CryptoNark

This is the main page for CryptoNark (aka 'cnark.pl'), my port of sslthing.sh to Perl.  Although sslthing.sh may have been written as a hack tool, it became more useful to me as a PCI compliance checker.  All too often, when an ASV provides a scan report to a merchant, the report contains low- to mid-level alerts that a web site (or web sites) exposes SSLv2, weak ciphers, null ciphers, and/or anonymous ciphers, and that these findings should be remediated as soon as possible.

One of the problems with third-party scanning of your site is that the scanner may charge you additional money to perform out-of-band re-scans so that you can test whether your remediation was successful.  A secondary problem is that the ASV is under no obligation to tell you how a particular vulnerability was detected, so it is up to you to figure it out.  CryptoNark scans your site and reports back every cipher that an SSL client can successfully negotiate with it.

This tool is intended only for web site administrators scanning sites they are directly responsible for supporting.  It was written because in an enterprise, validating a configuration change is just as important as providing implementation and backout plans, and waiting for the next quarterly PCI scan was not an option for me.  If "you" are the individual or group who needs to remediate secured web sites that allow weak encryption, this tool will help you.

Please let me know of any issues by sending me a mail at techstacks [at] gmail [dot] com or via twitter @techstacks.

Download

Download the current version from the Downloads page.

Usage

    cnark.pl -h|--host <hostname> -p|--port <port> [ -i|--insecure ]

Dependencies

cnark was initially written using Perl 5.8.8 but is now maintained on Perl 5.10; it probably will not work without major modification on Perl 5.8 because it uses many features only available in Perl 5.10 and later.  Since Perl iterates through hashes in an unspecified order and I want consistent sort order in the output, the Perl module Tie::Hash::Indexed is used.  IO::Socket::SSL is required as well.  If you have Perl installed, you probably have the cpan tool installed too, so 'install Tie::Hash::Indexed' and 'install IO::Socket::SSL' from the cpan shell should pull in everything these two modules depend on (IO::Socket::SSL in turn requires Net::SSLeay and a working OpenSSL).  Certificate validation is performed against the CA bundle provided by the Mozilla::CA module.  Finally, Term::ANSIColor is used to provide colorized output.

Note on Mozilla::CA usage: If you experience validation errors and you are certain that the certificate should be valid, try updating your installed version of Mozilla::CA. You could be using an older version that does not yet include the root certificate needed to validate the chain. Note that the Mozilla bundle contains roots only; if the server does not send its intermediate certificate, that is a server-side chain configuration problem and updating Mozilla::CA will not fix it.
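The script below is an added example written for this page, not code from cnark.pl, showing the technique the description above relies on: one handshake per protocol/cipher pair through IO::Socket::SSL, chain and hostname verification against the Mozilla::CA bundle unless an --insecure style switch is given, and red/green grading of whatever the server accepts. Everything beyond the module names is this example's own assumption: the option names echo the Usage section, the candidate cipher names come from an `openssl ciphers` binary on PATH, and the public key size is read with Net::SSLeay::EVP_PKEY_bits, which I am assuming the installed Net::SSLeay provides.

```perl
#!/usr/bin/env perl
# Illustrative scanner written for this page; not cnark.pl.  Assumes Perl >= 5.10,
# IO::Socket::SSL, Net::SSLeay, Mozilla::CA, Term::ANSIColor, and an `openssl`
# binary on PATH (used only to list candidate cipher names).
use strict;
use warnings;
use Getopt::Long;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);
use Net::SSLeay;
use Mozilla::CA;
use Term::ANSIColor qw(colored);

my ($host, $port, $insecure) = (undef, 443, 0);
GetOptions('host|h=s' => \$host, 'port|p=i' => \$port, 'insecure|i' => \$insecure);
die "usage: $0 -h|--host <hostname> [-p|--port <port>] [-i|--insecure]\n"
    unless defined $host;

# Same split as the --insecure switch described on this page: verify the chain
# against the Mozilla bundle and the hostname against CN/SAN by default; with -i
# skip both (needed when scanning by IP, a self-signed cert, or a name that is
# not on the certificate).
my %verify = $insecure
    ? (SSL_verify_mode => SSL_VERIFY_NONE, SSL_verifycn_scheme => 'none')
    : (SSL_verify_mode     => SSL_VERIFY_PEER,
       SSL_ca_file         => Mozilla::CA::SSL_ca_file(),
       SSL_verifycn_scheme => 'http',
       SSL_verifycn_name   => $host);

# Grade a negotiated OpenSSL cipher name by the rules in the change log:
# null, anonymous, export/single-DES/RC4 and MD5 suites are red, the rest green.
sub grade_cipher {
    my ($name) = @_;
    return 'red' if $name =~ /NULL/;                       # no encryption
    return 'red' if $name =~ /^(?:ADH|AECDH)-/;            # no server authentication
    return 'red' if $name =~ /^EXP|DES-CBC-SHA|RC4|MD5/;   # weak (DES-CBC3, i.e. 3DES, is not matched)
    return 'green';
}

# One handshake for one protocol/cipher pair.  Nothing is sent after the
# handshake, so sites behind HTTP authentication scan just as well.  Any
# failure, including a cipher or protocol the local OpenSSL no longer builds,
# counts as "not negotiable".
sub try_handshake {
    my ($proto, $cipher) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_version     => $proto,
        SSL_cipher_list => $cipher,
        Timeout         => 5,
        %verify,
    ) or return;
    my @result = ($sock->get_sslversion, $sock->get_cipher);
    $sock->close(SSL_ctx_free => 1);
    return @result;
}

# One verified handshake up front so a certificate problem is reported once
# rather than silently failing every cipher below.
my $probe = IO::Socket::SSL->new(PeerHost => $host, PeerPort => $port,
                                 Timeout => 5, %verify)
    or die "Handshake or certificate validation failed: $IO::Socket::SSL::SSL_ERROR\n"
         . "(re-run with --insecure to skip certificate and hostname checks)\n";

my $x509 = $probe->peer_certificate;                     # Net::SSLeay X509 handle
my $pkey = Net::SSLeay::X509_get_pubkey($x509);
my $bits = Net::SSLeay::EVP_PKEY_bits($pkey);            # assumed available in the installed Net::SSLeay
Net::SSLeay::EVP_PKEY_free($pkey);
my @alt  = $probe->peer_certificate('subjectAltNames');  # flat (type, value) pairs
my @dns;
while (my ($type, $value) = splice(@alt, 0, 2)) {
    push @dns, $value if $type == 2;                     # GEN_DNS
}
printf "Common name: %s\n", $probe->peer_certificate('cn');
printf "Subject alternative names: %s\n", @dns ? join(', ', @dns) : '(none)';
printf "Public key: %s\n", colored("$bits bits", $bits < 2048 ? 'red' : 'green');
$probe->close(SSL_ctx_free => 1);

chomp(my $list = qx(openssl ciphers 'ALL:COMPLEMENTOFALL'));
my @ciphers = grep { length } split /:/, $list
    or die "could not list ciphers from openssl\n";

# SSLv2 is omitted because modern OpenSSL cannot offer it at all, and
# SSL_cipher_list does not control TLS 1.3 suites, so the loop stops at TLS 1.2.
for my $proto (qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2)) {
    print "\n$proto\n";
    my $count = 0;
    for my $cipher (@ciphers) {
        my ($version, $negotiated) = try_handshake($proto, $cipher) or next;
        $count++;
        # Every SSLv3 handshake is red regardless of cipher (POODLE).
        my $colour = $proto eq 'SSLv3' ? 'red' : grade_cipher($negotiated);
        print '  ', colored(sprintf('%-32s accepted (%s)', $negotiated, $version), $colour), "\n";
    }
    print "  (nothing negotiated)\n" unless $count;
}
```

Two caveats when reading the output. A protocol that shows "(nothing negotiated)" may simply be one your local OpenSSL no longer supports (SSLv3 is compiled out of most current builds), so an all-green result only proves what this client can still ask for; and a hostname mismatch or untrusted chain fails every handshake identically, which is why the example verifies once before the loop and points at --insecure rather than printing a wall of failures.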

Change Log

v0.5.7: Released on October 2, 2016. This version fixes a bug in SSL certificate validation with newer versions of Net::SSLeay and IO::Socket::SSL.

v0.5.6: Released on November 15, 2014. This version adds support for additional OpenSSL versions, marks all SSLv3 connections as red in response to the POODLE vulnerability, and adds preliminary detection of SHA-1 versus SHA-2 certificate signatures. Please see the CryptoNark v0.5.6 release announcement for more information.

v0.5.5: Released on June 10, 2014. This version adds support for Windows (Windows 8.1 with Strawberry Perl 5.18.2 was the only tested configuration), including colorization support, and fixes some bugs that were uncovered while testing on newer versions of Perl and on Windows. Some users of newer versions of Perl were reporting "Use of uninitialized value in concatenation" warnings under Perl > v5.12; these issues were fixed in this release. In addition, there is a known issue with SSLv2 connections when running under Windows with OpenSSL 1.0.1g: some hosts may show a successful SSLv2 connection using cipher RC4-MD5. I'm still investigating this because it isn't happening for all hosts.

v0.5: Released June 2, 2014. This version adds a few changes and new features to certificate validation and works around some bugs. Please see this post for more information on these changes: CryptoNark 0.5 Released

v0.4.9: Released on July 7, 2013. This version adds a new feature: cnark will now warn if the public key is less than 2048 bits. Public keys less than 2048 bits will be colored Red while those greater than or equal to 2048 bits will be Green.

v0.4.8: Released on June 12, 2013. This version changes the behavior of cryptonark, converting it back to an SSL tool from a generic tool. The -xl/--kitchen-sink options have been removed, which reduces the number of CPAN module dependencies needed to run. Elliptic curve ciphers have been added, and if you are using OpenSSL 1.0.1 or later (the first release with TLS 1.2 support), cryptonark will also scan using TLS 1.2 ciphers. Finally, MD5 ciphers are now flagged as weak. See the CryptoNark v0.4.8 announcement page for more details.

v0.4.7: Released on March 8, 2012.  This version modifies the behavior of the --insecure switch by disabling all certificate and hostname validation. This fixes a problem where cryptonark would fail when scanning an IP address or a host name other than the common name or a subject alternative name bound to the certificate. In addition, when certificate validation is performed, the common name and all subject alternative names are displayed; previous versions only output the common name. See the CryptoNark v0.4.7 Released page for more information and background on this version.

v0.4.6: Released on July 31, 2011.  This version fixes three bugs that would only be uncovered if the extended tests were run. See the v0.4.6 release announcement for more information.

v0.4.5: Released on May 3, 2011.  This version changes the default redirection handler on the Unsafe URL checks to better filter out false positives.  Also new in this version, an HTTP PROPFIND scanner runs when an IIS site is detected (and the -xl command line argument is specified), in order to see if the "IIS HTTP PROPFIND is enabled" vulnerability is present.

v0.4.1: Released on March 28, 2011.  This version embraces one of the Modern Perl principles by using what you can find on the CPAN when possible. CryptoNark now uses the CPAN module "Mozilla::CA", which is Mozilla's CA certificate bundle in PEM format. This allows me to continue to just release a script without maintaining my own cacerts file.  In addition, I've added hostname verification support: cnark will now exit gracefully if the hostname on the site's certificate does not match the host name given on the command line.  Finally, I've embedded pod documentation in the script, so typing "perldoc cnark.pl" at the command line gives you a man page!  See the 0.4.1 Release Announcement for more information.

v0.4: Released on November 14, 2010.  This version adds certificate verification support, which is enabled by default.  Two options, --insecure and --kitchen-sink, were added as well.  Use --insecure if the site you are testing fails verification, which could be due to an invalid chain, a self-signed certificate, an expired certificate, etc.; --insecure disables certificate verification.  Also changed in this version is cryptonark's default behavior.  If the -xl or --kitchen-sink option is not passed, only the SSL-specific tests are run; if it is passed, all tests are executed in full tattletale mode.  The 0.4 Release Announcement post has more details.

v0.3.6: Released on September 7, 2010.  This version added a couple more URLs to the unsafe URL check and re-implemented the SSLv3 checks.  See the v0.3.6 announcement post for more info on specifics.

v0.3.5: Released on March 15, 2010.  This version adds scans for URLs that one wouldn't normally want exposed to the Internet, like the Tomcat Manager, Apache's server status or info pages, etc.  

v0.3:  Released on November 21, 2009.  This version introduces a couple of new features and changes from v0.2.5.  First off, Perl 5.10 is now required.  Some basic command line options have been introduced; run ./cnark.pl to view them.  CryptoNark will now perform an HTTP TRACE and an HTTP TRACK request so you can verify that these methods are disabled post-remediation.  Non-SSL servers can also be scanned now: setting the port number of the web server or site to something other than 443 implies an HTTP-only scan, so SSL cipher testing will not be performed.

v0.2.5:  Released September 18, 2009.  This version introduces a basic HTTP HEAD request that reports the web server type and version number.  This is useful as a check to make sure that server identity suppression has worked.  This release serves as an experiment in taking cryptonark in a new direction as a general purpose PCI compliance verification tool.

v0.2.1:  Released August 19, 2009.  This version removed the SSLv3 tests, which are redundant since sslv3 and tlsv1 support the same ciphers.

v0.2:  Released on July 26, 2009, this version introduced colorization of scan results.  A weak or anonymous cipher is displayed in red.  SSLv2 is a special case because, according to the current PCI DSS interpretation of their requirements, you only need to disable SSLv2 on a site if that site is encrypting credit card transactions.  Although disabling SSLv2 is still a best practice, cnark reports medium and high grade encryption ciphers in green while weak and null ciphers are colored red.  This way, as you remediate, you can keep re-scanning until everything comes up green.

v0.1:  Released on July 16, 2009, this is the initial version.  It is almost a direct port of sslthing.sh, although there are some additions.  First, it provides a little more information about the cipher in its output.  It also scans for null and anonymous ciphers, which sslthing does not appear to do.  Finally, cnark does not send any kind of HTTP message over the channel; it just reports the success or failure of the cipher used during the handshake, so if your web site uses some form of HTTP authentication, you can still test with cnark where sslthing would fail.