Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
	// Network is the default network to use.
	Network = "tcp"
	// Dialer is the default dialer to use, with a 1s timeout.
	Dialer = &net.Dialer{Timeout: time.Second}
	// Client is the default HTTP Client.
	Client = &http.Client{Transport: &http.Transport{Dial: Dialer.Dial}}
	// RootCAs defines the default root certificate authorities to be used for scan.
	RootCAs *x509.CertPool
)
var Broad = &Family{
	Description: "Large scale scans of TLS hosts",
	Scanners: map[string]*Scanner{
		"IntermediateCAs": {
			"Scans a CIDR IP range for unknown Intermediate CAs",
			intermediateCAScan,
		},
	},
}
Broad contains scanners for large swaths of TLS hosts on the internet.
var Connectivity = &Family{
	Description: "Scans for basic connectivity with the host through DNS and TCP/TLS dials",
	Scanners: map[string]*Scanner{
		"DNSLookup": {
			"Host can be resolved through DNS",
			dnsLookupScan,
		},
		"CloudFlareStatus": {
			"Host is on CloudFlare",
			onCloudFlareScan,
		},
		"TCPDial": {
			"Host accepts TCP connection",
			tcpDialScan,
		},
		"TLSDial": {
			"Host can perform TLS handshake",
			tlsDialScan,
		},
	},
}
Connectivity contains scanners testing basic connectivity to the host.
var Default = FamilySet{
	"Connectivity": Connectivity,
	"TLSHandshake": TLSHandshake,
	"TLSSession":   TLSSession,
	"PKI":          PKI,
	"Broad":        Broad,
}
Default contains each scan Family that is defined.
var PKI = &Family{
	Description: "Scans for the Public Key Infrastructure",
	Scanners: map[string]*Scanner{
		"ChainExpiration": {
			"Host's chain hasn't expired and won't expire in the next 30 days",
			chainExpiration,
		},
		"ChainValidation": {
			"All certificates in host's chain are valid",
			chainValidation,
		},
		"MultipleCerts": {
			"Host serves same certificate chain across all IPs",
			multipleCerts,
		},
	},
}
PKI contains scanners for the Public Key Infrastructure.
var TLSHandshake = &Family{
	Description: "Scans for host's SSL/TLS version and cipher suite negotiation",
	Scanners: map[string]*Scanner{
		"CipherSuite": {
			"Determines host's cipher suites accepted and preferred order",
			cipherSuiteScan,
		},
		"SigAlgs": {
			"Determines host's accepted signature and hash algorithms",
			sigAlgsScan,
		},
		"CertsBySigAlgs": {
			"Determines host's certificate signature algorithm matching client's accepted signature and hash algorithms",
			certSigAlgsScan,
		},
		"CertsByCiphers": {
			"Determines host's certificate signature algorithm matching client's accepted ciphers",
			certSigAlgsScanByCipher,
		},
		"ECCurves": {
			"Determines the host's ec curve support for TLS 1.2",
			ecCurveScan,
		},
	},
}
TLSHandshake contains scanners testing host cipher suite negotiation.
var TLSSession = &Family{
	Description: "Scans host's implementation of TLS session resumption using session tickets/session IDs",
	Scanners: map[string]*Scanner{
		"SessionResume": {
			"Host is able to resume sessions across all addresses",
			sessionResumeScan,
		},
	},
}
TLSSession contains tests of host TLS Session Resumption via Session Tickets and Session IDs.
Functions ¶
func LoadRootCAs ¶
LoadRootCAs loads the default root certificate authorities from file.
Types ¶
type Family ¶
type Family struct {
	// Description gives a short description of the scans performed on the host.
	Description string `json:"description"`
	// Scanners maps each scanner's name to the scanner to run; being a map, it imposes no fixed run order.
	Scanners map[string]*Scanner `json:"scanners"`
}
Family defines a set of related scans meant to be run together in sequence.
type FamilyResult ¶
type FamilyResult map[string]ScannerResult
FamilyResult contains a scan response for a single Family.
type Grade ¶
type Grade int
Grade gives a subjective rating of the host's success in a scan.
const (
	// Bad describes a host with serious misconfiguration or vulnerability.
	Bad Grade = iota
	// Warning describes a host with non-ideal configuration kept to retain support for older clients.
	Warning
	// Good describes a host performing at the expected state of the art.
	Good
	// Skipped describes the "grade" of a scan that has been skipped.
	Skipped
)
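As an added example (not code from the scan package itself), the following shows how the ChainExpiration and ChainValidation checks described under the PKI family map onto the Grade scale above: Bad for an expired or untrusted chain, Warning for a chain that expires inside the 30-day window the scanner description names, Good otherwise, and Skipped when there is nothing to grade. The function names, the constructed root and leaf certificates, and the hostname scan.example are this example's own assumptions, chosen so the checks run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Grade mirrors the page's Grade type: Bad < Warning < Good, plus Skipped.
type Grade int

const (
	Bad Grade = iota
	Warning
	Good
	Skipped
)

func (g Grade) String() string { return [...]string{"Bad", "Warning", "Good", "Skipped"}[g] }

// expiryWindow is the 30-day look-ahead named in the ChainExpiration description.
const expiryWindow = 30 * 24 * time.Hour

// chainExpiration grades a served chain (leaf first) as ChainExpiration is
// described: Bad if any certificate is expired or not yet valid at now,
// Warning if any expires within the window, otherwise Good. The earliest
// NotAfter is returned so a report can say which certificate is the problem.
func chainExpiration(chain []*x509.Certificate, now time.Time) (Grade, time.Time) {
	if len(chain) == 0 {
		return Skipped, time.Time{}
	}
	grade, earliest := Good, chain[0].NotAfter
	for _, c := range chain {
		if c.NotAfter.Before(earliest) {
			earliest = c.NotAfter
		}
		switch {
		case now.After(c.NotAfter) || now.Before(c.NotBefore):
			grade = Bad
		case now.Add(expiryWindow).After(c.NotAfter) && grade > Warning:
			grade = Warning
		}
	}
	return grade, earliest
}

// chainValidation grades the chain as ChainValidation is described: the leaf
// must verify up to a root in roots, using the served intermediates. No DNSName
// is set in VerifyOptions, so this is a chain check, not a hostname check.
func chainValidation(chain []*x509.Certificate, roots *x509.CertPool, now time.Time) (Grade, error) {
	if len(chain) == 0 {
		return Skipped, nil
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now}); err != nil {
		return Bad, err
	}
	return Good, nil
}

// testChain builds a constructed root and leaf (assumed test data, not real
// certificates) so the checks run offline; the caller picks the leaf's NotAfter.
func testChain(now, leafNotAfter time.Time) ([]*x509.Certificate, *x509.CertPool) {
	mustCert := func(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		return c
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-365 * 24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "scan.example"},
		DNSNames: []string{"scan.example"}, NotBefore: now.Add(-365 * 24 * time.Hour), NotAfter: leafNotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return []*x509.Certificate{leaf, ca}, roots
}

func main() {
	now := time.Now()
	for _, d := range []time.Duration{365 * 24 * time.Hour, 10 * 24 * time.Hour, -24 * time.Hour} {
		chain, roots := testChain(now, now.Add(d))
		g, earliest := chainExpiration(chain, now)
		v, err := chainValidation(chain, roots, now)
		fmt.Printf("leaf NotAfter %s: ChainExpiration=%s ChainValidation=%s err=%v\n", earliest.Format(time.RFC3339), g, v, err)
	}
}
```

The expiration check is deliberately independent of trust: a chain can be Good on ChainExpiration and Bad on ChainValidation (for example, a fresh leaf signed by a root the scanner's RootCAs pool does not contain), which is why the two scanners are listed separately under PKI.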
type Output ¶
type Output interface{}
Output is the result of a scan, to be stored for potential use by later Scanners.
type Result ¶
type Result struct {
Family, Scanner string
ScannerResult
}
A Result contains a ScannerResult along with its scanner and family names.
type Scanner ¶
type Scanner struct {
	// Description describes the nature of the scan to be performed.
	Description string `json:"description"`
	// contains filtered or unexported fields
}
Scanner describes a type of scan to perform on a host.
type ScannerResult ¶
type ScannerResult struct {
	Grade  string `json:"grade"`
	Output Output `json:"output,omitempty"`
	Error  string `json:"error,omitempty"`
}
ScannerResult contains the result for a single scan.
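An added example (not code from the scan package) of consuming a report built from these types, as a CI gate or monitoring job would: it parses a report assumed to be keyed family → scanner → ScannerResult, ignores Skipped scans, treats any unrecognised grade string as Bad rather than letting it pass, and returns the worst grade together with every result that is not Good. The grade strings "Bad", "Warning", "Good" and "Skipped" are an assumption that they serialize under the constant names, since the page does not show how Grade is rendered into ScannerResult.Grade; the sample report is constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ScannerResult and FamilyResult mirror the types on this page. Output is left
// as interface{} because each scanner stores its own shape there.
type ScannerResult struct {
	Grade  string      `json:"grade"`
	Output interface{} `json:"output,omitempty"`
	Error  string      `json:"error,omitempty"`
}

type FamilyResult map[string]ScannerResult

// Result pairs a ScannerResult with its family and scanner names, as on the page.
type Result struct {
	Family, Scanner string
	ScannerResult
}

// gradeNames orders grades from worst to best. Assumption: Grade serializes
// under the constant names; "Skipped" is handled separately and never ranked.
var gradeNames = []string{"Bad", "Warning", "Good"}

// rankOf maps a grade string to its index in gradeNames. An unknown string is
// ranked as Bad so a malformed or future grade cannot pass a gate by accident.
func rankOf(grade string) int {
	for i, g := range gradeNames {
		if g == grade {
			return i
		}
	}
	return 0
}

// Summarize parses a whole report (family -> scanner -> result), returns the
// worst grade among non-skipped scans and every result that is not Good,
// sorted by family then scanner so output is stable across runs.
func Summarize(report []byte) (worst string, findings []Result, err error) {
	var families map[string]FamilyResult
	if err = json.Unmarshal(report, &families); err != nil {
		return "", nil, err
	}
	worstRank, graded := rankOf("Good"), false
	for fam, scanners := range families {
		for name, res := range scanners {
			if res.Grade == "Skipped" {
				continue
			}
			graded = true
			r := rankOf(res.Grade)
			if r < worstRank {
				worstRank = r
			}
			if r < rankOf("Good") {
				findings = append(findings, Result{Family: fam, Scanner: name, ScannerResult: res})
			}
		}
	}
	if !graded {
		return "Skipped", nil, nil
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Family != findings[j].Family {
			return findings[i].Family < findings[j].Family
		}
		return findings[i].Scanner < findings[j].Scanner
	})
	return gradeNames[worstRank], findings, nil
}

// sampleReport is a constructed report (the grades, output and error text are
// made up for this example) in the assumed family -> scanner -> result shape.
const sampleReport = `{
  "Connectivity": {
    "DNSLookup": {"grade": "Good"},
    "TCPDial":   {"grade": "Good"},
    "TLSDial":   {"grade": "Good"}
  },
  "PKI": {
    "ChainExpiration": {"grade": "Warning", "output": "2024-02-01T00:00:00Z"},
    "ChainValidation": {"grade": "Bad", "error": "x509: certificate signed by unknown authority"}
  },
  "TLSSession": {
    "SessionResume": {"grade": "Skipped"}
  }
}`

func main() {
	worst, findings, err := Summarize([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Println("worst grade:", worst)
	for _, f := range findings {
		fmt.Printf("  %s/%s: %s %s\n", f.Family, f.Scanner, f.Grade, f.Error)
	}
}
```

Because a Skipped scan carries no judgement about the host, it must not be counted as either a pass or a failure; a report in which every scan was skipped is reported as Skipped rather than Good.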
Source Files ¶
Directories ¶
Path | Synopsis
---|---
crypto | Package crypto collects common cryptographic constants.
crypto/md5 | Package md5 implements the MD5 hash algorithm as defined in RFC 1321.
crypto/rsa | Package rsa implements RSA encryption as specified in PKCS#1.
crypto/sha1 | Package sha1 implements the SHA1 hash algorithm as defined in RFC 3174.
crypto/sha256 | Package sha256 implements the SHA224 and SHA256 hash algorithms as defined in FIPS 180-4.
crypto/sha512 | Package sha512 implements the SHA-384, SHA-512, SHA-512/224, and SHA-512/256 hash algorithms as defined in FIPS 180-4.
crypto/tls | Package tls partially implements TLS 1.2, as specified in RFC 5246.