CryptoNark v0.4.1 released
This is the main page for CryptoNark (aka ‘cnark.pl’), my port of sslthing.sh to Perl. Although sslthing.sh may have been written as a hack tool, it became more useful to me as a PCI compliance checker. When an ASV provides a scan report to a merchant, it is not unusual to see low- to mid-level alerts reporting that a web site (or web sites) is exposing SSL2, weak ciphers, null ciphers, and/or anonymous ciphers, and that these vulnerabilities should be remediated as soon as possible.
One of the problems with third-party scanning of your site is that the third-party scanner may charge you additional money for out-of-band re-scans when you want to test whether your remediation activities were successful. A secondary problem is that the ASV is under no obligation to tell you how it determined that a particular vulnerability was present, so it is up to you to figure it out. CryptoNark scans your site and reports back all ciphers that an SSL client can successfully negotiate.
Please understand that this tool is intended to be used only by a web site administrator scanning a site that he or she is directly responsible for supporting. This tool was written because, in an enterprise, validating a configuration change is just as important as providing implementation and backout plans, and waiting for the next quarterly PCI scan was not an option for me. If “you” are the individual or group of individuals who need to remediate secured web sites that allow weak encryption, this tool will help you. NOTE: CryptoNark does not check the validity of the certificate used to encrypt a web site. This is because its primary purpose from an SSL perspective is to check which ciphers are enabled.
Usage
cnark.pl -h|--host <hostname> -p|--port <port>
[ -i|--insecure ] [ -xl|--kitchen-sink ]
Dependencies
cnark was initially written using Perl 5.8.8 but is now maintained on Perl 5.10. Since Perl iterates through hashes in a randomly chosen order and I want the output to keep a consistent sort order, the Perl module Tie::Hash::Indexed is used. In addition to this module, IO::Socket::SSL is required. If you have Perl installed, you probably have the cpan tool installed as well, so if you do an ‘install Tie::Hash::Indexed’ and an ‘install IO::Socket::SSL’, the modules that these two depend on should be installed too. Finally, Term::ANSIColor is used to provide colorized output.
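How the two modules named above fit the scan this page describes, as an added sketch that is not CryptoNark's own code: it offers one cipher at a time to a host you administer and reports the results in the order tested. The candidate cipher list is a constructed sample, and the host and port come from the command line.

```perl
#!/usr/bin/perl
# Added example, not cnark.pl: one handshake per candidate cipher.
use strict;
use warnings;
use IO::Socket::SSL;       # also exports $SSL_ERROR
use Tie::Hash::Indexed;

my ($host, $port) = @ARGV;
die "usage: $0 <host> <port>\n" unless defined $host && defined $port;

# Constructed sample list of OpenSSL cipher names covering the categories
# an ASV report flags: null, anonymous, export-grade and weak ciphers,
# followed by two ordinary ones for comparison.
my @candidates = qw(
    NULL-MD5 NULL-SHA ADH-AES128-SHA EXP-RC4-MD5 DES-CBC-SHA
    RC4-MD5 AES128-SHA AES256-SHA
);

# Insertion-ordered hash, so the report follows @candidates instead of
# Perl's arbitrary hash order.
tie my %result, 'Tie::Hash::Indexed';

for my $cipher (@candidates) {
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        Timeout         => 5,
        SSL_cipher_list => $cipher,          # offer exactly this cipher
        SSL_verify_mode => SSL_VERIFY_NONE,  # measuring ciphers, not the cert
    );
    if ($sock) {
        $result{$cipher} = 'ACCEPTED via ' . $sock->get_sslversion;
        $sock->close;
    } else {
        # Failure covers a server refusal, a network error, and a cipher the
        # local OpenSSL build cannot offer; keep the error text so the three
        # cases can be told apart.
        $result{$cipher} = 'not negotiated: ' . ($SSL_ERROR || $! || 'unknown error');
    }
}

printf "%-18s %s\n", $_, $result{$_} for keys %result;
```

A cipher that the local OpenSSL build no longer supports can never show as accepted, so a clean result from a modern client does not prove the server has that cipher disabled.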
Change Log
v0.4.1: Released on March 28, 2011. This version embraces one of the Modern Perl principles by using what you can find on the CPAN when possible. CryptoNark now utilizes the CPAN module “Mozilla::CA”, which is Mozilla’s CA certificate bundle in PEM format. This allows me to continue to release just a script without worrying about maintaining my own cacerts file. In addition, I’ve added hostname verification support to the script. cnark will now gracefully exit if the hostname on the site does not match the host name requested as a command line argument. Finally, I’ve embedded pod documentation in the script. Typing “perldoc cnark.pl” at the command line will give you a man page! See the 0.4.1 Release Announcement for more information.
Download the current version from the Downloads page.