Wednesday, 28 May 2014

Titania Free Tools

Nigel Matthews and Max McFarlane (Free Tools Development Team, Titania)


About the Authors

Titania's Free Tools Team has worked hard to build and maintain a number of free tools, which have now been released to assist other auditors and penetration testers with their work.


Since the developers at Titania come from a penetration testing background, over the years they have created a number of tools to assist with their work. Some of those tools have been released to help other penetration testers with theirs. This article takes a look at two of those tools, SSL Scan and Banner Grab, and also offers an exclusive insight into a number of updates that will be released soon.

Although packages are available on Linux platforms for some of these tools, they are distributed in source code form. This article shows how they can be compiled from the source code and run.

SSL Scan

The purpose of SSL Scan is to determine what encryption ciphers are supported by a particular SSL service. It also obtains a copy of the SSL certificate, determines default ciphers and can send additional service probes to determine if the cipher can actually be used with the service. Some SSL servers will accept negotiation with an encryption cipher, but the service then disallows it.

SSL Scan makes use of the OpenSSL library to create a list of potential ciphers that are then used to test a service.

Compilation

From the SSL Scan page on the Titania website, follow the link to download SSL Scan (the latest version is 1.8.2). You will also need OpenSSL (and the development libraries, if these are separate on your system) and the GNU C++ compiler. You may be able to use Cygwin / MinGW on Windows.

Extract the source code to a directory and then open a command prompt in that directory. You can then compile the source code using the following command:
gcc -o sslscan sslscan.c -lssl -lcrypto

On Apple Mac OS X systems the procedure is slightly different, as you need to use the MacPorts version of OpenSSL rather than the restricted version that Apple supplies. You can download and install MacPorts from macports.org. Once installed, execute the following command to install the MacPorts version of OpenSSL:
sudo port install openssl

Then you can compile SSL Scan using the following command:
gcc -I/opt/local/include -L/opt/local/lib -o sslscan sslscan.c -lssl -lcrypto

Using SSL Scan

Now that SSL Scan is compiled, you can obtain help on the command line options by typing the following command (see Listing 1):
./sslscan --help

Listing 1. ‘sslscan --help’ results

Command:
./sslscan [Options] [host:port | host]

Options:
--targets=<file>             A file containing a list of hosts to
                             check. Hosts can be supplied with
                             ports (i.e. host:port).

--no-failed                  List only accepted ciphers (default
                             is to listing all ciphers).

--ssl2                       Only check SSLv2 ciphers.

--ssl3                       Only check SSLv3 ciphers.

--tls1                       Only check TLSv1 ciphers.

--pk=<file>                  A file containing the private key or
                             a PKCS#12 file containing a private
                             key/certificate pair (as produced by
                             MSIE and Netscape).

--pkpass=<password>          The password for the private key or
                             PKCS#12 file.

--certs=<file>               A file containing PEM/ASN1 formatted
                             client certificates.

--starttls                   If a STARTTLS is required to kick an
                             SMTP service into action.

--http                       Test a HTTP connection.

--bugs                       Enable SSL implementation bug
                             workarounds.

--xml=<file>                 Output results to an XML file.

--version                    Display the program version.

--quiet                      Be quiet

--help                       Display the help text you are now
                             reading.

Example:
./sslscan 127.0.0.1

To use SSL Scan to determine what ciphers a standard HTTPS server operating on port 443 supports (using Google as an example):
./sslscan www.google.com

You will then receive information similar to what you can see in Listing 2.

Listing 2. Testing SSL server www.google.com on port 443

Testing SSL server www.google.com on port 443

Supported Server Cipher(s):
Rejected SSLv2 168 bits  DES-CBC3-MD5
Rejected SSLv2 128 bits  RC2-CBC-MD5
Rejected SSLv2 128 bits  RC4-MD5
Rejected SSLv2 56  bits  DES-CBC-MD5
Rejected SSLv2 40  bits  EXP-RC2-CBC-MD5
Rejected SSLv2 40  bits  EXP-RC4-MD5
Failed SSLv3 256 bits  ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits  ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits  ECDHE-ECDSA-AES256-SHA384
Accepted SSLv3 256 bits  ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits  ECDHE-ECDSA-AES256-SHA
Rejected SSLv3 256 bits  SRP-DSS-AES-256-CBC-SHA
Rejected SSLv3 257 bits  SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 258 bits  DHE-DSS-AES256-GCM-SHA384

SSL Scan can be integrated into third-party products by using the XML output option. The XML results can then be imported and managed by your own custom applications. To do this you can use the following command:
./sslscan --xml=scan-results.xml www.google.com
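As an added example, not part of SSL Scan itself: a small Python parser for the text output format shown in Listing 2, which picks out the suites the server Accepted and reports the ones a current cipher policy would reject. The sample output embedded below is constructed in that format and is not a real scan result.

```python
import re

# Constructed sample in the format of sslscan's text output (Listing 2); not a real scan.
SAMPLE = """Testing SSL server www.example.com on port 443

Supported Server Cipher(s):
Accepted SSLv2 128 bits  RC4-MD5
Rejected SSLv2 40  bits  EXP-RC2-CBC-MD5
Failed SSLv3 256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted SSLv3 256 bits  ECDHE-RSA-AES256-SHA
Accepted TLSv1 40  bits  EXP-RC4-MD5
Accepted TLSv1 128 bits  AES128-SHA
"""

# One result line: status, protocol, key length, OpenSSL cipher name.
LINE = re.compile(r"^(Accepted|Rejected|Failed)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)$")

def parse_sslscan(text):
    """Return (status, version, bits, cipher) tuples from sslscan text output."""
    results = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            results.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return results

def weak_reasons(version, bits, cipher):
    """Policy check: reasons a suite the server accepted should be reported."""
    reasons = []
    if version in ("SSLv2", "SSLv3"):
        reasons.append("deprecated protocol " + version)
    if bits < 128:
        reasons.append("key length %d bits" % bits)
    if cipher.startswith("EXP-"):
        reasons.append("export-grade suite")
    if "RC4" in cipher:
        reasons.append("RC4 stream cipher")
    if cipher.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons

def flag_weak(text):
    """List (version, cipher, reasons) for every Accepted suite that fails the policy.
    Rejected means the server refused the suite and Failed means the handshake
    errored, so neither is a live exposure and both are skipped."""
    flagged = []
    for status, version, bits, cipher in parse_sslscan(text):
        if status == "Accepted":
            reasons = weak_reasons(version, bits, cipher)
            if reasons:
                flagged.append((version, cipher, reasons))
    return flagged
```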

Banner Grab

When performing a penetration assessment, obtaining network service banners can often provide useful information. This information is not always accurately processed and reported by vulnerability scanners. Information leakage from a network service banner can have the potential to lead an attacker toward software vulnerabilities. For example, SSH service banners will often include both software and version details.

Titania developed Banner Grab to fetch the service banner information for you. In addition to standard service banners, Banner Grab can send specially formatted triggers for different types of service in order to obtain as much information as possible. By default, Banner Grab sends a trigger when the port is a common one that has a trigger defined.

Compilation

From the Banner Grab page on the Titania website, follow the link to download Banner Grab (the latest version is 3.6). If you want to compile Banner Grab with SSL support then you will need to download OpenSSL (and the development libraries, if these are separate on your system). You will also need the GNU C++ compiler. You may be able to use Cygwin / MinGW on Windows.

Extract the source code to a directory and then open a command prompt in that directory. You can then compile the source code using the following command:
gcc -o bannergrab bannergrab.c -lssl -lcrypto

If you want to build Banner Grab without SSL support you can use the following:
gcc -DNOSSL -o bannergrab bannergrab.c

Using Banner Grab

Once compiled you can get help on Banner Grab by typing the following command:
./bannergrab --help

The result should be similar to what you can see in Listing 3.

Listing 3. ‘./bannergrab --help’ results

Command:
./bannergrab [Options] host port

Options:
--udp                        Connect to a port using UDP.
                             The default is to use TCP.

--no-triggers                Collect only the connection banner,
                             no triggers and no SSL.

--trigger=<trigger>          Specify the trigger to use. Specify
                             DEFAULT to use the default trigger.

--no-ssl                     Prevent SSL connection creation.

--no-hex                     Output containing non-printable
                             characters are converted to hex.
                             This option prevents the
                             conversion.

--conn-time=<secs>           Connection timeout (default is 5s).

--read-time=<secs>           Read timeout (default is 3s).

--verbose                    Show additional program details such
                             as any errors.

--show-triggers              Show the supported triggers.

--version                    Show the program version.

--help                       Display the help text you are
                             reading now.

Example:
./bannergrab 127.0.0.1 80

To get a simple banner from an SSH server you could type the following:
./bannergrab 192.168.0.22 22

On my test SSH service the result was:
SSH-2.0-OpenSSH_5.3

As you can see, the SSH service returned not only the SSH protocol version but also the SSH service software and its version. This is very useful information for an attacker attempting to identify software vulnerabilities to exploit.

I mentioned earlier that Banner Grab sends triggers to a service to identify additional information. In the next example I will use Banner Grab to get service information from an SNMP service. The command was:
./bannergrab --udp 192.168.0.12 161

See the results in Listing 4.

Listing 4. ‘./bannergrab --udp 192.168.0.12 161’ results



When the information returned from a service includes non-printable characters, Banner Grab returns the information as hex values with the printable characters to the right. As you can see from the returned information, it appears to be an HP device that supports the community strings “public” and “private”.
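As an added example, not Banner Grab's own code: a minimal Python banner grabber with the same connection and read timeouts as the tool's --conn-time and --read-time options, the hex-with-printables output format described above for binary replies, and a parser for the SSH banner shown earlier. The SNMP-like bytes in the block are constructed for the demonstration, not a real capture.

```python
import socket

PRINTABLE = set(range(0x20, 0x7f))   # printable ASCII, shown on the right of a hex dump
# Constructed bytes resembling the start of an SNMP reply (not a real capture).
SAMPLE_SNMP = b"\x30\x0c\x02\x01\x00\x04\x06public"

def grab_banner(host, port, udp=False, trigger=b"", conn_time=5, read_time=3):
    """Connect, optionally send a trigger, and return what the service sends back.
    conn_time and read_time mirror Banner Grab's --conn-time and --read-time."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(conn_time)
        s.connect((host, port))
        if trigger:
            s.sendall(trigger)
        s.settimeout(read_time)
        data = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass   # the service has gone quiet; return what we have
    return data

def hexdump(data, width=16):
    """Hex bytes on the left, printable characters on the right."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append("%08x  %s  %s" % (off, hexpart, text))
    return "\n".join(lines)

def format_banner(data):
    """Plain text banners are returned as-is; anything with non-printable bytes is hex dumped."""
    stripped = data.rstrip(b"\r\n")
    if all(b in PRINTABLE for b in stripped):
        return stripped.decode("ascii")
    return hexdump(data)

def parse_ssh_banner(banner):
    """Split 'SSH-2.0-OpenSSH_5.3' into protocol version and software/version string."""
    if not banner.startswith("SSH-") or banner.count("-") < 2:
        return None
    _, proto, software = banner.split("-", 2)
    return {"protocol": proto, "software": software}
```

Pair the parsed software string with your patch inventory to spot hosts whose banners advertise builds you no longer expect to see.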

Future Developments

There are a number of exciting updates coming from the Titania Free Tool Development Team at the moment. The SSL Scan and Banner Grab tools described in this article are being updated, together with graphical versions of the tools. Banner Grab now also includes a port scanner to identify the live ports on a device prior to performing the banner grabbing.

The Free Tool Team has also been updating our other tools, such as IP Calculator, which now includes IPv6 support and provides many more address details. There will also be pre-compiled binary packages available for Windows, Linux and Mac systems, making them all much easier to use. For more information on our full portfolio of free tools, visit our website.
