vFeed


Tools no image

Published on May 11th, 2011 | by NJ Ouchn

0

CryptoNark v0.4.5 released

This is the main page for CryptoNark (aka ‘cnark.pl’), my port of sslthing.sh to Perl.  Although sslthing.sh may have been written as a hack tool, it had become useful for me more as a PCI Compliance checker.  All too often, when an ASV provides a scan report to a merchant, it is not unusual to see low- to mid-level alerts show up in the scan that a web site (or web sites) is exposing SSL2, weak ciphers, null ciphers, and/or anonymous ciphers and remediation of these vulnerabilities should be mitigated as soon as possible.

One of the problems with third-party scanning of your site is that the third-party scanner may charge you additional money to perform out-of-band re-scans in order for you to test to see if your remediation activities were successful.  A secondary problem is that the ASV is under no obligation to tell you how they determined that a particular vulnerability was discovered so it is up to you to figure it out.  CryptoNark scans your site and reports back all ciphers that an ssl client can successfully negotiate.

Please understand that the purpose of this tool is only intended to be used by a web site administrator scanning a site that he or she is directly responsible for supporting.  This tool was written because in an enterprise, validating a configuration change is just as important as providing implementation and backout plans and waiting for the next quarterly PCI scan was not an option for me.  If “you” are the individual or group of individuals who need to remediate secured web sites that allow weak encryption, this tool will help you.  NOTE:  CryptoNark does not check the validity of the certificate used to encrypt a web site–this is because it’s primary purpose from an SSL perspective is to check to see what ciphers are enabled.

Usage

cnark.pl  -h|–host <hostname> -p|–port <port>

[ -i|–insecure ] [ -xl| –kitchen-sink ]

Dependencies

cnark was initially written using Perl 5.8.8 but is now maintained on Perl 5.10.  Since Perl iterates through hashes in a randomly chosen order and because I want to maintain the sort order consistency for output purposes, the Perl module Tie::Hash::Indexed was used.  In addition to this module, IO::Socket::SSL is required as well.  If you have Perl installed, you probably have the cpan tool installed as well so if you do an ‘install Tie::Hash::Indexed’ and an ‘install IO::Socket::SSL’, the modules that these two depend on should be installed as well.  Finally, Term::ANSIColor is used to provide colorized output.

Change Log

  • Added HTTP PropFind Test, which is executed if the -xl option is specified.
  • Add supporting module: XML::LibXML
  • Disabled redirection on the unsafe URL checks. This was creating some false positives.

Download the current version from the Downloads page.

Tags: , , , ,


About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"



Back to Top ↑