Scans over https, the available SSL/ TLS ciphers available for a given host.

tlswalk.sh

#!/usr/bin/env bash

set -o noclobber  # Avoid overlay files (echo "hi" > foo)
set -o errexit    # Used to exit upon error, avoiding cascading errors
# set -o nounset    # Exposes unset variables

#Setting up some colors for helping read the demo output
red=$(tput setaf 1)
green=$(tput setaf 2)
yellow=$(tput setaf 3)
blue=$(tput setaf 4)
cyan=$(tput setaf 6)
reset=$(tput sgr0)

# set -euo pipefail
#
# IFS=$'\n\t'
set -o errtrace
traperr() {
    echo "ERROR: ${BASH_SOURCE[1]} at about ${BASH_LINENO[0]}"
}

trap traperr ERR

DELAY=1
configuredClient=""
currentVersion="1.0"

commandExists() {
	command -v "$@" > /dev/null 2>&1
}

checkOpenSSL()
{
  if  ! commandExists openssl; then
    echo "Error: To use this tool openssl must be installed" >&2
    return 1
  else
    return 0
  fi
}

## This function determines which http get tool the system has installed and returns an error if there isnt one
getConfiguredClient()
{
  if commandExists curl; then
    configuredClient="curl"
  elif commandExists wget; then
    configuredClient="wget"
  elif ccommandExists http; then
    configuredClient="httpie"
  elif commandExists fetch; then
    configuredClient="fetch"
  else
    echo "Error: This tool reqires either curl, wget, httpie or fetch to be installed." >&2
    return 1
  fi
}

## Allows to call the users configured client without if statements everywhere
httpGet()
{
  case "$configuredClient" in
    curl)  curl -A curl -s "$@" ;;
    wget)  wget -qO- "$@" ;;
    httpie) http -b GET "$@" ;;
    fetch) fetch -q "$@" ;;
  esac
}

usage()
{
  cat <<EOF

${green}TLSWalk${reset} v$currentVersion
Scans over https, the available SSL/ TLS ciphers available for a given host.

${yellow}Usage:${reset} tlswalk [flag] or tlswalk [optionalDFlag] [FQDN]

  -h | --help		Show the help
  -v | --version 	Get the tool version
  -d | --delay 		Set the delay between requests sent to the site (default is 1 sec)
  -t | --help 		Set the target hostname/ FQDN

Examples:
  tlswalk -t github.com
  tlswalk -d 0.5 -t github.com

EOF
}

checkHostAvailability()
{
  httpGet $1 > /dev/null 2>&1 || { echo "Error: The host $HOST seems to be unreachable\nor there is no active internet connection" >&2; return 1; }
}

checkCiphers()
{
  ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g') # grab all ciphers
  SERVER=$1:443 # setup the connection server
  for cipher in ${ciphers[*]}; do # for all possible ciphers
    result=$(echo | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
    if [[ "$result" =~ ":error:" ]]; then
      if [[ -z $2 ]]; then
        error=$(echo -n $result | cut -d':' -f6)
        echo -e "$cipher - ${yellow}NO${reset} ($error)"  | column -t -c 3
      fi
    else
      if [[ "$result" =~ "Cipher is $cipher" || "$result" =~ "Cipher    :" ]]; then
        echo -e "$cipher - ${green}YES${reset}"  | column -t -c 3
      else
        if [[ -z $2 ]]; then
          echo  -e "$cipher - UNKNOWN RESPONSE - $result"  | column -t -c 3
        fi
      fi
    fi
    sleep $DELAY # sleep as to not overload the requests to the server
  done
}

checkOpenSSL || exit 1
getConfiguredClient || exit 1


if [[ $# == "0" ]]; then
  usage
  exit 1
# elif [[ $1 == "update" ]]; then
#   checkHostAvailability $1 || exit 1
#   update
#   exit 0
elif [[ $1 == "help" ]]; then
  usage
  exit 0
fi

# HOST=""

while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do
  opt="$1"
  shift;
  case $opt in
  -V | --version )
    echo "${green}TLSWalk${reset} v$currentVersion"
    exit 0
    ;;
  -h | --help )
    usage
    exit 0
    ;;
  -d | --delay )
    DELAY=$1
    shift;
    ;;
  -t | --target )
    HOST=$1
    shift;
    ;;
  esac
done
# if [[ "$1" == '--' ]]; then shift; fi

echo -e "\nScanning ${green}$HOST${reset}\n"

checkHostAvailability $HOST || exit 1
checkCiphers $HOST || exit 1