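--- a/winshock_test.sh
+++ b/winshock_test.sh
@@ -0,0 +1,269 @@
+#!/bin/bash
+#
+# winshock_test.sh
+#
+# This script tries to determine whether the target system has the
+# winshock (MS14-066) patches applied or not.
+# This is done by checking if the SSL ciphers introduced by MS14-066 are
+# available on the system.
+#
+#
+# Authors:
+# Stephan Peijnik <speijnik@anexia-it.com>
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2014 ANEXIA Internetdienstleistungs GmbH
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+VERSION=0.2.1
+HOST=1ドル
+PORT=${2:-443}
+
+if [ -z "$HOST" -o -z "$PORT" ]
+then
+ echo "Usage: 0ドル host [port]"
+ echo "port defaults to 443."
+ exit 1
+fi
+
+echo "Checking if script is up-to-date..."
+REMOTE_VERSION=$(curl -k https://raw.githubusercontent.com/anexia-it/winshock-test/master/winshock_test.sh 2>/dev/null | grep '^VERSION=' | sed -e 's/^VERSION=//g')
+
+if [[ "$REMOTE_VERSION" != "$VERSION" ]]
+then
+ echo -e "033円[91mYou are running an outdated version of this script."
+ echo "The most recent version is $REMOTE_VERSION."
+ echo -e "It is highly recommended to update your script first.033円[0m"
+ read -p "Do you want to continue? (y/N) " -n 1 -r
+ if [[ ! "$REPLY" =~ ^[Yy]$ ]]
+ then
+ exit 2
+ fi
+else
+ echo "Script is up-to-date."
+fi
+
+echo -e "\n033円[91m"
+cat <<IMP
+*** IMPORTANT ***
+This script is intended to give you a hint on whether the MS14-66 patches
+have been installed or not.
+
+Please do NOT rely on the results this script is giving, as the correctness
+of the results can be impacted by manual modifications of cipher suites
+with tools like IIS Crypto or load balancers or SSL-offloaders between
+you and the target host.
+
+Also, this script is unreliable if the target system is running
+Windows Server 2012 R2, as the ciphers this script is testing for were present 
+on Windows Server 2012 R2 without the MS14-066 updates as well.
+If the checks are executed against IIS the result for Windows Server 2012 R2 
+will be presented as "UNKNOWN".
+IMP
+
+echo -e "033円[93m"
+
+cat <<WARN
+*** WARNING ***
+A negative result presented by this script does NOT mean that you do not
+have to install the MS14-66 patches on the target system. 
+Make sure to update all your Windows installations, regardless of the
+results this script gives you.
+
+WARN
+
+echo -e "033円[0m"
+read -p "I have read and understood the messages above. (y/N) " -n 1 -r
+if [[ ! "$REPLY" =~ ^[yY]$ ]]
+then
+ echo -e "\n033円[91mAborting. Please re-run and confirm that you have read and understood the messages above.033円[0m"
+ exit 4
+fi
+echo ""
+
+# According to https://technet.microsoft.com/library/security/ms14-066 the
+# following ciphers were added with the patch:
+# * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+# * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+# * TLS_RSA_WITH_AES_256_GCM_SHA384
+# * TLS_RSA_WITH_AES_128_GCM_SHA256
+#
+# The OpenSSL cipher names for these ciphers are:
+MS14_066_CIPHERS="DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-GCM-SHA256"
+# Ciphers supported by Windows Server 2012R2
+WINDOWS_SERVER_2012R2_CIPHERS="ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA"
+
+# Test if OpenSSL does support the ciphers we're checking for...
+echo -n "Testing if OpenSSL supports the ciphers we are checking for: "
+openssl_ciphers=$(openssl ciphers)
+
+for c in $MS14_066_CIPHERS
+do
+ if ! echo $openssl_ciphers | grep -q $c 2>&1 >/dev/null
+ then
+ echo -e "033円[91mNO (OpenSSL does not support $c cipher.)033円[0m"
+ echo -e "033円[91mAborting."
+ exit 5
+ fi
+done
+
+echo -e "033円[92mYES033円[0m"
+
+SERVER=$HOST:$PORT
+
+echo -e "\n033円[94mTesting ${SERVER} for availability of SSL ciphers added in MS14-066...033円[0m"
+
+patched="no"
+for cipher in ${MS14_066_CIPHERS}
+do
+ echo -en "Testing cipher ${cipher}: "
+ result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
+ if [[ "$result" =~ "connect:errno=" ]]
+ then
+ err=$(echo $result | grep ^connect: \
+ | sed -e 's/connect:errno=.*//g' -e 's/connect: //g')
+ echo -e "033円[93mConnection error: $err"
+ echo -e "Aborting checks.033円[0m"
+ exit 1
+ elif [[ "$result" =~ "SSL23_GET_SERVER_HELLO:unknown protocol" ]]
+ then
+ echo -e "033円[93mNo SSL/TLS support on target port."
+ echo -e "Aborting checks.033円[0m"
+ exit 1
+ elif [[ "$result" =~ "SSL_CTX_set_cipher_list:no cipher match" ]]
+ then
+ echo -e "033円[93mYour version of OpenSSL is not supported."
+ echo -e "Aborting checks.033円[39m"
+ exit 1
+ elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher : ${cipher}" ]]
+ then
+ echo -e "033円[92mSUPPORTED033円[0m"
+ if [[ "$patched" == "no" ]]
+ then
+ patched="yes"
+ fi
+ else
+ echo -e "033円[91mUNSUPPORTED033円[0m"
+ fi
+done
+
+windows_server_2012_or_later="no"
+windows_server_2012_r2="no"
+iis_detected="no"
+# added by @stoep: check whether a 443 port runs IIS
+if [[ "$PORT" == "443" ]]
+then
+ iis=$(curl -k -I https://$SERVER 2> /dev/null | grep "Server" )
+ echo -n "Testing if IIS is running on port 443: "
+ if [[ $iis == *Microsoft-IIS* ]]
+ then 
+ iis_version=$(echo $iis | sed -e 's|Server: Microsoft-IIS/||g')
+ iis_detected="yes"
+ echo -e "033円[92mYES - Version ${iis_version}033円[0m"
+ if [[ $iis_version == *8.5* ]]
+ then
+ echo -e "033円[91mWindows Server 2012 R2 detected. Results of this script will be inconclusive.033円[0m"
+ windows_server_2012_or_later="yes"
+ windows_server_2012_r2="yes"
+ elif [[ $iis_version == *8.0* ]]
+ then
+ windows_server_2012_or_later="yes"
+ windows_server_2012_r2="no"
+ fi
+ else
+ echo -e "033円[91mNO033円[0m"
+ fi
+fi
+
+# Check if Windows Server 2012 or later is running on the remote system...
+if [[ "$windows_server_2012_or_later" == "no" && "$iis_detected" == "no" ]]
+then
+ echo -e "033円[94mChecking if target system is running Windows Server 2012 or later...033円[0m"
+ for cipher in ${WINDOWS_SERVER_2012R2_CIPHERS}
+ do
+ echo -en "Testing cipher ${cipher}: "
+ result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
+ if [[ "$result" =~ "connect:errno=" ]]
+ then
+ err=$(echo $result | grep ^connect: \
+ | sed -e 's/connect:errno=.*//g' -e 's/connect: //g')
+ echo -e "033円[93mConnection error: $err"
+ echo -e "Aborting checks.033円[0m"
+ exit 1
+ elif [[ "$result" =~ "SSL23_GET_SERVER_HELLO:unknown protocol" ]]
+ then
+ echo -e "033円[93mNo SSL/TLS support on target port."
+ echo -e "Aborting checks.033円[0m"
+ exit 1
+ elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher : ${cipher}" ]]
+ then
+ echo -e "033円[92mSUPPORTED033円[0m"
+ if [[ "$windows_server_2012_or_later" == "no" ]]
+ then
+ windows_server_2012_or_later="yes"
+ break
+ fi
+ else
+ echo -e "033円[91mUNSUPPORTED033円[0m"
+ fi
+ done
+fi
+
+if [[ "$patched" == "yes" && "$windows_server_2012_or_later" == "no" ]]
+then
+ patched="033円[92mYES033円[0m"
+elif [[ "$patched" == "yes" ]]
+then
+ patched="033円[93mUNKNOWN"
+ if [[ "$windows_server_2012_r2" == "yes" ]]
+ then
+ patched="$patched: Windows Server 2012 R2 detected."
+ else
+ patched="$patched: Windows Server 2012 or later detected."
+ fi
+else
+ patched="033円[91mNO033円[0m"
+fi
+
+echo -e "033円[94m$SERVER is patched: $patched033円[0m"
+echo -e "\n033円[93m"
+cat <<EOF 
+*** IMPORTANT ***
+
+Please keep in mind that the patch-status reported above is only a hint and
+may generate both false-positive and false-negative results in some cases.
+
+If Windows Server 2012 R2 is reported above results WIIL BE incorrect.
+If Windows Server 2012 or later is reported above results MAY BE incorrect,
+please test again against IIS running on port 443.
+
+The information above may be incorrect if:
+
+* the available SSL ciphers have been modified manually
+* you are not directly connecting to the target system
+* the target system is running Windows Server 2012 R2
+
+Please do apply the MS14-066 patches to all your systems regardless
+of the results presented above!
+
+EOF
+echo -en "033円[0m"
+exit 0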
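Review bot: The local OpenSSL support check on the `grep -q $c` line is a substring match, so `AES256-GCM-SHA384` is reported as supported whenever only `DHE-RSA-AES256-GCM-SHA384` is present in the `openssl ciphers` output, and `2>&1 >/dev/null` silences stdout rather than stderr; match whole entries of the colon-separated list instead, `if ! printf '%s\n' "$openssl_ciphers" | tr ':' '\n' | grep -qxF -- "$c"`. The update check fetches the script with `curl -k`, which disables certificate verification for no benefit here, and an offline run leaves `REMOTE_VERSION` empty so the user is told the newest version is "." and prompted as if outdated; drop `-k`, add `-fsS`, and treat a failed curl as "could not check" rather than "outdated". Both `openssl s_client` loops use `-connect $SERVER` with no `-servername "$HOST"`, so a target whose TLS configuration is selected by SNI may answer for a different site; adding `-servername "$HOST"` (and quoting `"$SERVER"`) makes the cipher result reflect the intended host. The error-text matches such as `SSL23_GET_SERVER_HELLO:unknown protocol` look tied to one OpenSSL release's message wording and will probably fall through to "UNSUPPORTED" on newer versions, which deserves a comment on that branch. `[ -z "$HOST" -o -z "$PORT" ]` uses the deprecated `-o`; `[[ -z "$HOST" || -z "$PORT" ]]` is the bash form.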