Documentation
Index ¶
- func FormatToSerialNumber(serialNumber *big.Int) string
- func GetCiphersWithLevel(cipherList []string, SecLevel ...CipherSecLevel) []string
- func GetConn(ctx context.Context, hostname, ip, port string, inputOpts *Options) (net.Conn, error)
- func GetUniqueDomainsFromCert(resp *CertificateResponse) []string
- func IntersectStringSlices(s1 []string, s2 []string) []string
- func IsClientCertRequiredError(err error) bool
- func IsExpired(notAfter time.Time) bool
- func IsMisMatchedCert(host string, alternativeNames []string) bool
- func IsSelfSigned(authorityKeyID, subjectKeyID []byte, SANs []string) bool
- func IsTLSRevoked(options *Options, cert *x509.Certificate) bool
- func IsUntrustedCA(certs []*x509.Certificate) bool
- func IsWildCardCert(names []string) bool
- func IsZTLSRevoked(options *Options, cert *zx509.Certificate) bool
- func IsZTLSUntrustedCA(certs []ztls.SimpleCertificate) bool
- func MD5Fingerprint(data []byte) string
- func ParseASN1DNSequenceWithZpkix(data []byte) string
- func ParseASN1DNSequenceWithZpkixOrDefault(data []byte, defaultValue string) string
- func PemEncode(cert []byte) string
- func SHA1Fingerprint(data []byte) string
- func SHA256Fingerprint(data []byte) string
- type CertificateDistinguishedName
- type CertificateResponse
- type CertificateResponseFingerprintHash
- type CipherSecLevel
- type CipherTypes
- type ConnectOptions
- type EnumMode
- type Implementation
- type Options
- type Response
- type TlsCiphers
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FormatToSerialNumber ¶ added in v1.0.6
FormatToSerialNumber converts a big.Int serial number to an uppercase, colon-separated hex string with two digits per byte (leading zeros are kept, as the "0C" in the example shows). Example: 17034156255497985825694118641198758684 -> 0C:D0:A8:BE:C6:32:CF:E6:45:EC:A0:A9:B0:84:FB:1C
func GetCiphersWithLevel ¶ added in v1.0.6
func GetCiphersWithLevel(cipherList []string, SecLevel ...CipherSecLevel) []string
GetCiphersWithLevel returns the subset of cipherList whose security level (see GetCipherLevel) matches one of the given SecLevel values.
func GetUniqueDomainsFromCert ¶ added in v1.1.6
func GetUniqueDomainsFromCert(resp *CertificateResponse) []string
GetUniqueDomainsFromCert returns unique domains extracted from certificate response
func IntersectStringSlices ¶ added in v1.0.6
IntersectStringSlices returns intersection of two string slices
func IsClientCertRequiredError ¶ added in v1.1.7
IsClientCertRequiredError checks if the error is due to a client certificate being required by the server
func IsMisMatchedCert ¶ added in v0.0.4
IsMisMatchedCert returns true if the certificate names (subject common name plus subject alternative names) do not contain host.
func IsSelfSigned ¶
IsSelfSigned returns true if the certificate appears to be self-signed. Its inputs are the authority key identifier, the subject key identifier and the SANs, so this is a heuristic comparison of identifiers rather than a verification of the certificate's signature against its own public key.
func IsTLSRevoked ¶ added in v0.0.9
func IsTLSRevoked(options *Options, cert *x509.Certificate) bool
IsTLSRevoked returns true if the certificate has been revoked. How parse failures and other errors are reported is governed by Options.HardFail: when it is set, any error causes the certificate to be reported as revoked.
func IsUntrustedCA ¶ added in v1.0.6
func IsUntrustedCA(certs []*x509.Certificate) bool
IsUntrustedCA returns true if the certificate is a self-signed CA
func IsWildCardCert ¶ added in v0.0.6
IsWildCardCert returns true if the certificate is a wildcard certificate
func IsZTLSRevoked ¶ added in v0.0.9
func IsZTLSRevoked(options *Options, cert *zx509.Certificate) bool
IsZTLSRevoked returns true if the certificate has been revoked; as with IsTLSRevoked, the treatment of parse failures and other errors follows Options.HardFail.
func IsZTLSUntrustedCA ¶ added in v1.0.6
func IsZTLSUntrustedCA(certs []ztls.SimpleCertificate) bool
IsZTLSUntrustedCA returns true if the certificate is a self-signed CA
func MD5Fingerprint ¶
MD5Fingerprint creates a fingerprint of data using the MD5 hash algorithm. MD5 is not collision resistant, so the value is suitable for correlating a certificate across datasets but not as a pinning or trust anchor; use SHA256Fingerprint for that.
func ParseASN1DNSequenceWithZpkix ¶ added in v0.0.6
ParseASN1DNSequenceWithZpkix tries to parse the raw ASN.1 of a certificate DN with the zpkix and zasn1 libraries, which expose attributes that the Go standard library does not parse and that may be useful.
If parsing fails, an empty string is returned and the caller should fall back to the standard-library data.
func ParseASN1DNSequenceWithZpkixOrDefault ¶ added in v0.0.6
ParseASN1DNSequenceWithZpkixOrDefault returns the parsed value of the ASN.1 DN sequence, or defaultValue if parsing fails.
func SHA1Fingerprint ¶
SHA1Fingerprint creates a fingerprint of data using the SHA-1 hash algorithm. SHA-1 is no longer collision resistant; treat the value as an identifier for correlation (it is still the conventional thumbprint in many tools) rather than as a pinning or trust anchor, and prefer SHA256Fingerprint where the choice is yours.
func SHA256Fingerprint ¶
SHA256Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.
Types ¶
type CertificateDistinguishedName ¶
// CertificateDistinguishedName holds the attributes of an X.509 distinguished
// name that tlsx reports (presumably for both subject and issuer). A DN may
// carry several values for the same attribute, so every field except
// CommonName is a slice. All fields are omitted from JSON when empty.
type CertificateDistinguishedName struct {
// Country is the C attribute.
Country []string `json:"country,omitempty"`
// Organization is the O attribute.
Organization []string `json:"organization,omitempty"`
// OrganizationalUnit is the OU attribute.
OrganizationalUnit []string `json:"organizational_unit,omitempty"`
// Locality is the L attribute.
Locality []string `json:"locality,omitempty"`
// Province is the ST (state/province) attribute.
Province []string `json:"province,omitempty"`
// StreetAddress is the street address attribute.
StreetAddress []string `json:"street_address,omitempty"`
// CommonName is the CN attribute. It is informational only; hostname
// matching should rely on subject alternative names where present.
CommonName string `json:"common_name,omitempty"`
}
CertificateDistinguishedName is the distinguished name of a certificate (its subject or issuer) broken into attributes.
type CertificateResponse ¶
// CertificateResponse is the per-certificate record tlsx produces for the
// leaf and for each chain element. The boolean flags are the results of the
// Is* helpers in this package; because every field is tagged omitempty, a
// false flag is absent from JSON and consumers must treat absence as false.
type CertificateResponse struct {
// Expired specifies whether the certificate has expired. IsExpired takes
// only the NotAfter time, so a not-yet-valid certificate (NotBefore in the
// future) is presumably not flagged here.
Expired bool `json:"expired,omitempty"`
// SelfSigned is true if the certificate is self-signed, as judged by
// IsSelfSigned (a key-identifier/SAN heuristic, not a signature check).
SelfSigned bool `json:"self_signed,omitempty"`
// MisMatched is true if the certificate names do not contain the probed
// host (see IsMisMatchedCert).
MisMatched bool `json:"mismatched,omitempty"`
// Revoked is true if the certificate is revoked (see IsTLSRevoked /
// IsZTLSRevoked). With Options.HardFail set, any error during the check
// is also reported as revoked.
Revoked bool `json:"revoked,omitempty"`
// Untrusted is true if the certificate is untrusted (see IsUntrustedCA).
Untrusted bool `json:"untrusted,omitempty"`
// NotBefore is the not-before time for certificate
NotBefore time.Time `json:"not_before,omitempty"`
// NotAfter is the not-after time for certificate
NotAfter time.Time `json:"not_after,omitempty"`
// SubjectDN is the distinguished name for cert
SubjectDN string `json:"subject_dn,omitempty"`
// SubjectCN is the common name for cert
SubjectCN string `json:"subject_cn,omitempty"`
// SubjectOrg is the organization for cert subject
SubjectOrg []string `json:"subject_org,omitempty"`
// SubjectAN is a list of Subject Alternative Names for the certificate
SubjectAN []string `json:"subject_an,omitempty"`
// Domains is list of deduplicated subject_cn + subject_an
Domains []string `json:"domains,omitempty"`
// Serial is the certificate serial number, formatted as colon-separated
// hex (see FormatToSerialNumber).
Serial string `json:"serial,omitempty"`
// IssuerDN is the distinguished name for the cert issuer
IssuerDN string `json:"issuer_dn,omitempty"`
// IssuerCN is the common name for the cert issuer
IssuerCN string `json:"issuer_cn,omitempty"`
// IssuerOrg is the organization for cert issuer
IssuerOrg []string `json:"issuer_org,omitempty"`
// Emails is a list of Emails for the certificate
Emails []string `json:"emails,omitempty"`
// FingerprintHash is the hashes for certificate. Only the SHA256 value is
// suitable for pinning or trust decisions; MD5 and SHA1 are for
// correlation with other tooling.
FingerprintHash CertificateResponseFingerprintHash `json:"fingerprint_hash,omitempty"`
// Certificate is the raw certificate in PEM format (see PemEncode);
// populated only when the caller asks for it.
Certificate string `json:"certificate,omitempty"`
// WildCardCert is true if tls certificate is a wildcard certificate
WildCardCert bool `json:"wildcard_certificate,omitempty"`
}
CertificateResponse is the response for a certificate
func Convertx509toResponse ¶ added in v1.0.3
func Convertx509toResponse(options *Options, hostname string, cert *x509.Certificate, showcert bool) *CertificateResponse
type CertificateResponseFingerprintHash ¶
// CertificateResponseFingerprintHash carries the hashes of a certificate.
// MD5 and SHA-1 are retained for compatibility with tools that still key on
// them; neither is collision resistant, so only SHA256 should be used as a
// pinning or trust identifier.
type CertificateResponseFingerprintHash struct {
// MD5 is the md5 hash for certificate (see MD5Fingerprint)
MD5 string `json:"md5,omitempty"`
// SHA1 is the sha1 hash for certificate (see SHA1Fingerprint)
SHA1 string `json:"sha1,omitempty"`
// SHA256 is the sha256 hash for certificate (see SHA256Fingerprint)
SHA256 string `json:"sha256,omitempty"`
}
CertificateResponseFingerprintHash holds the MD5, SHA-1 and SHA-256 fingerprints of a certificate.
type CipherSecLevel ¶ added in v1.0.6
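// CipherSecLevel classifies a cipher suite by the security level tlsx
// assigns to it; it is used to filter enumeration results
// (see GetCipherLevel and GetCiphersWithLevel).
type CipherSecLevel uint

// Security levels, in declaration order. All is the zero value and the
// default; Unknown marks a cipher name tlsx has no classification for.
const (
	All CipherSecLevel = iota // Default
	Weak
	Insecure
	Secure
	Unknown
)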
func GetCipherLevel ¶ added in v1.0.6
func GetCipherLevel(cipherName string) CipherSecLevel
GetCipherLevel returns security level of given cipher
type CipherTypes ¶ added in v1.0.6
// CipherTypes groups cipher suite names by the security level tlsx assigns
// them (see IdentifyCiphers). Buckets are omitted from JSON when empty.
type CipherTypes struct {
// Weak holds ciphers classified as weak.
Weak []string `json:"weak,omitempty"`
// Insecure holds ciphers classified as insecure.
Insecure []string `json:"insecure,omitempty"`
// Secure holds ciphers classified as secure.
Secure []string `json:"secure,omitempty"`
Unknown []string `json:"unknown,omitempty"` // cipher name not known to tlsx; treat as unclassified, not as safe
}
func IdentifyCiphers ¶ added in v1.0.6
func IdentifyCiphers(cipherList []string) CipherTypes
IdentifyCiphers identifies type of ciphers from given cipherList
func (*CipherTypes) ColorCode ¶ added in v1.0.6
func (c *CipherTypes) ColorCode(a aurora.Aurora) CipherTypes
ColorCode returns a clone of CipherTypes with Colored Strings
type ConnectOptions ¶ added in v0.0.4
// ConnectOptions carries the per-connection parameters handed to an
// Implementation: which name to send, which protocol version and cipher
// suites to offer, and the enumeration mode.
type ConnectOptions struct {
// SNI is the server name sent in the ClientHello.
SNI string
// VersionTLS is the TLS version to use for this connection.
VersionTLS string
// Ciphers is the list of cipher suites to offer.
Ciphers []string
CipherLevel []CipherSecLevel // Only used in cipher enum mode
EnumMode EnumMode // Enumeration Mode (version or ciphers)
}
type Implementation ¶
// Implementation is the interface implemented by each TLSX backend. The
// connection methods take the target as separate hostname, ip and port
// strings; the Supported* methods take no target, so they describe what
// the implementation itself can speak rather than what a remote host offers.
type Implementation interface {
// ConnectWithOptions connects to a host and grabs the response data.
ConnectWithOptions(hostname, ip, port string, options ConnectOptions) (*Response, error)
// EnumerateCiphers returns the cipher suites the target accepted when
// probed with options (presumably for options.VersionTLS, filtered by
// options.CipherLevel — confirm against the backends).
EnumerateCiphers(hostname, ip, port string, options ConnectOptions) ([]string, error)
// SupportedTLSVersions returns the list of supported tls versions
SupportedTLSVersions() ([]string, error)
// SupportedTLSCiphers returns the list of supported tls ciphers
SupportedTLSCiphers() ([]string, error)
}
Implementation is an interface implemented by TLSX client
type Options ¶
// Options contains the configuration for a tlsx client. Most fields mirror
// CLI flags and only control output; the ones that change what a probe
// accepts or sends (VerifyServerCertificate, MinVersion/MaxVersion, Ciphers,
// CACertificate, HardFail, Proxy) are the security-relevant ones.
type Options struct {
// OutputFile is the file to write output to
OutputFile string
// Inputs is a list of inputs to process
Inputs goflags.StringSlice
// InputList is the list of inputs to process
InputList string
// ServerName is the optional server-name for tls connection
ServerName goflags.StringSlice
// RandomForEmptyServerName sends a random SNI when none is configured
RandomForEmptyServerName bool
// ReversePtrSNI performs a reverse PTR query to obtain SNI from IP
ReversePtrSNI bool
// Verbose enables display of verbose output
Verbose bool
// Version shows the version of the program
Version bool
// JSON enables display of JSON output
JSON bool
// DisplayDns enables display of unique hostnames from the SSL certificate response
DisplayDns bool
// TLSChain enables printing TLS chain information to output
TLSChain bool
// Deprecated: AllCiphers exists for historical compatibility and should not be used
AllCiphers bool
// ProbeStatus enables writing of errors with json output
ProbeStatus bool
// CertsOnly enables early SSL termination using ztls flag
CertsOnly bool
// RespOnly displays TLS responses only in CLI output
RespOnly bool
// Silent enables silent output display
Silent bool
// NoColor disables coloring of CLI output
NoColor bool
// Retries is the number of times to retry TLS connection
Retries int
// Timeout is the number of seconds to wait for connection
Timeout int
// Concurrency is the number of concurrent threads to process
Concurrency int
// Delay is the duration to wait between requests in each thread
// (a string, presumably parsed as a time.Duration)
Delay string
// Ports is the list of ports to make requests to
Ports goflags.StringSlice
// Ciphers is a list of custom ciphers to use for connection
Ciphers goflags.StringSlice
// CACertificate is the CA certificate for connection (appears to be a
// file path — confirm against the flag parser)
CACertificate string
// MinVersion is the minimum tls version that is acceptable
MinVersion string
// MaxVersion is the maximum tls version that is acceptable
MaxVersion string
// Resolvers contains custom resolvers for the tlsx client
Resolvers goflags.StringSlice
// ScanMode selects which TLS implementation performs the connection
// ("auto" picks one; see Response.TLSConnection)
ScanMode string
// VerifyServerCertificate enables verification of server certificates.
// It is opt-in: when unset the probe presumably accepts whatever
// certificate the server presents (this is a scanner, not a client), so
// captured data describes what was observed, not what was trusted.
VerifyServerCertificate bool
// OpenSSLBinary is the path to the OpenSSL binary used by the openssl scan mode
OpenSSLBinary string
// SAN displays Subject Alternative Names
SAN bool
// CN displays Subject Common Name
CN bool
// SO displays Subject Organization Name
SO bool
// TLSVersion displays used TLS version
TLSVersion bool
// Cipher displays used cipher
Cipher bool
// Expired displays validity of TLS certificate
Expired bool
// SelfSigned displays if cert is self-signed
SelfSigned bool
// Untrusted displays if cert is untrusted
Untrusted bool
// MisMatched displays if the cert is mismatched
MisMatched bool
// Revoked displays if the cert is revoked
Revoked bool
// HardFail defines Revoke status when there are parse failures or other errors
// If HardFail is true then on any error certificate is considered as revoked
// (fail closed); when false such errors do not mark the certificate revoked,
// so a "not revoked" result may simply mean the check could not be completed.
HardFail bool
// Hash is the hash to display for certificate
Hash string
// Jarm calculate jarm fingerprinting with multiple probes
Jarm bool
// Cert displays certificate in pem format
Cert bool
// Ja3 displays ja3 fingerprint hash
Ja3 bool
// Ja3s displays ja3s fingerprint hash
Ja3s bool
// ScanAllIPs scans every IP the target resolves to
ScanAllIPs bool
// IPVersion is the IP version(s) to use for scanning
IPVersion goflags.StringSlice
// WildcardCertCheck enables wildcard certificate check
WildcardCertCheck bool
// TlsVersionsEnum enumerates supported tls versions
TlsVersionsEnum bool
// TlsCiphersEnum enumerates supported ciphers per TLS protocol
TlsCiphersEnum bool
// TLsCipherLevel is the list of cipher security levels to enumerate
// (the casing of the field name is a historical quirk of the exported API)
TLsCipherLevel []string
// ClientHello include client hello (only ztls)
ClientHello bool
// ServerHello include server hello (only ztls)
ServerHello bool
// HealthCheck performs a capabilities healthcheck
HealthCheck bool
// DisableUpdateCheck disables checking update
DisableUpdateCheck bool
// CipherConcurrency is the number of concurrent cipher probes
CipherConcurrency int
// Fastdialer is a fastdialer dialer instance
Fastdialer *fastdialer.Dialer
// Serial displays the certificate serial number
Serial bool
// Proxy is the proxy to use for tlsx (the proxy sees every probe target)
Proxy string
// CTLogs enables certificate transparency logs streaming mode
CTLogs bool
// CTLBeginning when true starts CT logs streaming from index 0
CTLBeginning bool
// CTLIndex allows specifying custom start index per log in the form <logURL>=<index>
CTLIndex goflags.StringSlice
// PDCP related options
// Dashboard enables PDCP dashboard upload
Dashboard bool
// DashboardUpload specifies a file to upload to PDCP dashboard
DashboardUpload string
// PDCPAPIKey is the API key for PDCP authentication. It is a secret:
// keep it out of logs, verbose output and serialized options.
PDCPAPIKey string
// PDCPTeamID is the team ID for PDCP uploads
PDCPTeamID string
// PDCPAssetID is the asset ID for PDCP uploads
PDCPAssetID string
// PDCPAssetName is the asset name for PDCP uploads
PDCPAssetName string
}
Options contains configuration options for tlsx client
type Response ¶
// Response is the record emitted for one TLS grab event: connection
// metadata, the leaf certificate (flattened into the same JSON object),
// the optional chain, fingerprints and enumeration results. Fields tagged
// omitempty are absent from JSON when zero, so consumers must treat a
// missing boolean as false and a missing slice as empty.
type Response struct {
// Timestamp is the timestamp for certificate response
Timestamp *time.Time `json:"timestamp,omitempty"`
// Host is the host to make request to
Host string `json:"host"`
// IP is the IP address the request was made to
IP string `json:"ip,omitempty"`
// Port is the port to make request to
Port string `json:"port"`
// ProbeStatus is false if the tls probe failed. It carries no omitempty,
// so it is always present in JSON output.
ProbeStatus bool `json:"probe_status"`
// Error is the optional error for tls request included
// with errors_json flag (Options.ProbeStatus).
Error string `json:"error,omitempty"`
// Version is the tls version responded by the server
Version string `json:"tls_version,omitempty"`
// Cipher is the cipher for the tls request
Cipher string `json:"cipher,omitempty"`
// CertificateResponse is the leaf certificate embedded in json.
// NOTE: encoding/json has no "inline" option; the tag is ignored and the
// fields are promoted only because the pointer is embedded without a
// name. Keep it that way or the JSON layout changes.
*CertificateResponse `json:",inline"`
// TLSConnection is the client used for TLS connection
// when ran using scan-mode auto.
TLSConnection string `json:"tls_connection,omitempty"`
// Chain is the chain of certificates as presented by the server (its
// order and completeness are the server's, not a validated path)
Chain []*CertificateResponse `json:"chain,omitempty"`
// JarmHash is the JARM fingerprint of the server
JarmHash string `json:"jarm_hash,omitempty"`
// Ja3Hash is the JA3 fingerprint of the client hello
Ja3Hash string `json:"ja3_hash,omitempty"`
// Ja3sHash is the JA3S fingerprint of the server hello
Ja3sHash string `json:"ja3s_hash,omitempty"`
// ServerName is the SNI that was sent
ServerName string `json:"sni,omitempty"`
// VersionEnum lists the TLS versions found in version enumeration mode
VersionEnum []string `json:"version_enum,omitempty"`
// TlsCiphers lists the ciphers found per TLS version in cipher enumeration mode
TlsCiphers []TlsCiphers `json:"cipher_enum,omitempty"`
// ClientHello is the parsed client hello (ztls only)
ClientHello *ztls.ClientHello `json:"client_hello,omitempty"`
// ServerHello is the parsed server hello (ztls only). NOTE(review): the
// JSON key is "servers_hello", not "server_hello"; consumers must match
// the literal tag, and renaming it would break existing output.
ServerHello *ztls.ServerHello `json:"servers_hello,omitempty"`
// ClientCertRequired is set when the server demanded a client
// certificate (see IsClientCertRequiredError); nil means not determined.
ClientCertRequired *bool `json:"client_cert_required,omitempty"`
// CTLogSource is the Certificate Transparency log source for CT logs mode
CTLogSource string `json:"ctl_source,omitempty"`
// CTLogIndex is the index/offset of this entry in the CT log
CTLogIndex uint64 `json:"ctl_index,omitempty"`
// CTLogTreeSize is the total number of entries in the CT log (head)
CTLogTreeSize uint64 `json:"ctl_tree_size,omitempty"`
// CTLogLag is the number of pending entries (TreeSize - Index)
CTLogLag uint64 `json:"ctl_lag,omitempty"`
}
Response is the response returned for a TLS grab event
type TlsCiphers ¶ added in v0.0.6
// TlsCiphers is one entry of the cipher enumeration result: the cipher
// suites accepted for a single TLS version, bucketed by security level.
type TlsCiphers struct {
// Version is the TLS version these ciphers were enumerated for.
Version string `json:"version,omitempty"`
// Ciphers holds the accepted cipher suites grouped by level.
Ciphers CipherTypes `json:"ciphers,omitempty"`
}