Documentation ¶
Index ¶
- func FormatToSerialNumber(serialNumber *big.Int) string
- func GetCiphersWithLevel(cipherList []string, SecLevel ...CipherSecLevel) []string
- func GetConn(ctx context.Context, hostname, ip, port string, inputOpts *Options) (net.Conn, error)
- func GetUniqueDomainsFromCert(resp *CertificateResponse) []string
- func IntersectStringSlices(s1 []string, s2 []string) []string
- func IsExpired(notAfter time.Time) bool
- func IsMisMatchedCert(host string, alternativeNames []string) bool
- func IsSelfSigned(authorityKeyID, subjectKeyID []byte) bool
- func IsTLSRevoked(options *Options, cert *x509.Certificate) bool
- func IsUntrustedCA(certs []*x509.Certificate) bool
- func IsWildCardCert(names []string) bool
- func IsZTLSRevoked(options *Options, cert *zx509.Certificate) bool
- func IsZTLSUntrustedCA(certs []ztls.SimpleCertificate) bool
- func MD5Fingerprint(data []byte) string
- func ParseASN1DNSequenceWithZpkix(data []byte) string
- func ParseASN1DNSequenceWithZpkixOrDefault(data []byte, defaultValue string) string
- func PemEncode(cert []byte) string
- func SHA1Fingerprint(data []byte) string
- func SHA256Fingerprint(data []byte) string
- type CertificateDistinguishedName
- type CertificateResponse
- type CertificateResponseFingerprintHash
- type CipherSecLevel
- type CipherTypes
- type ConnectOptions
- type EnumMode
- type Implementation
- type Options
- type Response
- type TlsCiphers
Functions ¶
func FormatToSerialNumber ¶
FormatToSerialNumber converts a big.Int to a colon-separated hex string. Example: 17034156255497985825694118641198758684 -> 0C:D0:A8:BE:C6:32:CF:E6:45:EC:A0:A9:B0:84:FB:1C
func GetCiphersWithLevel ¶
func GetCiphersWithLevel(cipherList []string, SecLevel ...CipherSecLevel) []string
GetCiphersWithLevel returns the list of ciphers from cipherList that have the given security level(s) (SecLevel).
func GetUniqueDomainsFromCert ¶
func GetUniqueDomainsFromCert(resp *CertificateResponse) []string
GetUniqueDomainsFromCert returns the unique domains extracted from the certificate response.
func IntersectStringSlices ¶
IntersectStringSlices returns the intersection of two string slices.
func IsMisMatchedCert ¶
IsMisMatchedCert returns true if the certificate names (subject common name + alternative names) do not contain host.
func IsSelfSigned ¶
IsSelfSigned returns true if the certificate is self-signed
func IsTLSRevoked ¶
func IsTLSRevoked(options *Options, cert *x509.Certificate) bool
IsTLSRevoked returns true if the certificate has been revoked or failed to parse
func IsUntrustedCA ¶
func IsUntrustedCA(certs []*x509.Certificate) bool
IsUntrustedCA returns true if the certificate is a self-signed CA
func IsWildCardCert ¶
IsWildCardCert returns true if the certificate is a wildcard certificate
func IsZTLSRevoked ¶
func IsZTLSRevoked(options *Options, cert *zx509.Certificate) bool
IsZTLSRevoked returns true if the certificate has been revoked
func IsZTLSUntrustedCA ¶
func IsZTLSUntrustedCA(certs []ztls.SimpleCertificate) bool
IsZTLSUntrustedCA returns true if the certificate is a self-signed CA
func MD5Fingerprint ¶
MD5Fingerprint creates a fingerprint of data using the MD5 hash algorithm.
func ParseASN1DNSequenceWithZpkix ¶
ParseASN1DNSequenceWithZpkix tries to parse raw ASN1 of a TLS DN with zpkix and zasn1 library which includes additional information not parsed by go standard library which may be useful.
If the parsing fails, a blank string is returned and the standard library data is used.
func ParseASN1DNSequenceWithZpkixOrDefault ¶
ParseASN1DNSequenceWithZpkixOrDefault returns the parsed value of the ASN1 DN sequence, or the given default string value when parsing fails.
func SHA1Fingerprint ¶
SHA1Fingerprint creates a fingerprint of data using the SHA1 hash algorithm.
func SHA256Fingerprint ¶
SHA256Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.
Types ¶
type CertificateDistinguishedName ¶
// CertificateDistinguishedName is a distinguished certificate name: the
// X.509 name attributes of a subject or an issuer. Each attribute except
// CommonName may occur more than once in a DN, hence the slices.
type CertificateDistinguishedName struct {
	Country            []string `json:"country,omitempty"`
	Organization       []string `json:"organization,omitempty"`
	OrganizationalUnit []string `json:"organizational_unit,omitempty"`
	Locality           []string `json:"locality,omitempty"`
	Province           []string `json:"province,omitempty"`
	StreetAddress      []string `json:"street_address,omitempty"`
	CommonName         string   `json:"common_name,omitempty"`
}
type CertificateResponse ¶
// CertificateResponse is the response for a certificate: the parsed and
// evaluated view of one X.509 certificate as reported by tlsx.
//
// All boolean verdicts (Expired, SelfSigned, MisMatched, Revoked, Untrusted,
// WildCardCert) carry `omitempty`, so a false verdict is simply absent from
// the JSON. Consumers must treat a missing key as "false", never as
// "not checked".
type CertificateResponse struct {
	// Expired specifies whether the certificate has expired
	Expired bool `json:"expired,omitempty"`
	// SelfSigned is true if the certificate is self-signed
	SelfSigned bool `json:"self_signed,omitempty"`
	// MisMatched is true if the certificate names do not match the host
	MisMatched bool `json:"mismatched,omitempty"`
	// Revoked is true if the certificate is revoked (or, with Options.HardFail,
	// if the revocation check itself failed)
	Revoked bool `json:"revoked,omitempty"`
	// Untrusted is true if the certificate is untrusted
	Untrusted bool `json:"untrusted,omitempty"`
	// NotBefore is the not-before time for certificate.
	// omitempty has no effect on a time.Time (a struct), so a zero time is emitted as-is.
	NotBefore time.Time `json:"not_before,omitempty"`
	// NotAfter is the not-after time for certificate (same omitempty caveat as NotBefore)
	NotAfter time.Time `json:"not_after,omitempty"`
	// SubjectDN is the distinguished name for the cert subject
	SubjectDN string `json:"subject_dn,omitempty"`
	// SubjectCN is the common name for the cert subject
	SubjectCN string `json:"subject_cn,omitempty"`
	// SubjectOrg is the organization for cert subject
	SubjectOrg []string `json:"subject_org,omitempty"`
	// SubjectAN is a list of Subject Alternative Names for the certificate
	SubjectAN []string `json:"subject_an,omitempty"`
	// Domains is the deduplicated list of subject_cn + subject_an
	Domains []string `json:"domains,omitempty"`
	// Serial is the certificate serial number
	// (presumably formatted by FormatToSerialNumber as colon-separated hex — confirm)
	Serial string `json:"serial,omitempty"`
	// IssuerDN is the distinguished name for the cert issuer
	IssuerDN string `json:"issuer_dn,omitempty"`
	// IssuerCN is the common name for the cert issuer
	IssuerCN string `json:"issuer_cn,omitempty"`
	// IssuerOrg is the organization for cert issuer
	IssuerOrg []string `json:"issuer_org,omitempty"`
	// Emails is a list of Emails for the certificate
	Emails []string `json:"emails,omitempty"`
	// FingerprintHash is the hashes for certificate
	FingerprintHash CertificateResponseFingerprintHash `json:"fingerprint_hash,omitempty"`
	// Certificate is the raw certificate in PEM format
	Certificate string `json:"certificate,omitempty"`
	// WildCardCert is true if the tls certificate is a wildcard certificate
	WildCardCert bool `json:"wildcard_certificate,omitempty"`
}
// CertificateResponse is the response for a certificate
func Convertx509toResponse ¶
func Convertx509toResponse(options *Options, hostname string, cert *x509.Certificate, showcert bool) *CertificateResponse
type CertificateResponseFingerprintHash ¶
// CertificateResponseFingerprintHash is a response for fingerprint hash of cert.
// Each field is the hex digest of the DER certificate bytes under that
// algorithm (see MD5Fingerprint, SHA1Fingerprint, SHA256Fingerprint).
type CertificateResponseFingerprintHash struct {
	// MD5 is the md5 hash for certificate (kept for matching legacy tooling)
	MD5 string `json:"md5,omitempty"`
	// SHA1 is the sha1 hash for certificate (kept for matching legacy tooling)
	SHA1 string `json:"sha1,omitempty"`
	// SHA256 is the sha256 hash for certificate; prefer it over MD5/SHA1 when
	// using a fingerprint to identify a certificate
	SHA256 string `json:"sha256,omitempty"`
}
type CipherSecLevel ¶
// CipherSecLevel is the security level assigned to a cipher suite name; the
// levels are the constants below, and GetCipherLevel maps a name to its level.
type CipherSecLevel uint
// Security levels a cipher suite can be classified into. All is the zero
// value and therefore the default; Unknown is used for cipher names that
// tlsx does not recognise (see CipherTypes.Unknown).
const (
	All CipherSecLevel = iota // Default (zero value)
	Weak
	Insecure
	Secure
	Unknown
)
func GetCipherLevel ¶
func GetCipherLevel(cipherName string) CipherSecLevel
GetCipherLevel returns security level of given cipher
type CipherTypes ¶
// CipherTypes groups cipher suite names by their CipherSecLevel; it is the
// result of IdentifyCiphers.
type CipherTypes struct {
	Weak     []string `json:"weak,omitempty"`
	Insecure []string `json:"insecure,omitempty"`
	Secure   []string `json:"secure,omitempty"`
	Unknown  []string `json:"unknown,omitempty"` // cipher type not known to tlsx
}
func IdentifyCiphers ¶
func IdentifyCiphers(cipherList []string) CipherTypes
IdentifyCiphers classifies the ciphers in the given cipherList by type (security level).
func (*CipherTypes) ColorCode ¶
func (c *CipherTypes) ColorCode(a aurora.Aurora) CipherTypes
ColorCode returns a clone of CipherTypes with colored strings.
type ConnectOptions ¶
// ConnectOptions are the per-connection settings passed to an
// Implementation's ConnectWithOptions and EnumerateCiphers.
type ConnectOptions struct {
	SNI         string           // server name to send in the TLS handshake
	VersionTLS  string           // TLS version to use for the connection (presumably one value; confirm format)
	Ciphers     []string         // cipher suites to offer
	CipherLevel []CipherSecLevel // Only used in cipher enum mode
	EnumMode    EnumMode         // Enumeration Mode (version or ciphers)
}
type Implementation ¶
// Implementation is an interface implemented by each TLSX client backend.
type Implementation interface {
	// ConnectWithOptions connects to hostname/ip:port with the given options
	// and grabs the response data
	ConnectWithOptions(hostname, ip, port string, options ConnectOptions) (*Response, error)
	// EnumerateCiphers returns the cipher suites accepted by the server for the
	// connection described by options (used in cipher enum mode — confirm per backend)
	EnumerateCiphers(hostname, ip, port string, options ConnectOptions) ([]string, error)
	// SupportedTLSVersions returns the list of supported tls versions
	SupportedTLSVersions() ([]string, error)
	// SupportedTLSCiphers returns the list of supported tls ciphers
	SupportedTLSCiphers() ([]string, error)
}
type Options ¶
// Options contains configuration options for tlsx client.
type Options struct {
	// OutputFile is the file to write output to
	OutputFile string
	// Inputs is a list of inputs to process
	Inputs goflags.StringSlice
	// InputList is the list of inputs to process
	InputList string
	// ServerName is the optional server-name for tls connection
	ServerName goflags.StringSlice
	// RandomForEmptyServerName uses a random server name in case of empty sni
	RandomForEmptyServerName bool
	// ReversePtrSNI performs a reverse PTR query to obtain SNI from IP
	ReversePtrSNI bool
	// Verbose enables display of verbose output
	Verbose bool
	// Version shows the version of the program
	Version bool
	// JSON enables display of JSON output
	JSON bool
	// DisplayDns enables display of unique hostname from SSL certificate response
	DisplayDns bool
	// TLSChain enables printing TLS chain information to output
	TLSChain bool
	// AllCiphers exists for historical compatibility and should not be used.
	//
	// Deprecated: AllCiphers has no replacement; leave it unset.
	AllCiphers bool
	// ProbeStatus enables writing of errors with json output (see Response.Error)
	ProbeStatus bool
	// CertsOnly enables early SSL termination using ztls flag
	CertsOnly bool
	// RespOnly displays TLS responses only in CLI output
	RespOnly bool
	// Silent enables silent output display
	Silent bool
	// NoColor disables coloring of CLI output
	NoColor bool
	// Retries is the number of times to retry TLS connection
	Retries int
	// Timeout is the number of seconds to wait for connection
	Timeout int
	// Concurrency is the number of concurrent threads to process
	Concurrency int
	// Delay is the duration to wait between requests in each thread
	// (given as a string; presumably parsed as a Go duration — confirm)
	Delay string
	// Ports is the list of ports to make requests to
	Ports goflags.StringSlice
	// Ciphers is a list of custom ciphers to use for connection
	Ciphers goflags.StringSlice
	// CACertificate is the CA certificate for connection
	// (presumably a file path; used to verify the server chain — confirm)
	CACertificate string
	// MinVersion is the minimum tls version that is acceptable
	MinVersion string
	// MaxVersion is the maximum tls version that is acceptable
	MaxVersion string
	// Resolvers contains custom resolvers for the tlsx client
	Resolvers goflags.StringSlice
	// ScanMode is the tls connection mode to use
	ScanMode string
	// VerifyServerCertificate enables verification of server certificates.
	// The zero value (false) disables verification: the handshake then
	// succeeds against any chain and problems are surfaced through the
	// Expired/SelfSigned/Untrusted/MisMatched/Revoked fields of the response
	// instead of as a connection error (NOTE(review): confirm this is the
	// behaviour of every scan mode).
	VerifyServerCertificate bool
	// OpenSSLBinary is the path to the openssl binary
	OpenSSLBinary string
	// SAN displays Subject Alternative Names
	SAN bool
	// CN displays Subject Common Name
	CN bool
	// SO displays Subject Organization Name
	SO bool
	// TLSVersion displays used TLS version
	TLSVersion bool
	// Cipher displays used cipher
	Cipher bool
	// Expired displays validity of TLS certificate
	Expired bool
	// SelfSigned displays if cert is self-signed
	SelfSigned bool
	// Untrusted displays if cert is untrusted
	Untrusted bool
	// MisMatched displays if the cert is mismatched
	MisMatched bool
	// Revoked displays if the cert is revoked
	Revoked bool
	// HardFail defines Revoke status when there are parse failures or other errors.
	// If HardFail is true then on any error the certificate is considered revoked
	// (fail-closed); if false, a certificate whose revocation status could not be
	// determined is reported as not revoked.
	HardFail bool
	// Hash is the hash to display for certificate
	Hash string
	// Jarm calculates the JARM fingerprint using multiple probes
	Jarm bool
	// Cert displays certificate in pem format
	Cert bool
	// Ja3 displays ja3 fingerprint hash
	Ja3 bool
	// ScanAllIPs scans all IPs a hostname resolves to
	ScanAllIPs bool
	// IPVersion is the IP version(s) to use for scanning
	IPVersion goflags.StringSlice
	// WildcardCertCheck enables wildcard certificate check
	WildcardCertCheck bool
	// TlsVersionsEnum enumerates supported tls versions
	TlsVersionsEnum bool
	// TlsCiphersEnum enumerates supported ciphers per TLS protocol
	TlsCiphersEnum bool
	// TLsCipherLevel is the list of cipher security levels (see CipherSecLevel)
	// to report in cipher enum mode; the unusual capitalisation is kept for
	// compatibility with existing callers
	TLsCipherLevel []string
	// ClientHello include client hello (only ztls)
	ClientHello bool
	// ServerHello include server hello (only ztls)
	ServerHello bool
	// HealthCheck performs a capabilities healthcheck
	HealthCheck bool
	// DisableUpdateCheck disables checking update
	DisableUpdateCheck bool
	// CipherConcurrency is the concurrency used for cipher enumeration
	// (presumably the number of parallel cipher probes — confirm)
	CipherConcurrency int
	// Fastdialer is a fastdialer dialer instance
	Fastdialer *fastdialer.Dialer
	// Serial displays the certificate serial number
	Serial bool
}
type Response ¶
// Response is the response returned for a TLS grab event.
//
// Host, Port and ProbeStatus have no omitempty and are therefore always
// present in the JSON; everything else is omitted when empty.
type Response struct {
	// Timestamp is the timestamp for certificate response
	Timestamp *time.Time `json:"timestamp,omitempty"`
	// Host is the host to make request to
	Host string `json:"host"`
	// IP is the IP address the request was made to
	IP string `json:"ip,omitempty"`
	// Port is the port to make request to
	Port string `json:"port"`
	// ProbeStatus is false if the tls probe failed
	ProbeStatus bool `json:"probe_status"`
	// Error is the optional error for tls request included
	// with errors_json flag (see Options.ProbeStatus).
	Error string `json:"error,omitempty"`
	// Version is the tls version responded by the server
	Version string `json:"tls_version,omitempty"`
	// Cipher is the cipher for the tls request
	Cipher string `json:"cipher,omitempty"`
	// CertificateResponse is the leaf certificate embedded in json.
	// The field is an embedded struct, so its fields are promoted into the
	// top-level JSON object; encoding/json does not recognise the ",inline"
	// option and the embedding alone produces this effect.
	*CertificateResponse `json:",inline"`
	// TLSConnection is the client used for TLS connection
	// when ran using scan-mode auto.
	TLSConnection string `json:"tls_connection,omitempty"`
	// Chain is the chain of certificates
	Chain []*CertificateResponse `json:"chain,omitempty"`
	// JarmHash is the JARM fingerprint (see Options.Jarm)
	JarmHash string `json:"jarm_hash,omitempty"`
	// Ja3Hash is the ja3 fingerprint hash (see Options.Ja3)
	Ja3Hash string `json:"ja3_hash,omitempty"`
	// ServerName is the SNI used for the connection
	ServerName string `json:"sni,omitempty"`
	// VersionEnum is the list of supported tls versions (see Options.TlsVersionsEnum)
	VersionEnum []string `json:"version_enum,omitempty"`
	// TlsCiphers is the supported ciphers per TLS protocol (see Options.TlsCiphersEnum)
	TlsCiphers []TlsCiphers `json:"cipher_enum,omitempty"`
	// ClientHello is the client hello (only ztls, see Options.ClientHello)
	ClientHello *ztls.ClientHello `json:"client_hello,omitempty"`
	// ServerHello is the server hello (only ztls, see Options.ServerHello).
	// Note the JSON key is "servers_hello", not "server_hello"; it is part of
	// the output format and consumers rely on it.
	ServerHello *ztls.ServerHello `json:"servers_hello,omitempty"`
}
type TlsCiphers ¶
// TlsCiphers is the cipher enumeration result for one TLS protocol version
// (one entry of Response.TlsCiphers).
type TlsCiphers struct {
	Version string      `json:"version,omitempty"`
	Ciphers CipherTypes `json:"ciphers,omitempty"` // omitempty has no effect on a struct value
}