing certificate\n");
          else {
            hostnames = cert_query(cert, "hostnames");
            for (j=0; j < max_index(hostnames); j++) {
                display("\ttls_cert: ",i,":   hostname: ", hostnames[j], "\n");
            }
            cert_close(cert);
          }
        }
      }
  }

ENCAPS_TLScustom is also new and allows using a specific list of
SSL/TLS algorithms.  get_sock_info(sock, "tls-cert") returns the certs
of the peer (i.e. the server).

Example run:

  $ ../openvas-nasl -X  -t eff.org test_socket.nasl
  ** WARNING : packet forgery will not work
  ** as NASL is not running as root
  test_open_sock_tcp_tlscustom OK
        encaps:     TLScustom
        tls-proto:  TLS1.0
        tls-kx:     DHE-RSA
        tls-cipher: AES-256-CBC
        tls-mac:    SHA1
        tls-comp:   DEFLATE
        tls-auth:   CERT
        tls-ctype:  X.509
        tls-cert: n=2
        tls_cert: 0:     serial: 00DADF
        tls_cert: 0:     issuer: CN=StartCom Class 2 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
        tls_cert: 0:    subject: 1.2.840.113549.1.9.1=#686F73746D617374657240646566656E64696E6E6F766174696F6E2E6F7267,CN=*.defendinnovation.org,O=Electronic Frontier Foundation Inc.,L=San Francisco,ST=California,C=US,2.5.4.13=#533870666E5A3151684676336D383348
        tls_cert: 0: altsubject: (8:dns-name22:*.defendinnovation.org)
        tls_cert: 0: altsubject: (8:dns-name20:defendinnovation.org)
        tls_cert: 0: altsubject: (8:dns-name19:copyright-watch.org)
        tls_cert: 0: altsubject: (8:dns-name7:eff.org)
        tls_cert: 0: altsubject: (8:dns-name21:globalchokepoints.org)
        tls_cert: 0: altsubject: (8:dns-name27:jailbreakingisnotacrime.org)
        tls_cert: 0: altsubject: (8:dns-name14:ripmixmake.org)
        tls_cert: 0: altsubject: (8:dns-name21:*.copyright-watch.org)
        tls_cert: 0: altsubject: (8:dns-name9:*.eff.org)
        tls_cert: 0: altsubject: (8:dns-name23:*.globalchokepoints.org)
        tls_cert: 0: altsubject: (8:dns-name29:*.jailbreakingisnotacrime.org)
        tls_cert: 0: altsubject: (8:dns-name16:*.ripmixmake.org)
        tls_cert: 0: not-before: 20120614T025508
        tls_cert: 0:  not-after: 20140615T051658
        tls_cert: 0:   hostname: *.defendinnovation.org
        tls_cert: 0:   hostname: *.defendinnovation.org
        tls_cert: 0:   hostname: defendinnovation.org
        tls_cert: 0:   hostname: copyright-watch.org
        tls_cert: 0:   hostname: eff.org
        tls_cert: 0:   hostname: globalchokepoints.org
        tls_cert: 0:   hostname: jailbreakingisnotacrime.org
        tls_cert: 0:   hostname: ripmixmake.org
        tls_cert: 0:   hostname: *.copyright-watch.org
        tls_cert: 0:   hostname: *.eff.org
        tls_cert: 0:   hostname: *.globalchokepoints.org
        tls_cert: 0:   hostname: *.jailbreakingisnotacrime.org
        tls_cert: 0:   hostname: *.ripmixmake.org
        tls_cert: 1:     serial: 1A
        tls_cert: 1:     issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
        tls_cert: 1:    subject: CN=StartCom Class 2 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
        tls_cert: 1: not-before: 20071024T205709
        tls_cert: 1:  not-after: 20171024T205709


cert_query(cert, "hostnames") works by parsing the same information
as shown in subject and altsubject.  It shows a host from the CN only if
its value contains at least one dot.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
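
An added example, not part of the original message and not the cert_query implementation: a Python sketch that derives a hostname list from the `subject` and `altsubject` strings in the format printed by the example run above, applying the CN-needs-a-dot rule. It assumes the first CN in the subject string is the one used and that only `dns-name` alternative names count; the function names are hypothetical.

```python
import re

def parse_canon_sexp(text):
    """Split a flat canonical S-expression, e.g. '(8:dns-name7:eff.org)',
    into its length-prefixed atoms. Lengths are byte counts; the sample
    data here is ASCII, so characters and bytes coincide."""
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("not a parenthesised S-expression")
    body, pos, atoms = text[1:-1], 0, []
    while pos < len(body):
        m = re.match(r"(\d+):", body[pos:])
        if not m:
            raise ValueError("missing length prefix at offset %d" % pos)
        start, length = pos + m.end(), int(m.group(1))
        if start + length > len(body):
            raise ValueError("atom runs past end of expression")
        atoms.append(body[start:start + length])
        pos = start + length
    return atoms

def common_name(dn):
    """Return the first CN value of an RFC 2253 style DN string, or None.
    Splits on unescaped commas; escape sequences are not decoded."""
    for rdn in re.findall(r"(?:\\.|[^,\\])+", dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value
    return None

def hostnames(subject, altsubjects):
    """CN first (only if it contains a dot), then every dns-name entry.
    No de-duplication, matching the order seen in the example run."""
    names = []
    cn = common_name(subject)
    if cn and "." in cn:
        names.append(cn)
    for alt in altsubjects:
        atoms = parse_canon_sexp(alt)
        if len(atoms) == 2 and atoms[0] == "dns-name":
            names.append(atoms[1])
    return names

# Sample input taken from the example run, abridged (hex-encoded
# subject attributes and most altsubject lines omitted).
SUBJECT = ("CN=*.defendinnovation.org,O=Electronic Frontier Foundation Inc.,"
           "L=San Francisco,ST=California,C=US")
ALTSUBJECTS = ["(8:dns-name22:*.defendinnovation.org)",
               "(8:dns-name20:defendinnovation.org)",
               "(8:dns-name19:copyright-watch.org)",
               "(8:dns-name7:eff.org)"]
CA_SUBJECT = ("CN=StartCom Class 2 Primary Intermediate Server CA,"
              "OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL")
```

The wildcard CN appears twice in the result because it is also listed as an alternative name, which is what the example run shows for certificate 0; the intermediate CA's CN has no dot, so certificate 1 yields no hostnames.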
