scan

package

Constants

This section is empty.

Variables

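var (
	// Network is the default network to use for dials ("tcp" covers both
	// IPv4 and IPv6).
	Network = "tcp"
	// Dialer is the default dialer to use, with a 1s connect timeout.
	// That timeout bounds only connection establishment; the TLS handshake
	// and any later reads/writes are bounded separately (see Client).
	Dialer = &net.Dialer{Timeout: time.Second}
	// Client is the default HTTP Client.
	//
	// The transport is built from scratch rather than cloned from
	// http.DefaultTransport, so it has no Proxy (HTTP_PROXY/HTTPS_PROXY are
	// ignored and requests go direct to the scanned host). Because the
	// scanner talks to arbitrary, possibly hostile hosts, each phase of a
	// request is bounded: the dial by Dialer, the TLS handshake and the wait
	// for response headers by the transport timeouts below (10s matches
	// http.DefaultTransport's handshake timeout). Reading a response body is
	// still unbounded; callers that read bodies should use a context or set
	// Client.Timeout. DialContext replaces the deprecated Transport.Dial.
	Client = &http.Client{Transport: &http.Transport{
		DialContext:           Dialer.DialContext,
		TLSHandshakeTimeout:   10 * time.Second,
		ResponseHeaderTimeout: 10 * time.Second,
	}}
	// RootCAs defines the default root certificate authorities to be used for
	// scan. It starts nil, i.e. no custom roots loaded (LoadRootCAs fills it).
	// NOTE(review): presumably handed to tls.Config.RootCAs, where nil selects
	// the system roots — confirm in the scanners. This is shared mutable
	// package state: set it before scans start, not concurrently with them.
	RootCAs *x509.CertPool
)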
// Broad contains scanners for large swaths of TLS hosts on the internet.
// Unlike the other families these walk whole address ranges rather than a
// single host, so they are noisy; only point them at ranges you are
// authorized to scan.
var Broad = &Family{
	Description: "Large scale scans of TLS hosts",
	Scanners: map[string]*Scanner{
		// Positional Scanner literal: description, then the scan function.
		"IntermediateCAs": &Scanner{"Scans a CIDR IP range for unknown Intermediate CAs", intermediateCAScan},
	},
}

Broad contains scanners for large swaths of TLS hosts on the internet.

// Connectivity contains scanners testing basic connectivity to the host:
// name resolution, a plain TCP connect, a TLS handshake, and whether the host
// sits behind CloudFlare. Each entry is a positional Scanner literal of
// description followed by the scan function.
var Connectivity = &Family{
	Description: "Scans for basic connectivity with the host through DNS and TCP/TLS dials",
	Scanners: map[string]*Scanner{
		"TLSDial":          &Scanner{"Host can perform TLS handshake", tlsDialScan},
		"TCPDial":          &Scanner{"Host accepts TCP connection", tcpDialScan},
		"CloudFlareStatus": &Scanner{"Host is on CloudFlare", onCloudFlareScan},
		"DNSLookup":        &Scanner{"Host can be resolved through DNS", dnsLookupScan},
	},
}

Connectivity contains scanners testing basic connectivity to the host

// Default contains each scan Family that is defined, keyed by family name
// (presumably what RunScans' family pattern is matched against).
var Default = FamilySet{
	"Broad":        Broad,
	"Connectivity": Connectivity,
	"PKI":          PKI,
	"TLSHandshake": TLSHandshake,
	"TLSSession":   TLSSession,
}

Default contains each scan Family that is defined

// PKI contains scanners for the Public Key Infrastructure: chain expiry
// (with a 30-day look-ahead, per the description), chain validity, and
// whether every IP of the host presents the same chain. Each entry is a
// positional Scanner literal of description followed by the scan function.
var PKI = &Family{
	Description: "Scans for the Public Key Infrastructure",
	Scanners: map[string]*Scanner{
		"MultipleCerts":   &Scanner{"Host serves same certificate chain across all IPs", multipleCerts},
		"ChainValidation": &Scanner{"All certificates in host's chain are valid", chainValidation},
		"ChainExpiration": &Scanner{"Host's chain hasn't expired and won't expire in the next 30 days", chainExpiration},
	},
}

PKI contains scanners for the Public Key Infrastructure.

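// TLSHandshake contains scanners testing host cipher suite negotiation and
// the certificate the host selects for a given client offer. Each entry is a
// positional Scanner literal: description, then the scan function. The
// descriptions are emitted as JSON (Scanner.Description), so they are
// user-facing text; "prefered" is corrected to "preferred" here.
var TLSHandshake = &Family{
	Description: "Scans for host's SSL/TLS version and cipher suite negotiation",
	Scanners: map[string]*Scanner{
		"CipherSuite": {
			"Determines host's cipher suites accepted and preferred order",
			cipherSuiteScan,
		},
		"SigAlgs": {
			"Determines host's accepted signature and hash algorithms",
			sigAlgsScan,
		},
		"CertsBySigAlgs": {
			"Determines host's certificate signature algorithm matching client's accepted signature and hash algorithms",
			certSigAlgsScan,
		},
		"CertsByCiphers": {
			"Determines host's certificate signature algorithm matching client's accepted ciphers",
			certSigAlgsScanByCipher,
		},
	},
}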

TLSHandshake contains scanners testing host cipher suite negotiation

// TLSSession contains tests of host TLS Session Resumption via Session
// Tickets and Session IDs. The single scanner checks resumption across all
// of the host's addresses, which (presumably) requires the backends to share
// ticket keys or session state. Positional Scanner literal: description, then
// the scan function.
var TLSSession = &Family{
	Description: "Scans host's implementation of TLS session resumption using session tickets/session IDs",
	Scanners: map[string]*Scanner{
		"SessionResume": &Scanner{"Host is able to resume sessions across all addresses", sessionResumeScan},
	},
}

TLSSession contains tests of host TLS Session Resumption via Session Tickets and Session IDs

Functions

func LoadRootCAs

func LoadRootCAs(caBundleFile string) (err error)

LoadRootCAs loads the default root certificate authorities from the CA bundle file caBundleFile so that they are used as RootCAs. RootCAs is shared, mutable package state, so call LoadRootCAs before starting scans rather than concurrently with them.

Types

type Family

type Family struct {
	// Description gives a short description of the scans performed on the host.
	Description string `json:"description"`
	// Scanners maps a scanner name to the Scanner to run.
	// NOTE(review): a map carries no iteration order, and RunScans is documented
	// as running matching scanners concurrently, so nothing here should rely on
	// one scanner having run before another — confirm the intended semantics.
	Scanners map[string]*Scanner `json:"scanners"`
}

Family defines a set of related scans meant to be run together. Note that Scanners is a map and so carries no ordering, and RunScans runs the matching scanners concurrently; do not rely on one scanner in a Family having completed before another.

type FamilyResult

// FamilyResult contains a scan response for a single Family, keyed by scanner name.
type FamilyResult map[string]ScannerResult

FamilyResult contains a scan response for a single Family

type FamilySet

// FamilySet contains a set of Families to run Scans from, keyed by family name.
type FamilySet map[string]*Family

FamilySet contains a set of Families to run Scans from.

func (FamilySet) RunScans

func (fs FamilySet) RunScans(host, ip, family, scanner string, timeout time.Duration) (map[string]FamilyResult, error)

RunScans iterates over the families in fs, running each scan whose family and scanner names match the family and scanner regular expressions, concurrently, against host/ip with the given timeout. The result is keyed by family name, then by scanner name.

type Grade

// Grade gives a subjective rating of the host's success in a scan; see the
// Bad/Warning/Good/Skipped constants and String for the rendered name.
type Grade int

Grade gives a subjective rating of the host's success in a scan.

// The grades, in ascending order of merit (Skipped is not a verdict at all).
const (
	// Bad describes a host with serious misconfiguration or vulnerability.
	Bad Grade = 0
	// Warning describes a host with non-ideal configuration that maintains
	// support for "Warning clients" (so the original; presumably meaning
	// legacy clients — confirm).
	Warning Grade = 1
	// Good describes a host performing at the expected state of the art.
	Good Grade = 2
	// Skipped describes the "grade" of a scan that has been skipped.
	Skipped Grade = 3
)

func (Grade) String

func (g Grade) String() string

String gives the name of the Grade as a string.

type Output

// Output is the result of a scan, to be stored for potential use by later
// Scanners. It is untyped, so consumers must type-assert it to the concrete
// type the producing scanner emits.
type Output interface{}

Output is the result of a scan, to be stored for potential use by later Scanners.

type Result

type Result struct {
	// Family and Scanner name the Family and Scanner that produced this result.
	// They carry no json tags, so they are encoded as "Family" and "Scanner".
	Family, Scanner string
	// ScannerResult is embedded, so its Grade, Output and Error fields (and
	// their json tags) are promoted onto Result.
	ScannerResult
}

A Result contains a ScannerResult along with its scanner and family names.

type Scanner

// Scanner describes a type of scan to perform on a host. The Family variables
// construct it positionally: description first, then the (unexported) scan
// function.
type Scanner struct {
	// Description describes the nature of the scan to be performed.
	Description string `json:"description"`
	// contains filtered or unexported fields
}

Scanner describes a type of scan to perform on a host.

func (*Scanner) Scan

func (s *Scanner) Scan(addr, hostname string) (Grade, Output, error)

Scan runs this scanner against addr for hostname, returning (and storing) the resulting Grade and Output along with any error.

type ScannerResult

type ScannerResult struct {
	// Grade is the scan's grade as a string (presumably Grade.String(), e.g.
	// "Good") rather than the integer, so the JSON is self-describing.
	Grade  string `json:"grade"`
	// Output is the scanner's result, if any; a nil interface is omitted from
	// the JSON.
	Output Output `json:"output,omitempty"`
	// Error holds the error message when the scan failed; omitted when empty.
	// NOTE(review): likely carries raw dial/TLS error text derived from the
	// scanned host — treat as untrusted when rendering it.
	Error  string `json:"error,omitempty"`
}

ScannerResult contains the result for a single scan.
