scan

package
Published: Oct 30, 2019 License: BSD-2-Clause Imports: 18 Imported by: 146

Documentation

Index

Constants

This section is empty.

Variables

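var (
	// Network is the default network to use.
	Network = "tcp"
	// Dialer is the default dialer to use, with a 1s timeout.
	// The timeout bounds connection establishment only; the request-level
	// bounds live on Client.
	Dialer = &net.Dialer{Timeout: time.Second}
	// Client is the default HTTP Client.
	//
	// Scans talk to arbitrary, untrusted hosts, so every phase of a request is
	// bounded: the dial (via Dialer), the TLS handshake, and the request as a
	// whole including the body read. Without these a host that accepts the
	// TCP connection and then stalls would hang a scan indefinitely.
	Client = &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			DialContext:         Dialer.DialContext,
			TLSHandshakeTimeout: 10 * time.Second,
		},
	}
	// RootCAs defines the default root certificate authorities to be used for scan.
	// It stays nil until LoadRootCAs is called. NOTE(review): presumably the
	// scanners hand this to tls.Config.RootCAs, where a nil pool means
	// crypto/tls falls back to the host's system roots — confirm in the
	// scanner bodies.
	RootCAs *x509.CertPool
)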
var Broad = &Family{
	Description: "Large scale scans of TLS hosts",
	Scanners: map[string]*Scanner{
		// Walks a CIDR range rather than a single host, looking for intermediate
		// CAs not already known. NOTE(review): because this one sweeps address
		// space, only point it at ranges you are authorised to scan.
		"IntermediateCAs": {
			"Scans a CIDR IP range for unknown Intermediate CAs",
			intermediateCAScan,
		},
	},
}

Broad contains scanners for large swaths of TLS hosts on the internet.

var Connectivity = &Family{
	Description: "Scans for basic connectivity with the host through DNS and TCP/TLS dials",
	Scanners: map[string]*Scanner{
		// Name resolution only; no connection is attempted.
		"DNSLookup": {
			"Host can be resolved through DNS",
			dnsLookupScan,
		},
		// NOTE(review): presumably issues an HTTP request through the package-level
		// Client — confirm in onCloudFlareScan, since that request goes to an
		// untrusted host and inherits Client's timeouts (or lack of them).
		"CloudFlareStatus": {
			"Host is on CloudFlare",
			onCloudFlareScan,
		},
		// Plain TCP reachability; presumably dials with Network/Dialer — confirm.
		"TCPDial": {
			"Host accepts TCP connection",
			tcpDialScan,
		},
		// Full TLS handshake; presumably verifies the chain against RootCAs — confirm.
		"TLSDial": {
			"Host can perform TLS handshake",
			tlsDialScan,
		},
	},
}

Connectivity contains scanners testing basic connectivity to the host

// Default lists every Family this package defines, keyed by family name.
// Presumably these keys are what RunScans matches its family regular
// expression against; the literal's order carries no meaning (it is a map).
var Default = FamilySet{
	"Connectivity": Connectivity,
	"TLSHandshake": TLSHandshake,
	"TLSSession":   TLSSession,
	"PKI":          PKI,
	"Broad":        Broad,
}

Default contains each scan Family that is defined

var PKI = &Family{
	Description: "Scans for the Public Key Infrastructure",
	Scanners: map[string]*Scanner{
		// Flags chains that are expired or expire within 30 days (per the
		// description), giving operators lead time to renew.
		"ChainExpiration": {
			"Host's chain hasn't expired and won't expire in the next 30 days",
			chainExpiration,
		},
		// NOTE(review): "valid" presumably means verifiable against RootCAs —
		// i.e. the system roots unless LoadRootCAs was called — confirm in
		// chainValidation before relying on this as a trust check.
		"ChainValidation": {
			"All certificates in host's chain are valid",
			chainValidation,
		},
		// Compares the chain served on each of the host's addresses; a mismatch
		// typically points at a stale certificate on one member of a
		// load-balanced set.
		"MultipleCerts": {
			"Host serves same certificate chain across all IPs",
			multipleCerts,
		},
	},
}

PKI contains scanners for the Public Key Infrastructure.

var TLSHandshake = &Family{
	Description: "Scans for host's SSL/TLS version and cipher suite negotiation",
	// NOTE(review): this module's own tls subpackage is documented as only
	// "partially" implementing TLS 1.2, so these probes presumably cannot
	// exercise a host's TLS 1.3 configuration — confirm before treating the
	// results as a complete picture of what the host negotiates.
	Scanners: map[string]*Scanner{
		// Enumerates accepted suites and the server's preference order.
		"CipherSuite": {
			"Determines host's cipher suites accepted and preferred order",
			cipherSuiteScan,
		},
		// Enumerates the signature/hash algorithm pairs the host accepts.
		"SigAlgs": {
			"Determines host's accepted signature and hash algorithms",
			sigAlgsScan,
		},
		// Which certificate the host presents, keyed by the client's offered
		// signature algorithms.
		"CertsBySigAlgs": {
			"Determines host's certificate signature algorithm matching client's accepted signature and hash algorithms",
			certSigAlgsScan,
		},
		// Same idea, keyed by the client's offered cipher suites.
		"CertsByCiphers": {
			"Determines host's certificate signature algorithm matching client's accepted ciphers",
			certSigAlgsScanByCipher,
		},
		// Elliptic-curve support, TLS 1.2 only (per the description).
		"ECCurves": {
			"Determines the host's ec curve support for TLS 1.2",
			ecCurveScan,
		},
	},
}

TLSHandshake contains scanners testing host cipher suite negotiation

var TLSSession = &Family{
	Description: "Scans host's implementation of TLS session resumption using session tickets/session IDs",
	Scanners: map[string]*Scanner{
		// Checks that a session established on one address resumes on every
		// other address of the host; presumably a failure indicates members of
		// a load-balanced set do not share ticket keys or session caches — confirm.
		"SessionResume": {
			"Host is able to resume sessions across all addresses",
			sessionResumeScan,
		},
	},
}

TLSSession contains tests of host TLS Session Resumption via Session Tickets and Session IDs

Functions

func LoadRootCAs

func LoadRootCAs(caBundleFile string) (err error)

LoadRootCAs loads the root certificate authorities from the CA bundle at caBundleFile into RootCAs, the default pool used by scans. Until it is called RootCAs is nil; presumably that leaves chain verification to the host's system roots (crypto/tls treats a nil RootCAs that way).

Types

type Family

type Family struct {
	// Description gives a short description of the scans performed on the host.
	Description string `json:"description"`
	// Scanners holds the scanners of this family, keyed by scanner name.
	// It is a map, so Go gives no iteration order; nothing should rely on the
	// scanners running in a particular sequence (RunScans runs matches concurrently).
	Scanners map[string]*Scanner `json:"scanners"`
}

Family defines a set of related scans meant to be run together. Scanners is a map, so no fixed order is implied; RunScans runs the matching scans concurrently.

type FamilyResult

// FamilyResult maps scanner name to that scanner's result for one Family.
type FamilyResult map[string]ScannerResult

FamilyResult contains a scan response for a single Family

type FamilySet

// FamilySet maps family name to Family; Default is the set this package ships.
type FamilySet map[string]*Family

FamilySet contains a set of Families to run Scans from.

func (FamilySet) RunScans

func (fs FamilySet) RunScans(host, ip, family, scanner string, timeout time.Duration) (map[string]FamilyResult, error)

RunScans iterates over the receiver's families, concurrently running each scan whose family and scanner names match the family and scanner regular expressions, and collects the results by family name. The timeout argument bounds the scans; how it is applied to each scan is not shown on this page.

type Grade

// Grade is the ordinal rating of a scan outcome; see the Bad..Skipped constants
// for the defined values and the order they sort in.
type Grade int

Grade gives a subjective rating of the host's success in a scan.

const (
	// Bad describes a host with serious misconfiguration or vulnerability.
	Bad Grade = iota
	// Warning describes a host with non-ideal configuration that maintains support for Warning clients.
	// NOTE(review): "Warning clients" reads as a slip — presumably "legacy
	// clients" was meant; confirm against the grading code before rewording.
	Warning
	// Good describes host performing the expected state-of-the-art.
	Good
	// Skipped describes the "grade" of a scan that has been skipped.
	// Note the numeric order: Skipped (3) sorts above Good (2), so an ordinal
	// comparison such as g >= Good also admits skipped scans; test for Skipped
	// explicitly before ranking grades.
	Skipped
)

func (Grade) String

func (g Grade) String() string

String gives the name of the Grade as a string.

type Output

// Output is an untyped scan result; nothing in this package constrains its
// shape, so consumers must type-assert it per scanner.
type Output interface{}

Output is the result of a scan, to be stored for potential use by later Scanners.

type Result

// Result pairs a ScannerResult with the Family and Scanner names that produced
// it. ScannerResult is embedded, so its Grade, Output and Error fields are
// promoted onto Result.
type Result struct {
	Family, Scanner string
	ScannerResult
}

A Result contains a ScannerResult along with its scanner and family names.

type Scanner

// Scanner is one probe of a Family. The Family literals above construct it
// positionally: the description first, then an unexported scan function
// (the field the rendered docs elide below).
type Scanner struct {
	// Description describes the nature of the scan to be performed.
	Description string `json:"description"`
	// contains filtered or unexported fields
}

Scanner describes a type of scan to perform on a host.

func (*Scanner) Scan

func (s *Scanner) Scan(addr, hostname string) (Grade, Output, error)

Scan runs this scanner against the given address and hostname, returning the Grade, the scanner's Output and any error, and stores the result.

type ScannerResult

type ScannerResult struct {
	// Grade is the grade's name as a string rather than its ordinal
	// (presumably via Grade.String), so consumers compare against
	// "Bad"/"Warning"/"Good"/"Skipped" by name.
	Grade  string `json:"grade"`
	// Output is whatever the scanner produced; omitted from JSON when nil.
	Output Output `json:"output,omitempty"`
	// Error is the error message; empty, and omitted from JSON, on success.
	Error  string `json:"error,omitempty"`
}

ScannerResult contains the result for a single scan.

Directories

Path Synopsis
crypto
Package crypto collects common cryptographic constants.
md5
Package md5 implements the MD5 hash algorithm as defined in RFC 1321.
rsa
Package rsa implements RSA encryption as specified in PKCS#1.
sha1
Package sha1 implements the SHA1 hash algorithm as defined in RFC 3174.
sha256
Package sha256 implements the SHA224 and SHA256 hash algorithms as defined in FIPS 180-4.
sha512
Package sha512 implements the SHA-384, SHA-512, SHA-512/224, and SHA-512/256 hash algorithms as defined in FIPS 180-4.
tls
Package tls partially implements TLS 1.2, as specified in RFC 5246.
