Documentation
Variables

var (
    // NkxErrorMessage error message
    NkxErrorMessage = "Not a key exchange message"
)
Types

type AdvancedScanRequest (added in v0.5.4)

type AdvancedScanRequest struct {
    Config ScanConfig
    // Next two fields will be automatically set once scan starts
    Day    string // Date the scan was run in the format yyyy-mm-dd
    ScanID string // Non-empty ScanID means this is a ScanRequest to resume an existing, possibly incomplete, scan
    ScanGroups []ScanGroup
}

AdvancedScanRequest is a model to describe a given TLS Audit scan
type CertificateMessage

type CertificateMessage struct {
    // Raw []byte
    Certificates [][]byte
    Certs        []*x509.Certificate
}

CertificateMessage simply exporting the internal certificateMsg
func (*CertificateMessage) GetCertificates

func (cert *CertificateMessage) GetCertificates() (certs []*x509.Certificate, e error)

GetCertificates returns the list of certificates in a TLS certificate message
type CipherConfig (added in v0.1.9)

type CipherConfig struct {
    CipherID               uint16
    Cipher                 string
    KeyExchange            string
    Authentication         string
    IsExport               bool
    SupportsForwardSecrecy bool
    Encryption             string
    MACPRF                 string // MAC (TLS <= 1.1) or PseudoRandomFunction (TLS >= 1.2)
}

CipherConfig extracts the important elements of a Ciphersuite based on its name
func GetCipherConfig (added in v0.1.9)

func GetCipherConfig(cipher uint16) (config CipherConfig, err error)

GetCipherConfig extracts a `CipherConfig` using the Cipher's IANA string name. Details here: https://www.iana.org/assignments/tls-parameters/tls-parameters.txt
func (*CipherConfig) ComputeContextFreeMetric (added in v0.1.27)

func (cc *CipherConfig) ComputeContextFreeMetric(config CipherConfigParameters) (metric CipherMetrics)

ComputeContextFreeMetric calculates interesting metrics about the cipher
func (*CipherConfig) GetEncryptionKeyLength (added in v0.1.9)

func (cc *CipherConfig) GetEncryptionKeyLength() int

GetEncryptionKeyLength returns the effective key lengths of encryption algorithms used in the cipher. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf for details
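As an added example (not the package's own code), the following stand-alone Go program shows how the CipherConfig fields that GetCipherConfig derives from an IANA cipher suite name can be parsed out, and how the NIST SP 800-57 effective key length that GetEncryptionKeyLength describes follows from the encryption token; the CipherConfig type is a local copy, and ParseIANACipherName, fixedBits and EffectiveKeyBits are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CipherConfig is a local copy of the fields documented on this page (example only).
type CipherConfig struct {
	Cipher, KeyExchange, Authentication, Encryption, MACPRF string
	IsExport, SupportsForwardSecrecy                         bool
}

// ParseIANACipherName splits TLS_<kx>[_<auth>][_EXPORT]_WITH_<encryption>_<mac-or-prf>.
func ParseIANACipherName(name string) (CipherConfig, error) {
	cc := CipherConfig{Cipher: name}
	kxPart, encPart, hasWith := strings.Cut(strings.TrimPrefix(name, "TLS_"), "_WITH_")
	i := strings.LastIndex(encPart, "_") // the MAC (TLS <= 1.1) or PRF hash is the final token
	if !strings.HasPrefix(name, "TLS_") || !hasWith || i < 0 {
		return cc, fmt.Errorf("unsupported cipher suite name %q", name)
	}
	kx := strings.Split(kxPart, "_")
	if kx[len(kx)-1] == "EXPORT" { // e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5
		cc.IsExport, kx = true, kx[:len(kx)-1]
	}
	cc.KeyExchange, cc.Authentication = kx[0], kx[len(kx)-1] // a lone token (RSA, PSK) is both; "anon" = unauthenticated
	cc.SupportsForwardSecrecy = strings.HasSuffix(cc.KeyExchange, "DHE") // only ephemeral (EC)DHE
	cc.Encryption, cc.MACPRF = encPart[:i], encPart[i+1:]
	return cc, nil
}

// fixedBits: NIST SP 800-57 effective strengths for names carrying no key size (3-key 3DES = 112).
var fixedBits = map[string]int{"NULL": 0, "3DES": 112, "DES40": 40, "DES": 56, "CHACHA20": 256}

// EffectiveKeyBits returns the effective encryption key length in bits, or -1 if unknown.
func (cc CipherConfig) EffectiveKeyBits() int {
	toks := strings.Split(cc.Encryption, "_")
	if b, ok := fixedBits[toks[0]]; ok {
		return b
	}
	for _, t := range toks { // AES_128_GCM -> 128, RC4_40 -> 40, CAMELLIA_256_CBC -> 256
		if n, err := strconv.Atoi(t); err == nil {
			return n
		}
	}
	return -1
}

func main() { fmt.Println(ParseIANACipherName("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")) }
```

TLS 1.3 suite names (TLS_AES_128_GCM_SHA256 and friends) carry no key-exchange part and are rejected here, since in TLS 1.3 the key exchange is negotiated separately from the cipher suite.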
func (*CipherConfig) GetKeyExchangeKeyLength (added in v0.1.9)

func (cc *CipherConfig) GetKeyExchangeKeyLength(cipher, protocol uint16, scan ScanResult) int

GetKeyExchangeKeyLength returns the key length indicated by the cipher

func (*CipherConfig) GetMACPRFStrength (added in v0.1.27)

func (cc *CipherConfig) GetMACPRFStrength() int

GetMACPRFStrength returns the relative strength of the MAC/PRF algorithm

func (*CipherConfig) IsAuthenticated (added in v0.1.9)

func (cc *CipherConfig) IsAuthenticated() bool

IsAuthenticated returns whether the cipher supports authentication
type CipherConfigParameters (added in v0.1.27)

type CipherConfigParameters struct {
    RSABitLength           int      // The RSA key from the certificate
    SupportedGroupStrength int
    SupportedGroups        []string // The Supported Groups that have the indicated strength
}

CipherConfigParameters contains the parameters used to determine the key length of key exchange algorithms and other cipher parameters
type CipherMetrics (added in v0.1.27)

type CipherMetrics struct {
    Authentication        int
    KeyExchangeStrength   int
    ForwardSecrecy        int
    EncryptionKeyStrength int
    MacPRF                int
    Performance           int
    OverallScore          int
    ConfigParams          CipherConfigParameters
    CipherConfig          CipherConfig
}

CipherMetrics are various metrics of interest for comparing ciphers, used as the basis for ordering them by desirable properties such as security and performance
func EnumerateCipherMetrics (added in v0.1.27)

func EnumerateCipherMetrics() (metrics []CipherMetrics)

EnumerateCipherMetrics enumerates metrics for ciphers along multiple config axes

type CipherMetricsSorter (added in v0.1.27)

type CipherMetricsSorter []CipherMetrics

CipherMetricsSorter sorts scan results by server IP and port

func (CipherMetricsSorter) Len (added in v0.1.27)

func (k CipherMetricsSorter) Len() int

func (CipherMetricsSorter) Less (added in v0.1.27)

func (k CipherMetricsSorter) Less(i, j int) bool

func (CipherMetricsSorter) Swap (added in v0.1.27)

func (k CipherMetricsSorter) Swap(i, j int)
type CurveID (added in v0.5.5)

type CurveID uint16

CurveID is the type of a TLS identifier for an elliptic curve. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.

In TLS 1.3, this type is called NamedGroup, but at this time this library only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.
type GroupedHost (added in v0.5.4)

GroupedHost holds the exploded hosts from an associated ScanGroup
type HelloAndKey

type HelloAndKey struct {
    Hello  ServerHelloMessage
    Key    ServerKeyExchangeMsg
    HasKey bool
}

HelloAndKey bundles server hello and ServerKeyExchange messages

type HostAndPort

HostAndPort is a model representing a hostname and a given port
type HumanCertificate (added in v0.1.22)

type HumanCertificate struct {
    Subject            string
    SubjectSerialNo    string
    SubjectCN          string
    SubjectAN          string
    SerialNumber       string
    Issuer             string
    PublicKeyAlgorithm string
    ValidFrom          string
    ValidUntil         string
    Key                string
    SignatureAlgorithm string
    Signature          string
    OcspStapling       bool
    RevocationDetail   string
}

HumanCertificate is a "string" representation of various attributes of a certificate
type HumanScanResult

type HumanScanResult struct {
    Server                                 string
    HostName                               string
    Port                                   string
    SupportsTLS                            bool
    SupportedProtocols                     []string
    HasCipherPreferenceOrderByProtocol     map[string]bool
    CipherPreferenceOrderByProtocol        map[string][]string
    OcspStaplingByProtocol                 map[string]bool
    SelectedCipherByProtocol               map[string]string
    ALPNByProtocol                         map[string]string
    SecureRenegotiationSupportedByProtocol map[string]bool
    CipherSuiteByProtocol                  map[string][]string
    // ServerHelloMessageByProtocolByCipher map[string]map[string]ServerHelloMessage
    CertificatesPerProtocol map[string][]HumanCertificate
    // KeyExchangeByProtocolByCipher map[string]map[string]ServerKeyExchangeMsg
    IsSTARTLS               bool
    IsSSH                   bool
    SupportsTLSFallbackSCSV bool
    Score                   SecurityScore
    GroupID                 int // ScanRequest Host Group index
}

HumanScanResult is a Stringified version of ScanResult
type KeyShare (added in v0.5.5)

type KeyShare struct{}

KeyShare is a TLS 1.3 Key Share. See RFC 8446, Section 4.2.8.
type PersistedScanRequest (added in v0.1.18)

type PersistedScanRequest struct {
    Request      AdvancedScanRequest
    GroupedHosts []GroupedHost
    ScanStart    time.Time
    ScanEnd      time.Time
    Progress     int
    HostCount    int
}

PersistedScanRequest is the persisted version of ScanRequest

func UnmasharlPersistedScanRequest (added in v0.1.18)

func UnmasharlPersistedScanRequest(data []byte) (PersistedScanRequest, error)

UnmasharlPersistedScanRequest builds PersistedScanRequest from bytes

func (PersistedScanRequest) Marshall (added in v0.1.18)

func (psr PersistedScanRequest) Marshall() []byte

Marshall marshals the scan request to bytes
type ScanConfig

type ScanConfig struct {
    ProtocolsOnly bool
    Timeout       int
    // Number of Packets per Second to send out during underlying port scan
    PacketsPerSecond int
    // Suppress certificate output
    HideCerts bool
    // Suppress output of TLS status of closed ports or ports with no TLS
    HideNoTLS bool
    // control whether to produce a running commentary of scan progress or stay quiet till the end
    Quiet       bool
    ServicePort int
}

ScanConfig describes details of how the TLS scan should be carried out
type ScanData (added in v0.5.4)

type ScanData struct {
    ScanRequest AdvancedScanRequest
    Results     map[int][]HumanScanResult // ScanGroup index (in the ASR) -> human scan results
}

ScanData is the Human-readable result of a given scan

type ScanGroup (added in v0.5.4)

type ScanGroup struct {
    Description string   `yaml:"description"` // Freeform text used in reporting
    CIDRRanges  []string `yaml:"cidrRanges"`
}

ScanGroup is a grouping of CIDR ranges to be scanned with descriptions, useful for reporting
type ScanProgress (added in v0.1.10)

type ScanProgress struct {
    ScanID      string
    Progress    float32
    ScanResults []HumanScanResult // this is the latest scan results delta; at the end of scan all cumulative scans are sent
    Narrative   string            // freeflow text
}

ScanProgress contains partial scan results with an indication of progress
type ScanResult

type ScanResult struct {
    Server                                 string // IP address
    HostName                               string
    Port                                   string
    SupportedProtocols                     []uint16
    HasCipherPreferenceOrderByProtocol     map[uint16]bool
    CipherPreferenceOrderByProtocol        map[uint16][]uint16
    OcspStaplingByProtocol                 map[uint16]bool
    SelectedCipherByProtocol               map[uint16]uint16
    ALPNByProtocol                         map[uint16]string
    SecureRenegotiationSupportedByProtocol map[uint16]bool
    CipherSuiteByProtocol                  map[uint16][]uint16
    ServerHelloMessageByProtocolByCipher   map[uint16]map[uint16]ServerHelloMessage
    CertificatesPerProtocol                map[uint16]CertificateMessage
    KeyExchangeByProtocolByCipher          map[uint16]map[uint16]ServerKeyExchangeMsg
    IsSTARTLS                              bool
    IsSSH                                  bool
    SupportsTLSFallbackSCSV                bool
    GroupID                                int // ScanRequest Host Group index
}

ScanResult is the scan result of a server's TLS settings

func UnmarsharlScanResult (added in v0.1.18)

func UnmarsharlScanResult(data []byte) ([]ScanResult, error)

UnmarsharlScanResult builds ScanResults from bytes
func (*ScanResult) CalculateScore (added in v0.1.9)

func (s *ScanResult) CalculateScore() (result SecurityScore)

CalculateScore computes an SSL Labs-esque score for the scan. See https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide and https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018
func (ScanResult) String

func (s ScanResult) String() string

func (ScanResult) SupportsTLS

func (s ScanResult) SupportsTLS() bool

SupportsTLS determines whether the port on the specified server supports TLS at all

func (ScanResult) ToJSON

func (s ScanResult) ToJSON() (js string)

ToJSON returns a JSON-formatted string representation of the ScanResult

func (ScanResult) ToString

func (s ScanResult) ToString(config ScanConfig) (result string)

ToString generates a string output

func (ScanResult) ToStringStruct

func (s ScanResult) ToStringStruct() (out HumanScanResult)

ToStringStruct returns a string-decoded form of ScanResult
type ScanResultSorter (added in v0.1.18)

type ScanResultSorter []ScanResult

ScanResultSorter sorts scan results by server IP and port

func (ScanResultSorter) Len (added in v0.1.18)

func (k ScanResultSorter) Len() int

func (ScanResultSorter) Less (added in v0.1.18)

func (k ScanResultSorter) Less(i, j int) bool

func (ScanResultSorter) Swap (added in v0.1.18)

func (k ScanResultSorter) Swap(i, j int)
type ScanResultSummary (added in v0.1.21)

type ScanResultSummary struct {
    Request          AdvancedScanRequest
    ScanStart        time.Time
    ScanEnd          time.Time
    Progress         int
    HostCount        int
    PortCount        int
    BestGrade        string
    WorstGrade       string
    HostGrades       map[string]string
    GradeToHostPorts map[string][]string
}

ScanResultSummary is the summary of a scan result session
type SecurityScore (added in v0.1.9)

type SecurityScore struct {
    ProtocolScore         int
    KeyExchangeScore      int
    CipherEncryptionScore int
    CertificateScore      int
    Grade                 string
    Warnings              []string
}

SecurityScore contains the overall grading of a TLS/SSL port

func (SecurityScore) OrderGrade (added in v0.1.21)

func (SecurityScore) OrderGrade(grade string) int

OrderGrade allows a simple numeric ordering of TLS grades. Actual values don't matter
type ServerHelloMessage

type ServerHelloMessage struct {
    Raw                          []byte
    Vers                         uint16
    Random                       []byte
    SessionId                    []byte
    CipherSuite                  uint16
    CompressionMethod            uint8
    NextProtoNeg                 bool
    NextProtos                   []string
    OcspStapling                 bool
    Scts                         [][]byte
    TicketSupported              bool
    SecureRenegotiation          []byte
    SecureRenegotiationSupported bool
    AlpnProtocol                 string
    SupportedVersion             uint16
    SelectedIdentityPresent      bool
    SelectedIdentity             uint16
    // contains filtered or unexported fields
}

ServerHelloMessage is the TLS server hello message

type ServerKeyExchangeMsg

ServerKeyExchangeMsg is the key exchange message
type TLSAuditConfig (added in v0.1.22)

type TLSAuditConfig struct {
    DailySchedules   []string    `yaml:"dailySchedules"` // in the format 13:45, 01:20 etc
    ServicePort      int         `yaml:"servicePort"`
    IsProduction     bool        `yaml:"isProduction"`
    PacketsPerSecond int         `yaml:"packetsPerSecond"`
    Timeout          int         `yaml:"timeout"`
    ScanGroups       []ScanGroup `yaml:"scanGroups"`
}

TLSAuditConfig is the configuration of the nmap runner
type TLSAuditSnapshot (added in v0.1.22)

type TLSAuditSnapshot struct {
    Timestamp   time.Time
    ScanResults []ScanResult
}

TLSAuditSnapshot is a snapshot representing the results of a given scan session

type TLSAuditSnapshotHuman (added in v0.1.22)

type TLSAuditSnapshotHuman struct {
    Timestamp   time.Time
    ScanResults []HumanScanResult
}

TLSAuditSnapshotHuman is a snapshot representing the results of a given scan session