|
| 1 | +#!/bin/bash |
| 2 | +# |
| 3 | +# winshock_test.sh |
| 4 | +# |
| 5 | +# This script tries to determine whether the target system has the |
| 6 | +# winshock (MS14-066) patches applied or not. |
| 7 | +# This is done by checking if the SSL ciphers introduced by MS14-066 are |
| 8 | +# available on the system. |
| 9 | +# |
| 10 | +# |
| 11 | +# Authors: |
| 12 | +# Stephan Peijnik <speijnik@anexia-it.com> |
| 13 | +# |
| 14 | +# The MIT License (MIT) |
| 15 | +# |
| 16 | +# Copyright (c) 2014 ANEXIA Internetdienstleistungs GmbH |
| 17 | +# |
| 18 | +# Permission is hereby granted, free of charge, to any person obtaining a copy |
| 19 | +# of this software and associated documentation files (the "Software"), to deal |
| 20 | +# in the Software without restriction, including without limitation the rights |
| 21 | +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
| 22 | +# copies of the Software, and to permit persons to whom the Software is |
| 23 | +# furnished to do so, subject to the following conditions: |
| 24 | +# |
| 25 | +# The above copyright notice and this permission notice shall be included in all |
| 26 | +# copies or substantial portions of the Software. |
| 27 | +# |
| 28 | +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 29 | +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 30 | +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 31 | +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 32 | +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
| 33 | +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 34 | +# SOFTWARE. |
| 35 | + |
| 36 | +VERSION=0.2.1 |
| 37 | +HOST=$1 |
| 38 | +PORT=${2:-443} |
| 39 | + |
| 40 | +if [-z"$HOST"-o-z"$PORT" ] |
| 41 | +then |
| 42 | +echo"Usage:$0 host [port]" |
| 43 | +echo"port defaults to 443." |
| 44 | +exit 1 |
| 45 | +fi |
| 46 | + |
| 47 | +echo"Checking if script is up-to-date..." |
| 48 | +REMOTE_VERSION=$(curl -k https://raw.githubusercontent.com/anexia-it/winshock-test/master/winshock_test.sh2>/dev/null| grep'^VERSION='| sed -e's/^VERSION=//g') |
| 49 | + |
| 50 | +if [["$REMOTE_VERSION"!="$VERSION" ]] |
| 51 | +then |
| 52 | +echo -e"\033[91mYou are running an outdated version of this script." |
| 53 | +echo"The most recent version is$REMOTE_VERSION." |
| 54 | +echo -e"It is highly recommended to update your script first.\033[0m" |
| 55 | +read -p"Do you want to continue? (y/N)" -n 1 -r |
| 56 | +if [[!"$REPLY"=~ ^[Yy]$ ]] |
| 57 | +then |
| 58 | +exit 2 |
| 59 | +fi |
| 60 | +else |
| 61 | +echo"Script is up-to-date." |
| 62 | +fi |
| 63 | + |
| 64 | +echo -e"\n\033[91m" |
| 65 | +cat<<IMP |
| 66 | +*** IMPORTANT *** |
| 67 | +This script is intended to give you a hint on whether the MS14-66 patches |
| 68 | +have been installed or not. |
| 69 | +
|
| 70 | +Please do NOT rely on the results this script is giving, as the correctness |
| 71 | +of the results can be impacted by manual modifications of cipher suites |
| 72 | +with tools like IIS Crypto or load balancers or SSL-offloaders between |
| 73 | +you and the target host. |
| 74 | +
|
| 75 | +Also, this script is unreliable if the target system is running |
| 76 | +Windows Server 2012 R2, as the ciphers this script is testing for were present |
| 77 | +on Windows Server 2012 R2 without the MS14-066 updates as well. |
| 78 | +If the checks are executed against IIS the result for Windows Server 2012 R2 |
| 79 | +will be presented as "UNKNOWN". |
| 80 | +IMP |
| 81 | + |
| 82 | +echo -e"\033[93m" |
| 83 | + |
| 84 | +cat<<WARN |
| 85 | +*** WARNING *** |
| 86 | +A negative result presented by this script does NOT mean that you do not |
| 87 | +have to install the MS14-66 patches on the target system. |
| 88 | +Make sure to update all your Windows installations, regardless of the |
| 89 | +results this script gives you. |
| 90 | +
|
| 91 | +WARN |
| 92 | + |
| 93 | +echo -e"\033[0m" |
| 94 | +read -p"I have read and understood the messages above. (y/N)" -n 1 -r |
| 95 | +if [[!"$REPLY"=~ ^[yY]$ ]] |
| 96 | +then |
| 97 | +echo -e"\n\033[91mAborting. Please re-run and confirm that you have read and understood the messages above.\033[0m" |
| 98 | +exit 4 |
| 99 | +fi |
| 100 | +echo"" |
| 101 | + |
| 102 | +# According to https://technet.microsoft.com/library/security/ms14-066 the |
| 103 | +# following ciphers were added with the patch: |
| 104 | +# * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| 105 | +# * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| 106 | +# * TLS_RSA_WITH_AES_256_GCM_SHA384 |
| 107 | +# * TLS_RSA_WITH_AES_128_GCM_SHA256 |
| 108 | +# |
| 109 | +# The OpenSSL cipher names for these ciphers are: |
| 110 | +MS14_066_CIPHERS="DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-GCM-SHA256" |
| 111 | +# Ciphers supported by Windows Server 2012R2 |
| 112 | +WINDOWS_SERVER_2012R2_CIPHERS="ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA" |
| 113 | + |
| 114 | +# Test if OpenSSL does support the ciphers we're checking for... |
| 115 | +echo -n"Testing if OpenSSL supports the ciphers we are checking for:" |
| 116 | +openssl_ciphers=$(openssl ciphers) |
| 117 | + |
| 118 | +forcin$MS14_066_CIPHERS |
| 119 | +do |
| 120 | +if!echo$openssl_ciphers| grep -q$c2>&1>/dev/null |
| 121 | +then |
| 122 | +echo -e"\033[91mNO (OpenSSL does not support$c cipher.)\033[0m" |
| 123 | +echo -e"\033[91mAborting." |
| 124 | +exit 5 |
| 125 | +fi |
| 126 | +done |
| 127 | + |
| 128 | +echo -e"\033[92mYES\033[0m" |
| 129 | + |
| 130 | +SERVER=$HOST:$PORT |
| 131 | + |
| 132 | +echo -e"\n\033[94mTesting${SERVER} for availability of SSL ciphers added in MS14-066...\033[0m" |
| 133 | + |
| 134 | +patched="no" |
| 135 | +forcipherin${MS14_066_CIPHERS} |
| 136 | +do |
| 137 | +echo -en"Testing cipher${cipher}:" |
| 138 | + result=$(echo -n| openssl s_client -cipher"$cipher" -connect$SERVER2>&1) |
| 139 | +if [["$result"=~"connect:errno=" ]] |
| 140 | +then |
| 141 | + err=$(echo$result| grep ^connect: \ |
| 142 | +| sed -e's/connect:errno=.*//g' -e's/connect: //g') |
| 143 | +echo -e"\033[93mConnection error:$err" |
| 144 | +echo -e"Aborting checks.\033[0m" |
| 145 | +exit 1 |
| 146 | +elif [["$result"=~"SSL23_GET_SERVER_HELLO:unknown protocol" ]] |
| 147 | +then |
| 148 | +echo -e"\033[93mNo SSL/TLS support on target port." |
| 149 | +echo -e"Aborting checks.\033[0m" |
| 150 | +exit 1 |
| 151 | +elif [["$result"=~"SSL_CTX_set_cipher_list:no cipher match" ]] |
| 152 | +then |
| 153 | +echo -e"\033[93mYour version of OpenSSL is not supported." |
| 154 | +echo -e"Aborting checks.\033[39m" |
| 155 | +exit 1 |
| 156 | +elif [["$result"=~"Cipher is${cipher}"||"$result"=~"Cipher :${cipher}" ]] |
| 157 | +then |
| 158 | +echo -e"\033[92mSUPPORTED\033[0m" |
| 159 | +if [["$patched"=="no" ]] |
| 160 | +then |
| 161 | + patched="yes" |
| 162 | +fi |
| 163 | +else |
| 164 | +echo -e"\033[91mUNSUPPORTED\033[0m" |
| 165 | +fi |
| 166 | +done |
| 167 | + |
| 168 | +windows_server_2012_or_later="no" |
| 169 | +windows_server_2012_r2="no" |
| 170 | +iis_detected="no" |
| 171 | +# added by @stoep: check whether a 443 port runs IIS |
| 172 | +if [["$PORT"=="443" ]] |
| 173 | +then |
| 174 | + iis=$(curl -k -I https://$SERVER2> /dev/null| grep"Server") |
| 175 | +echo -n"Testing if IIS is running on port 443:" |
| 176 | +if [[$iis==*Microsoft-IIS* ]] |
| 177 | +then |
| 178 | + iis_version=$(echo$iis| sed -e's|Server: Microsoft-IIS/||g') |
| 179 | + iis_detected="yes" |
| 180 | +echo -e"\033[92mYES - Version${iis_version}\033[0m" |
| 181 | +if [[$iis_version==*8.5* ]] |
| 182 | +then |
| 183 | +echo -e"\033[91mWindows Server 2012 R2 detected. Results of this script will be inconclusive.\033[0m" |
| 184 | + windows_server_2012_or_later="yes" |
| 185 | + windows_server_2012_r2="yes" |
| 186 | +elif [[$iis_version==*8.0* ]] |
| 187 | +then |
| 188 | + windows_server_2012_or_later="yes" |
| 189 | + windows_server_2012_r2="no" |
| 190 | +fi |
| 191 | +else |
| 192 | +echo -e"\033[91mNO\033[0m" |
| 193 | +fi |
| 194 | +fi |
| 195 | + |
| 196 | +# Check if Windows Server 2012 or later is running on the remote system... |
| 197 | +if [["$windows_server_2012_or_later"=="no"&&"$iis_detected"=="no" ]] |
| 198 | +then |
| 199 | +echo -e"\033[94mChecking if target system is running Windows Server 2012 or later...\033[0m" |
| 200 | +forcipherin${WINDOWS_SERVER_2012R2_CIPHERS} |
| 201 | +do |
| 202 | +echo -en"Testing cipher${cipher}:" |
| 203 | + result=$(echo -n| openssl s_client -cipher"$cipher" -connect$SERVER2>&1) |
| 204 | +if [["$result"=~"connect:errno=" ]] |
| 205 | +then |
| 206 | + err=$(echo$result| grep ^connect: \ |
| 207 | +| sed -e's/connect:errno=.*//g' -e's/connect: //g') |
| 208 | +echo -e"\033[93mConnection error:$err" |
| 209 | +echo -e"Aborting checks.\033[0m" |
| 210 | +exit 1 |
| 211 | +elif [["$result"=~"SSL23_GET_SERVER_HELLO:unknown protocol" ]] |
| 212 | +then |
| 213 | +echo -e"\033[93mNo SSL/TLS support on target port." |
| 214 | +echo -e"Aborting checks.\033[0m" |
| 215 | +exit 1 |
| 216 | +elif [["$result"=~"Cipher is${cipher}"||"$result"=~"Cipher :${cipher}" ]] |
| 217 | +then |
| 218 | +echo -e"\033[92mSUPPORTED\033[0m" |
| 219 | +if [["$windows_server_2012_or_later"=="no" ]] |
| 220 | +then |
| 221 | + windows_server_2012_or_later="yes" |
| 222 | +break |
| 223 | +fi |
| 224 | +else |
| 225 | +echo -e"\033[91mUNSUPPORTED\033[0m" |
| 226 | +fi |
| 227 | +done |
| 228 | +fi |
| 229 | + |
| 230 | +if [["$patched"=="yes"&&"$windows_server_2012_or_later"=="no" ]] |
| 231 | +then |
| 232 | + patched="\033[92mYES\033[0m" |
| 233 | +elif [["$patched"=="yes" ]] |
| 234 | +then |
| 235 | + patched="\033[93mUNKNOWN" |
| 236 | +if [["$windows_server_2012_r2"=="yes" ]] |
| 237 | +then |
| 238 | + patched="$patched: Windows Server 2012 R2 detected." |
| 239 | +else |
| 240 | + patched="$patched: Windows Server 2012 or later detected." |
| 241 | +fi |
| 242 | +else |
| 243 | + patched="\033[91mNO\033[0m" |
| 244 | +fi |
| 245 | + |
| 246 | +echo -e"\033[94m$SERVER is patched:$patched\033[0m" |
| 247 | +echo -e"\n\033[93m" |
| 248 | +cat<<EOF |
| 249 | +*** IMPORTANT *** |
| 250 | +
|
| 251 | +Please keep in mind that the patch-status reported above is only a hint and |
| 252 | +may generate both false-positive and false-negative results in some cases. |
| 253 | +
|
| 254 | +If Windows Server 2012 R2 is reported above results WIIL BE incorrect. |
| 255 | +If Windows Server 2012 or later is reported above results MAY BE incorrect, |
| 256 | +please test again against IIS running on port 443. |
| 257 | +
|
| 258 | +The information above may be incorrect if: |
| 259 | +
|
| 260 | +* the available SSL ciphers have been modified manually |
| 261 | +* you are not directly connecting to the target system |
| 262 | +* the target system is running Windows Server 2012 R2 |
| 263 | +
|
| 264 | +Please do apply the MS14-066 patches to all your systems regardless |
| 265 | +of the results presented above! |
| 266 | +
|
| 267 | +EOF |
| 268 | +echo -en"\033[0m" |
| 269 | +exit 0 |
