see discussion below
openssl s_client -cipher EXPORT -connect sohu.com:443 </dev/null 2>/dev/null |grep SSL-Session: -c
Prints 1
This is how it looks for:
~$ bash freak.sh
Obtaining cipher list from OpenSSL 0.9.8zc 15 Oct 2014.
Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing EXP-EDH-RSA-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (sslv3 alert handshake failure)
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...YES
Testing EXP-RC4-MD5...YES
Testing EXP-RC2-CBC-MD5...YES
Testing EXP-RC4-MD5...YES
WARNING: Upon further investigation, NONE of these openssl-based methods are good enough. Not this gist and not my own suggestion earlier.
It looks like 'openssl s_client' does not "detect" a cipher it doesn't support itself. So if the machine you're testing FROM is fairly up-to-date, you may miss any ciphers that are already removed from your version. I haven't checked if this is a real-world issue and I don't have time for that right now, so I opt for a different detection mechanism that will detect all combinations.
I suggest using nmap instead.
nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT
This is a lot slower, but it catches all export ciphers.
And if you need a drop-in replacement for my earlier command, which prints 1 for vulnerable and 0 for clean:
nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT -l |wc -l
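The limitation described in the comment above is that `openssl s_client` can only offer the cipher suites its own build still knows about, so a modern client silently under-reports. One way around that without installing nmap is to speak just enough TLS yourself: send a ClientHello that offers a single export suite and see whether the server answers with a ServerHello selecting it or with an alert. The script below is an added example written for this discussion, not code from the gist or its comments; it hard-codes the nine RFC 2246 export suite IDs under the OpenSSL names shown in the freak.sh output, uses TLS 1.0 record framing with an SNI extension, and treats a closed connection or an alert as "refused". The default host `sohu.com` is the one used throughout the gist; the byte layouts are from the TLS 1.0 specification.

```python
"""Probe a TLS server for export-grade cipher suites without depending on the
local OpenSSL build's cipher list (added example, not part of the gist)."""
import os
import socket
import struct

# Export cipher suite IDs from RFC 2246 (40-bit key material), keyed to the
# OpenSSL names that appear in the freak.sh output above.
EXPORT_SUITES = {
    0x0003: "EXP-RC4-MD5",
    0x0006: "EXP-RC2-CBC-MD5",
    0x0008: "EXP-DES-CBC-SHA",
    0x000B: "EXP-DH-DSS-DES-CBC-SHA",
    0x000E: "EXP-DH-RSA-DES-CBC-SHA",
    0x0011: "EXP-EDH-DSS-DES-CBC-SHA",
    0x0014: "EXP-EDH-RSA-DES-CBC-SHA",
    0x0017: "EXP-ADH-RC4-MD5",
    0x0019: "EXP-ADH-DES-CBC-SHA",
}

TLS10 = b"\x03\x01"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(hostname, suites):
    """TLS 1.0 ClientHello offering only `suites`, with an SNI extension."""
    sni_name = hostname.encode("idna")
    server_name = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name   # name_type host_name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS10
        + os.urandom(32)                                     # client random
        + b"\x00"                                            # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes  # cipher suites
        + b"\x01\x00"                                        # one compression method: null
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(record):
    """Return the cipher suite id from a ServerHello, or None for an alert.

    Raises ValueError for anything that is not a well-formed TLS record.
    """
    if len(record) < 5:
        raise ValueError("short record")
    ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    if ctype == ALERT:
        return None                      # e.g. handshake_failure: suite refused
    if ctype != HANDSHAKE or not payload or payload[0] != SERVER_HELLO:
        raise ValueError("unexpected record type %#x" % ctype)
    # handshake header (4) + version (2) + random (32) -> session id length at 38
    sid_len = payload[38]
    off = 39 + sid_len
    if len(payload) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", payload[off:off + 2])[0]


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed")
        buf += chunk
    return buf


def read_record(sock):
    """Read exactly one TLS record (5-byte header plus body)."""
    header = _read_exact(sock, 5)
    (length,) = struct.unpack("!H", header[3:5])
    return header + _read_exact(sock, length)


def export_suites_accepted(hostname, port=443, timeout=5.0):
    """Offer each export suite on its own; return the names the server accepts.

    Because exactly one suite is offered per handshake, a ServerHello that
    selects it is proof of server support; the local OpenSSL plays no part.
    """
    accepted = []
    for suite_id, name in EXPORT_SUITES.items():
        with socket.create_connection((hostname, port), timeout=timeout) as s:
            s.sendall(build_client_hello(hostname, [suite_id]))
            try:
                chosen = parse_server_response(read_record(s))
            except (ValueError, socket.timeout):
                chosen = None            # closed connection or garbage: refused
        if chosen == suite_id:
            accepted.append(name)
    return accepted


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sohu.com"
    found = export_suites_accepted(host)
    print(1 if found else 0, *found)     # 1 = export suite(s) accepted, 0 = clean
```

Run it as `python3 probe_export.py example.org`; the first token of the output follows the gist's convention (1 for vulnerable, 0 for clean) and the remaining tokens name the accepted suites. Servers that refuse a suite typically send a handshake_failure alert or simply close the connection, and both cases are treated as "not accepted" here.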
On my system (CentOS 6.6), nmap outputs on STDERR not STDOUT... so you need an extra 2>&1 to avoid false "safe" messages... i.e.
nmap --script ssl-enum-ciphers -p 443 sohu.com 2>&1 | grep EXPORT -l | wc -l
Edit...
Hmm... not quite true... for sohu.com (as above..) I need it... but for example, for mumsnet.com I didn't ?? Don't have time to experiment... but to be sure... I'd check the output....
You can use this online tool to check if your webserver is vulnerable:
Great feedback and discussion, it looks like nmap is indeed a better method:
nmap --script ssl-enum-ciphers -p 443 sohu.com|grep EXPORT
Is there an example freak site that can be tested that prints "1"? All sites I have tested so far return 0.