Added testssl attack

.gitignore

@@ -1,5 +1,7 @@
 .idea/
 .vagrant/
+venv/
+__pycache__/
 
 vagrant/vars.yml
 .models.json

kraken-proto/proto/attacks.proto

@@ -273,6 +273,224 @@ message OsDetectionResponse {
   repeated string versions = 4;
 }
 
+/*
+ * testssl.sh
+ */
+
+// Request for running testssl.sh
+message TestSSLRequest {
+  // A unique id that identifier the attack
+  string attack_uuid = 1;
+  // The domain used for SNI and cert validity check
+  optional string domain = 2;
+  // The ip address to scan
+  shared.Address ip = 3;
+  // The port to scan
+  uint32 port = 4;
+  // Timeout for TCP handshakes in seconds
+  optional uint64 connect_timeout = 5;
+  // Timeout for `openssl` connections in seconds
+  optional uint64 openssl_timeout = 6;
+  // Enable ip v6
+  optional bool v6 = 7;
+  // Set the `BASICAUTH` header when checking http headers
+  optional BasicAuth basic_auth = 8;
+  // Run against a STARTTLS enabled protocol
+  optional StartTLSProtocol starttls = 9;
+  // Which scans `testssl.sh` should run
+  optional TestSSLScans scans = 10;
+}
+
+// The `BASICAUTH` header
+message BasicAuth {
+  // The username
+  string username = 1;
+  // The password
+  string password = 2;
+}
+
+// Protocols to select from when using `testssl.sh`'s `--starttls` option
+enum StartTLSProtocol {
+  // FTP
+  FTP = 0;
+  // SMTP
+  SMTP = 1;
+  // POP3
+  POP3 = 2;
+  // IMAP
+  IMAP = 3;
+  // XMPP
+  XMPP = 4;
+  // LMTP
+  LMTP = 5;
+  // NNTP
+  NNTP = 6;
+  // Postgres
+  Postgres = 7;
+  // MySQL
+  MySQL = 8;
+}
+
+/// Config option which scans `testssl.sh` should run
+message TestSSLScans {
+  // Workaround field to store a `oneof`
+  oneof testssl_scans {
+    // Either run all scans or just the default ones
+    bool all = 1;
+
+    // Select the scans to run manually
+    TestSSLScansManual manual = 2;
+  }
+}
+
+// Select the scans to run manually
+//
+// Each field (except `cipher_tests_...`) correspond directly to a section in `testssl.sh`'s output
+message TestSSLScansManual {
+  /// Enables [`ScanResult`]'s `protocols` section
+  bool protocols = 1;
+
+  /// Enables [`ScanResult`]'s `grease` section
+  bool grease = 2;
+
+  /// Enables [`ScanResult`]'s `ciphers` section
+  bool ciphers = 3;
+
+  /// Enables [`ScanResult`]'s `pfs` section
+  bool pfs = 4;
+
+  /// Enables [`ScanResult`]'s `server_preferences` section
+  bool server_preferences = 5;
+
+  /// Enables [`ScanResult`]'s `server_defaults` section
+  bool server_defaults = 6;
+
+  /// Enables [`ScanResult`]'s `header_response` section
+  bool header_response = 7;
+
+  /// Enables [`ScanResult`]'s `vulnerabilities` section
+  bool vulnerabilities = 8;
+
+  /// Enables [`ScanResult`]'s `cipher_tests` section
+  bool cipher_tests_all = 9;
+
+  /// Enables [`ScanResult`]'s `cipher_tests` section
+  bool cipher_tests_per_proto = 10;
+
+  /// Enables [`ScanResult`]'s `browser_simulations` section
+  bool browser_simulations = 11;
+}
+
+// Response to a test ssl request
+message TestSSLResponse {
+  // The services' scan results or their errors
+  repeated TestSSLService services = 1;
+}
+
+// A service's scan results or an error
+message TestSSLService {
+  // Workaround field to store a `oneof`
+  oneof testssl_service {
+    // The result from scanning a service
+    TestSSLScanResult result = 1;
+
+    // Some error prevented a service from being scanned
+    TestSSLFinding error = 2;
+  }
+}
+
+// A service's scan results
+message TestSSLScanResult {
+  // The original user target this result belongs to
+  string target_host = 1;
+
+  // The scanned ip address
+  string ip = 2;
+
+  // The scanned port
+  string port = 3;
+
+  // The detected service
+  string service = 5;
+
+  // TODO: not found yet in the wild
+  // optional string hostname = 6;
+
+  // Some sanity checks which can't be disabled
+  repeated TestSSLFinding pretest = 7;
+
+  // Which tls protocols are supported
+  repeated TestSSLFinding protocols = 8;
+
+  // Server implementation bugs and [GREASE](https://www.ietf.org/archive/id/draft-ietf-tls-grease-01.txt)
+  repeated TestSSLFinding grease = 9;
+
+  // Which cipher suites are supported
+  repeated TestSSLFinding ciphers = 10;
+
+  // Checks robust (perfect) forward secrecy key exchange
+  repeated TestSSLFinding pfs = 11;
+
+  // The server's preferences
+  repeated TestSSLFinding server_preferences = 12;
+
+  // The server's defaults
+  repeated TestSSLFinding server_defaults = 13;
+
+  // The http header set by the server
+  repeated TestSSLFinding header_response = 14;
+
+  // List of several vulnerabilities
+  repeated TestSSLFinding vulnerabilities = 15;
+
+  // Which concrete ciphers are supported
+  //
+  // Depending on the option `testssl` is invoked with,
+  // this is either a list of all ciphers or a list of all cipher per tls protocol.
+  repeated TestSSLFinding cipher_tests = 16;
+
+  // Which browser is able to establish a connection
+  repeated TestSSLFinding browser_simulations = 17;
+}
+
+// A single test's result or testssl log message
+message TestSSLFinding {
+  // The test's id
+  string id = 1;
+  // The result's severity
+  TestSSLSeverity severity = 2;
+  // The test's result
+  string finding = 3;
+
+  // The associated CVE
+  optional string cve = 4;
+  // The associated CWE
+  optional string cwe = 5;
+}
+
+// A TestSSLFinding's severity
+enum TestSSLSeverity {
+  // A debug level log message
+  Debug = 0;
+  // An info level log message
+  Info = 1;
+  // A warning level log message
+  Warn = 2;
+  // An error level log message
+  Fatal = 3;
+
+  // The test's result doesn't pose an issue
+  Ok = 4;
+  // The test's result pose a low priority issue
+  Low = 5;
+  // The test's result pose a medium priority issue
+  Medium = 6;
+  // The test's result pose a high priority issue
+  High = 7;
+  // The test's result pose a critical priority issue
+  Critical = 8;
+}
+
 // Implemented by leech; allows kraken to request attack from a leech
 service ReqAttackService {
   rpc BruteforceSubdomains(BruteforceSubdomainRequest) returns (stream BruteforceSubdomainResponse);
@@ -283,6 +501,7 @@ service ReqAttackService {
   rpc DnsResolution(DnsResolutionRequest) returns (stream DnsResolutionResponse);
   rpc DnsTxtScan(DnsTxtScanRequest) returns (stream DnsTxtScanResponse);
   rpc OsDetection(OsDetectionRequest) returns (stream OsDetectionResponse);
+  rpc TestSSL(TestSSLRequest) returns (TestSSLResponse);
 }
 
 /*
@@ -315,6 +534,8 @@ message PushAttackRequest {
     RepeatedDnsTxtScanResponse dns_txt_scan = 10;
     // Response to a operating system detection request
     RepeatedOsDetectionResponse os_detection = 11;
+    // Response for running testssl.sh
+    TestSSLResponse testssl = 12;
   }
 }
 
@@ -405,6 +626,8 @@ message AnyAttackResponse {
     DnsTxtScanResponse dns_txt_scan = 9;
     // Response to a operating system detection request
     OsDetectionResponse os_detection = 10;
+    // Response for running testssl.sh
+    TestSSLResponse testssl = 11;
   }
 }
 

kraken-proto/src/lib.rs

@@ -6,7 +6,7 @@ pub use generated::*;
 
 mod convert;
 
-#[allow(clippy::unwrap_used, clippy::expect_used)]
+#[allow(clippy::unwrap_used, clippy::expect_used, clippy::large_enum_variant)]
 mod generated {
 
     /// The autogenerated rpc definitions from `attacks.shared.proto`

kraken/migrations/0001_initial.toml

@@ -94,6 +94,7 @@ Value = [
     "OSDetection",
     "VersionDetection",
     "AntiPortScanningDetection",
+    "TestSSL",
 ]
 
 [[Migration.Operations.Fields.Annotations]]
@@ -1335,6 +1336,7 @@ Value = [
     "OSDetection",
     "VersionDetection",
     "AntiPortScanningDetection",
+    "TestSSL",
     "ManualDomain",
     "ManualHost",
     "ManualPort",
@@ -3582,4 +3584,4 @@ OnDelete = "Cascade"
 OnUpdate = "Cascade"
 
 [[Migration.Operations.Field.Annotations]]
-Type = "not_null"
+Type = "not_null"