Merge pull request #215 from projectdiscovery/dev

tlsx v1.0.6

Author: ehsandeep

.github/workflows/build-test.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-12]
-        go-version: [1.18.x, 1.19.x]
+        go-version: [1.19.x, 1.20.x]
     steps:
       - name: Set up Go
         uses: actions/setup-go@v3
@@ -30,7 +30,7 @@ jobs:
         working-directory: .
 
       - name: Race Condition Tests
-        run: go build -race .
+        run: go run -race . -u scanme.sh
         working-directory: cmd/tlsx/
 
       - name: Test Example Code

.github/workflows/dockerhub-push.yml

@@ -32,7 +32,7 @@ jobs:
           password: ${{ secrets.DOCKER_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm

.github/workflows/lint-test.yml

@@ -13,9 +13,9 @@ jobs:
       - name: "Set up Go"
         uses: actions/setup-go@v3
         with: 
-          go-version: 1.18
+          go-version: 1.19
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3.3.1
+        uses: golangci/golangci-lint-action@v3.4.0
         with:
           version: latest
           args: --timeout 5m

.github/workflows/release-binary.yml

@@ -17,7 +17,7 @@ jobs:
       - name: "Set up Go"
         uses: actions/setup-go@v3
         with: 
-          go-version: 1.18
+          go-version: 1.19
 
       - name: "Create release on GitHub"
         uses: goreleaser/goreleaser-action@v4

.github/workflows/sonarcloud.yml

@@ -2,7 +2,7 @@ FROM golang:1.18.2-alpine3.14 AS build-env
 RUN apk add --no-cache build-base
 RUN go install -v github.com/projectdiscovery/tlsx/cmd/tlsx@latest
 
-FROM alpine:3.17.1
+FROM alpine:3.17.2
 RUN apk add --no-cache bind-tools ca-certificates
 COPY --from=build-env /go/bin/tlsx /usr/local/bin/tlsx
 ENTRYPOINT ["tlsx"]

Dockerfile

@@ -43,7 +43,7 @@ A fast and configurable TLS grabber focused on TLS based **data collection and a
 
 ## Installation
 
-tlsx requires **Go 1.18** to install successfully. To install, just run the below command or download pre-compiled binary from [release page](https://github.com/projectdiscovery/tlsx/releases).
+tlsx requires **Go 1.19** to install successfully. To install, just run the below command or download pre-compiled binary from [release page](https://github.com/projectdiscovery/tlsx/releases).
 
 ```console
 go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest
@@ -88,14 +88,17 @@ PROBES:
    -tps, -probe-status  display tls probe status
    -ve, -version-enum   enumerate and display supported tls versions
    -ce, -cipher-enum    enumerate and display supported cipher
+   -ct, -cipher-type    ciphers types to enumerate (all/secure/insecure/weak) (default 0)
    -ch, -client-hello   include client hello in json output (ztls mode only)
    -sh, -server-hello   include server hello in json output (ztls mode only)
+   -se, -serial             display certificate serial number
 
 MISCONFIGURATIONS:
    -ex, -expired      display host with host expired certificate
    -ss, -self-signed  display host with self-signed certificate
    -mm, -mismatched   display host with mismatched certificate
    -re, -revoked      display host with revoked certificate
+   -un, -untrusted    display host with untrusted certificate
 
 CONFIGURATIONS:
    -config string               path to the tlsx configuration file
@@ -104,23 +107,28 @@ CONFIGURATIONS:
    -ci, -cipher-input string[]  ciphers to use with tls connection
    -sni string[]                tls sni hostname to use
    -rs, -random-sni             use random sni when empty
+   -rps, -rev-ptr-sni           perform reverse PTR to retrieve SNI from IP
    -min-version string          minimum tls version to accept (ssl30,tls10,tls11,tls12,tls13)
    -max-version string          maximum tls version to accept (ssl30,tls10,tls11,tls12,tls13)
-   -ac, -all-ciphers            send all ciphers as accepted inputs (default true)
    -cert, -certificate          include certificates in json output (PEM format)
    -tc, -tls-chain              include certificates chain in json output
    -vc, -verify-cert            enable verification of server certificate
    -ob, -openssl-binary string  OpenSSL Binary Path
+   -hf, -hardfail               strategy to use if encountered errors while checking revocation status
 
 OPTIMIZATIONS:
    -c, -concurrency int  number of concurrent threads to process (default 300)
    -timeout int          tls connection timeout in seconds (default 5)
    -retry int            number of retries to perform for failures (default 3)
    -delay string         duration to wait between each connection per thread (eg: 200ms, 1s)
 
+UPDATE:
+   -up, -update                 update tlsx to latest version
+   -duc, -disable-update-check  disable automatic tlsx update check
+
 OUTPUT:
    -o, -output string  file to write output to
-   -j, -json           display json format output
+   -j, -json           display output in jsonline format
    -ro, -resp-only     display tls response only
    -silent             display silent output
    -nc, -no-color      disable colors in cli output
@@ -320,12 +328,12 @@ support.hackerone.com:443 [TLS1.2] [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
 
 # TLS Misconfiguration
 
-### Expired / Self Signed / Mismatched / Revoked Certificate
+### Expired / Self Signed / Mismatched / Revoked / Untrusted Certificate
 
-A list of host can be provided to tlsx to detect **expired / self-signed / mismatched / revoked** certificates.
+A list of host can be provided to tlsx to detect **expired / self-signed / mismatched / revoked / untrusted** certificates.
 
 ```console
-$ tlsx -l hosts.txt -expired -self-signed -mismatched -revoked
+$ tlsx -l hosts.txt -expired -self-signed -mismatched -revoked -untrusted
   
 
   _____ _    _____  __
@@ -342,6 +350,7 @@ wrong.host.badssl.com:443 [mismatched]
 self-signed.badssl.com:443 [self-signed]
 expired.badssl.com:443 [expired]
 revoked.badssl.com:443 [revoked]
+untrusted-root.badssl.com:443 [untrusted]
 ```
 
 ### [JARM](https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/) TLS Fingerprint
@@ -530,6 +539,7 @@ This program optionally uses:
 
 - [zcrypto](https://github.com/zmap/zcrypto) library from the zmap team.
 - [cfssl](https://github.com/cloudflare/cfssl) library from the cloudflare team
+- cipher data from [ciphersuite.info](https://ciphersuite.info) for ciphersuite classification
 
 --------
 

README.md

@@ -0,0 +1,54 @@
+package assets
+
+import (
+	_ "embed"
+	"encoding/json"
+
+	"github.com/projectdiscovery/gologger"
+	stringsutil "github.com/projectdiscovery/utils/strings"
+)
+
+//go:embed cipherstatus_data.json
+var CipherDataBin string
+
+// CipherSecLevel contains cipher and its security level
+// Source:  https://ciphersuite.info/
+var CipherSecLevel map[string]string = map[string]string{}
+
+// GetSecureCiphers returns Ciphers with status `Recommended` and `Secure`
+// Ex: https://ciphersuite.info/cs/TLS_AES_128_CCM_8_SHA256/
+func GetSecureCipherSuites() []string {
+	return getCipherWithLevel("Recommended", "Secure")
+}
+
+// GetInSecureCipherSuites returns Ciphers with status `Insecure`.
+// Insecure Ciphers either uses no authentication at all or does not provide confidentiality
+// Ex: https://ciphersuite.info/cs/TLS_NULL_WITH_NULL_NULL/
+func GetInSecureCipherSuites() []string {
+	return getCipherWithLevel("Insecure")
+}
+
+// GetWeakCipherSuites returns Ciphers with status `Weak`.
+// Weak Cipher suites use algorithms that are proven to be weak or can be broken
+// Ex: https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/
+func GetWeakCipherSuites() []string {
+	return getCipherWithLevel("Weak")
+}
+
+// returns cipher with level
+func getCipherWithLevel(level ...string) []string {
+	arr := []string{}
+	for k, v := range CipherSecLevel {
+		if stringsutil.EqualFoldAny(v, level...) {
+			arr = append(arr, k)
+		}
+	}
+	return arr
+}
+
+func init() {
+	err := json.Unmarshal([]byte(CipherDataBin), &CipherSecLevel)
+	if err != nil {
+		gologger.Error().Label("cipher").Msgf("failed to load cipherstatus_data.json, cipher-enum might return unexpected results: %v", err)
+	}
+}

assets/cipherstatus_data.go

@@ -80,15 +80,23 @@ func readFlags() error {
 		flagSet.BoolVarP(&options.ProbeStatus, "probe-status", "tps", false, "display tls probe status"),
 		flagSet.BoolVarP(&options.TlsVersionsEnum, "version-enum", "ve", false, "enumerate and display supported tls versions"),
 		flagSet.BoolVarP(&options.TlsCiphersEnum, "cipher-enum", "ce", false, "enumerate and display supported cipher"),
+		flagSet.EnumVarP(&options.TLsCipherLevel, "cipher-type", "ct", goflags.EnumVariable(0), "ciphers types to enumerate (all/secure/insecure/weak)", goflags.AllowdTypes{
+			"all":      goflags.EnumVariable(clients.All),
+			"weak":     goflags.EnumVariable(clients.Weak),
+			"insecure": goflags.EnumVariable(clients.Insecure),
+			"secure":   goflags.EnumVariable(clients.Secure),
+		}),
 		flagSet.BoolVarP(&options.ClientHello, "client-hello", "ch", false, "include client hello in json output (ztls mode only)"),
 		flagSet.BoolVarP(&options.ServerHello, "server-hello", "sh", false, "include server hello in json output (ztls mode only)"),
+		flagSet.BoolVarP(&options.Serial, "serial", "se", false, "display certificate serial number"),
 	)
 
 	flagSet.CreateGroup("misconfigurations", "Misconfigurations",
 		flagSet.BoolVarP(&options.Expired, "expired", "ex", false, "display host with host expired certificate"),
 		flagSet.BoolVarP(&options.SelfSigned, "self-signed", "ss", false, "display host with self-signed certificate"),
 		flagSet.BoolVarP(&options.MisMatched, "mismatched", "mm", false, "display host with mismatched certificate"),
 		flagSet.BoolVarP(&options.Revoked, "revoked", "re", false, "display host with revoked certificate"),
+		flagSet.BoolVarP(&options.Untrusted, "untrusted", "un", false, "display host with untrusted certificate"),
 	)
 
 	flagSet.CreateGroup("configs", "Configurations",
@@ -98,9 +106,9 @@ func readFlags() error {
 		flagSet.StringSliceVarP(&options.Ciphers, "cipher-input", "ci", nil, "ciphers to use with tls connection", goflags.FileCommaSeparatedStringSliceOptions),
 		flagSet.StringSliceVar(&options.ServerName, "sni", nil, "tls sni hostname to use", goflags.FileCommaSeparatedStringSliceOptions),
 		flagSet.BoolVarP(&options.RandomForEmptyServerName, "random-sni", "rs", false, "use random sni when empty"),
+		flagSet.BoolVarP(&options.ReversePtrSNI, "rev-ptr-sni", "rps", false, "perform reverse PTR to retrieve SNI from IP"),
 		flagSet.StringVar(&options.MinVersion, "min-version", "", "minimum tls version to accept (ssl30,tls10,tls11,tls12,tls13)"),
 		flagSet.StringVar(&options.MaxVersion, "max-version", "", "maximum tls version to accept (ssl30,tls10,tls11,tls12,tls13)"),
-		flagSet.BoolVarP(&options.AllCiphers, "all-ciphers", "ac", true, "send all ciphers as accepted inputs"),
 		flagSet.BoolVarP(&options.Cert, "certificate", "cert", false, "include certificates in json output (PEM format)"),
 		flagSet.BoolVarP(&options.TLSChain, "tls-chain", "tc", false, "include certificates chain in json output"),
 		flagSet.BoolVarP(&options.VerifyServerCertificate, "verify-cert", "vc", false, "enable verification of server certificate"),
@@ -115,6 +123,11 @@ func readFlags() error {
 		flagSet.StringVar(&options.Delay, "delay", "", "duration to wait between each connection per thread (eg: 200ms, 1s)"),
 	)
 
+	flagSet.CreateGroup("update", "Update",
+		flagSet.CallbackVarP(runner.GetUpdateCallback(), "update", "up", "update tlsx to latest version"),
+		flagSet.BoolVarP(&options.DisableUpdateCheck, "disable-update-check", "duc", false, "disable automatic tlsx update check"),
+	)
+
 	flagSet.CreateGroup("output", "Output",
 		flagSet.StringVarP(&options.OutputFile, "output", "o", "", "file to write output to"),
 		flagSet.BoolVarP(&options.JSON, "json", "j", false, "display json format output"),