hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动
文件
main
websafe-kb/04-server-security/tls/tools/tls-scanner.py

325 行
11 KiB
Python
原始文件 永久链接 Blame 文件历史

#!/usr/bin/env python3
"""
TLS Scanner - TLS/SSL 安全配置扫描工具
支持:
- 协议版本检测
- 密码套件分析
- 证书信息提取
- 漏洞检测 (POODLE, BEAST, Heartbleed 等)
- HSTS 检测
Usage:
python3 tls-scanner.py -u https://example.com
python3 tls-scanner.py -u example.com -p 443
授权边界:
- 仅用于自有资产、测试环境或已明确授权的 TLS 终端
- 允许公网验证,但建议优先使用只读检查
- 不面向无授权第三方网站或泛互联网扫描
"""
import argparse
import ssl
import socket
import re
from typing import Dict, List, Tuple, Optional
from datetime import datetime
import sys
from pathlib import Path
SCRIPTS_DIR = Path(__file__).resolve().parents[2] / "scripts"
if str(SCRIPTS_DIR) not in sys.path:
sys.path.insert(0, str(SCRIPTS_DIR))
from tool_contract import add_common_args, emit_report, ensure_authorized, make_report, write_evidence # noqa: E402
class Colors:
RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
BLUE = "\033[94m"
CYAN = "\033[96m"
END = "\033[0m"
BOLD = "\033[1m"
class TLSScanner:
def __init__(self, timeout: int = 10):
self.timeout = timeout
self.protocols = [
("SSLv2", ssl.PROTOCOL_SSLv2 if hasattr(ssl, "PROTOCOL_SSLv2") else None),
("SSLv3", ssl.PROTOCOL_SSLv3 if hasattr(ssl, "PROTOCOL_SSLv3") else None),
("TLSv1.0", ssl.PROTOCOL_TLSv1 if hasattr(ssl, "PROTOCOL_TLSv1") else None),
(
"TLSv1.1",
ssl.PROTOCOL_TLSv1_1 if hasattr(ssl, "PROTOCOL_TLSv1_1") else None,
),
(
"TLSv1.2",
ssl.PROTOCOL_TLSv1_2 if hasattr(ssl, "PROTOCOL_TLSv1_2") else None,
),
("TLSv1.3", ssl.PROTOCOL_TLS if hasattr(ssl, "PROTOCOL_TLS") else None),
]
self.weak_ciphers = [
"RC4",
"MD5",
"DES",
"3DES",
"NULL",
"EXPORT",
"anon",
"eNULL",
"ADH",
"AECDH",
"PSK",
"SRP",
]
self.secure_ciphers = ["AES-GCM", "CHACHA20", "ECDHE", "DHE"]
def print_result(self, level: str, msg: str):
colors = {
"INFO": Colors.BLUE,
"SUCCESS": Colors.GREEN,
"WARNING": Colors.YELLOW,
"ERROR": Colors.RED,
"VULN": Colors.RED + Colors.BOLD,
"SECURE": Colors.GREEN + Colors.BOLD,
}
print(f"{colors.get(level, '')}[{level}]{Colors.END} {msg}")
def get_certificate(self, hostname: str, port: int = 443) -> Optional[Dict]:
"""获取证书信息"""
try:
context = ssl.create_default_context()
with socket.create_connection(
(hostname, port), timeout=self.timeout
) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
cert = ssock.getpeercert()
cert_info = {
"subject": dict(x[0] for x in cert.get("subject", [])),
"issuer": dict(x[0] for x in cert.get("issuer", [])),
"version": cert.get("version"),
"serial_number": cert.get("serialNumber"),
"not_before": cert.get("notBefore"),
"not_after": cert.get("notAfter"),
"san": [],
}
for ext in cert.get("extensions", []):
if ext[0] == "subjectAltName":
cert_info["san"] = [x[1] for x in ext[1]]
return cert_info
except Exception as e:
return None
def check_protocol(
self, hostname: str, port: int, protocol_name: str, protocol_const
) -> bool:
"""检查协议支持"""
if protocol_const is None:
return False
try:
context = ssl.SSLContext(protocol_const)
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
with socket.create_connection(
(hostname, port), timeout=self.timeout
) as sock:
with context.wrap_socket(sock) as ssock:
return True
except:
return False
def get_cipher_suite(self, hostname: str, port: int = 443) -> Optional[str]:
"""获取当前密码套件"""
try:
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
with socket.create_connection(
(hostname, port), timeout=self.timeout
) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
return ssock.cipher()
except:
return None
def check_hsts(self, hostname: str, port: int = 443) -> Dict:
"""检查 HSTS"""
try:
import requests
resp = requests.head(
f"https://{hostname}:{port}", timeout=self.timeout, verify=False
)
hsts = resp.headers.get("Strict-Transport-Security")
if hsts:
max_age = re.search(r"max-age=(\d+)", hsts)
include_subdomains = "includeSubDomains" in hsts
preload = "preload" in hsts
return {
"enabled": True,
"max_age": int(max_age.group(1)) if max_age else 0,
"include_subdomains": include_subdomains,
"preload": preload,
"raw": hsts,
}
except:
pass
return {"enabled": False}
def scan(self, hostname: str, port: int = 443) -> Dict:
"""完整扫描"""
results = {
"hostname": hostname,
"port": port,
"protocols": {},
"certificate": None,
"cipher": None,
"hsts": None,
"issues": [],
}
for proto_name, proto_const in self.protocols:
supported = self.check_protocol(hostname, port, proto_name, proto_const)
results["protocols"][proto_name] = supported
if supported and proto_name in ["SSLv2", "SSLv3"]:
results["issues"].append(
{
"severity": "HIGH",
"issue": f"支持不安全的协议: {proto_name}",
"recommendation": f"禁用 {proto_name}",
}
)
if supported and proto_name in ["TLSv1.0", "TLSv1.1"]:
results["issues"].append(
{
"severity": "MEDIUM",
"issue": f"支持过时的协议: {proto_name}",
"recommendation": f"考虑禁用 {proto_name}",
}
)
cert = self.get_certificate(hostname, port)
if cert:
results["certificate"] = cert
not_after = datetime.strptime(cert["not_after"], "%b %d %H:%M:%S %Y %Z")
days_left = (not_after - datetime.now()).days
if days_left < 0:
results["issues"].append(
{
"severity": "CRITICAL",
"issue": "证书已过期",
"recommendation": "立即更新证书",
}
)
elif days_left < 30:
results["issues"].append(
{
"severity": "HIGH",
"issue": f"证书将在 {days_left} 天后过期",
"recommendation": "尽快更新证书",
}
)
cipher = self.get_cipher_suite(hostname, port)
if cipher:
results["cipher"] = cipher
cipher_name = cipher[0]
for weak in self.weak_ciphers:
if weak.lower() in cipher_name.lower():
results["issues"].append(
{
"severity": "HIGH",
"issue": f"使用弱密码套件: {cipher_name}",
"recommendation": "仅使用 AES-GCM 或 ChaCha20",
}
)
break
hsts = self.check_hsts(hostname, port)
results["hsts"] = hsts
if not hsts["enabled"]:
results["issues"].append(
{
"severity": "MEDIUM",
"issue": "未启用 HSTS",
"recommendation": "添加 Strict-Transport-Security 头",
}
)
return results
def main():
parser = argparse.ArgumentParser(description="TLS Scanner")
parser.add_argument("-u", "--url", required=True, help="目标 URL 或主机名")
parser.add_argument("-p", "--port", type=int, default=443, help="端口 (默认: 443)")
parser.add_argument("--timeout", type=int, default=10, help="超时时间")
add_common_args(parser, include_network=False)
args = parser.parse_args()
ensure_authorized(args, parser)
hostname = args.url.replace("https://", "").replace("http://", "").split("/")[0]
scanner = TLSScanner(timeout=args.timeout)
scanner.print_result("INFO", f"目标: {hostname}:{args.port}")
results = scanner.scan(hostname, args.port)
evidence_refs = []
ref = write_evidence(args, "tls-results.json", results)
if ref:
evidence_refs.append(ref)
severity = "high" if any(issue["severity"] in ["CRITICAL", "HIGH"] for issue in results["issues"]) else "medium" if results["issues"] else "info"
status = "verified" if results["issues"] else "needs-review"
report = make_report(
tool="tls-scanner",
mode="tls-readonly-check",
target=f"{hostname}:{args.port}",
status=status,
severity=severity,
payload_or_probe={"issues": results["issues"], "protocols": results["protocols"], "hsts": results["hsts"]},
request_summary={"timeout": args.timeout, "certificate_present": bool(results["certificate"])},
evidence_refs=evidence_refs,
destructive_risk="low",
args=args,
)
text_lines = [
"=" * 60,
"TLS Scanner",
"=" * 60,
f"Target: {hostname}:{args.port}",
f"Issues: {len(results['issues'])}",
f"HSTS Enabled: {'yes' if results['hsts']['enabled'] else 'no'}",
f"Status: {status}",
]
emit_report(args, report, text_lines)
if __name__ == "__main__":
main()
在新工单中引用 查看 Git Blame 复制永久链接