# MASSPIE

_Mass-scanning port `25/tcp` and checking whether STARTTLS is enforced and whether the certificate validates_

| 5 |
## REQUIREMENTS |
| 6 |
|
| 7 |
- at least 100Mbit/s up/down public network pipe |
| 8 |
- quite a few cores to handle many DNS and SSL processes |
| 9 |
- [MASSCAN: Mass IP port scanner](https://github.com/robertdavidgraham/masscan) |
| 10 |
- the `host` command from BIND |
| 11 |
- OpenSSL or LibreSSL (`s_client`) |
| 12 |
|
## SYSPREP

You will have to adapt the rate to your network pipe and CPU power, which is why it's good to have some performance monitoring tools available.

Slackware

```
slackpkg install bind traceroute nmap htop iftop
sbopkg -i nload
#ntop
slackpkg install gcc-10 git libcap make
git clone https://github.com/robertdavidgraham/masscan
cd masscan/
make >/dev/null && echo BUILT
make install >/dev/null && echo INSTALLED
mkdir -p /etc/masscan/
cp -i data/exclude.conf /etc/masscan/exclude.conf.sample
```

Ubuntu

```
apt install dnsutils traceroute nmap htop iftop nload masscan
#ntop
```

Ready to go

```
which masscan
masscan -V
```

Don't forget to define the exclude list, e.g.

```
vi /etc/masscan/exclude.conf
```

```
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.0.0/29
192.0.0.170/32
192.0.0.171/32
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
240.0.0.0/4
255.255.255.255/32
```

## INITIAL SCAN

_as root_

```
month=`date +%Y%m`
mkdir -p ~/mass/$month/
cd ~/mass/$month/
screen -S $month
```

```
ping 208.67.220.220
htop
iftop
nload
```

```
time masscan 0.0.0.0/0 -p25 --excludefile /etc/masscan/exclude.conf --rate=250000 -oG massp25.og
```

Adjust the rate according to your network bandwidth, CPU power and, most of all, how long you are willing to wait; 8 to 9 hours is acceptable to me.

## INSTALLATION

_as user_

Now move the scan results to the `mass` user's home directory. You should have got 11 to 13 million hits:

```
grep -v ^# ~/mass/$month/massp25.og | wc -l
mv ~/mass/$month/ ~mass/
chown -R mass:users ~mass/$month/
```

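As an added example (not one of the Masspie scripts), here is the counting step above done in Python: it parses grepable `massp25.og` lines of the shape masscan's `-oG` writes (`Timestamp: ...\tHost: IP ()\tPorts: 25/open/tcp////`), keeps unique IPs reported open on 25/tcp, and cross-checks them against a CIDR exclude list like the one in SYSPREP; both the sample scan lines and the shortened exclude list below are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample in the shape of masscan -oG output (no real scan data);
# it includes a duplicate hit, a closed port and a truncated last record.
SAMPLE_OG = (
    "# Masscan scan initiated Wed Jan  1 00:00:00 2020\n"
    "# Ports scanned: TCP(1;25-25) UDP(0;) SCTP(0;) PROTOCOLS(0;)\n"
    "Timestamp: 1577836800\tHost: 192.0.2.10 ()\tPorts: 25/open/tcp////\n"
    "Timestamp: 1577836801\tHost: 198.51.100.7 ()\tPorts: 25/open/tcp////\n"
    "Timestamp: 1577836802\tHost: 192.0.2.10 ()\tPorts: 25/open/tcp////\n"
    "Timestamp: 1577836803\tHost: 203.0.113.9 ()\tPorts: 25/closed/tcp////\n"
    "Timestamp: 1577836804\tHost: 192.0.2.77 ()\tPo\n"
    "# Masscan done at Wed Jan  1 00:00:05 2020\n"
)

# Constructed subset of an exclude.conf (the IPv4 documentation ranges).
SAMPLE_EXCLUDES = "192.0.2.0/24\n198.51.100.0/24 # TEST-NET-2\n203.0.113.0/24\n"

# The Timestamp field is optional so older masscan builds parse as well.
OG_LINE = re.compile(
    r"^(?:Timestamp:\s*\d+\t)?Host:\s*(\S+)\s*\(\)\tPorts:\s*(\d+)/(\w+)/(\w+)/"
)


def open_hosts(og_text, port=25):
    """Unique IPs with `port` reported open over TCP, sorted numerically.
    Comment lines and malformed/truncated records are skipped, so an
    interrupted scan still yields every complete record."""
    found = set()
    for line in og_text.splitlines():
        m = OG_LINE.match(line)
        if not m:
            continue
        ip, p, state, proto = m.groups()
        if int(p) == port and state == "open" and proto == "tcp":
            found.add(ipaddress.ip_address(ip))
    return [str(a) for a in sorted(found)]


def load_excludes(conf_text):
    """Parse CIDR entries from exclude.conf-style text; '#' starts a comment."""
    nets = []
    for line in conf_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def excluded_hits(ips, nets):
    """Results inside an excluded range: a non-empty list means the scan ran
    without the exclude file (or with an incomplete one)."""
    return [ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in nets)]
```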
Then switch to the `mass` user

```
su - mass
```

grab the Masspie scripts, and start a GNU Screen session in the month's directory

```
svn checkout https://svn.osdn.net/svnroot/masspie/
cd masspie/

month=`date +%Y%m`
cd ~/$month/
screen -S masspie
```

## IPREV CHECK

_As user; CPU-heavy_

This step hammers a DNS forwarder, possibly yours or your ISP's. It can be split across multiple servers; in that case you may want to swap the nameserver order in `resolv.conf` on each of them, e.g. the first server lists DNS1 first and the second server lists DNS2 first.

```
vi /etc/resolv.conf
```

```
cd ~/$month/
ls -lF massp25.og
#rm -rf splitted/
#rm -f splitted/*.ptr splitted/*.weird
~/masspie/checkiprev.bash
ls -lF massp25.og.ip.sort
ls -F splitted/ip[0-9][0-9][0-9]
tail splitted/ip099
tail -f splitted/ip099.ptr
```

and check the CPU load with `htop`.

## CUSTOM OPENSSL

_Exit when STARTTLS is not advertised in the EHLO reply_

```
git clone git://git.openssl.org/openssl.git
cd openssl/
patch -p1 < ../openssl-shut.patch
```

```
removepkg openssl
#keep openssl-solibs as the whole system depends on it
mv /etc/ssl/ /etc/ssl.old/
```

```
./config --openssldir=/etc/ssl
#perl configdata.pm --dump
time make -j8 >/dev/null && echo BUILT
time make -j8 install >/dev/null && echo INSTALLED
ls -lF /usr/local/lib64/libssl.so
ls -lF /usr/local/lib64/libcrypto.so
ls -lF /usr/local/include/openssl/aes.h
#cat /etc/ld.so.conf
ldconfig
update-ca-certificates
```

## VALID CN/SAN CHECK

```
for x in `seq -w 000 999`; do ./sslcheck.bash x$x.ptr & done; unset x
jobs
```

## CERTIFICATE CHECK

Grab the [latest concatenated Mozilla CA bundle](https://curl.haxx.se/docs/caextract.html)

```
cd /etc/ssl/
curl -s --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
sha256sum cacert.pem | tee -a cacert.pem.sha2

#2020/01/01
#adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f cacert.pem
```

Now make sure you're in a position to validate certificates.

```
ehlo=YOUR-IPREV
mx=xc.nethence.com
echo Q | /usr/local/bin/openssl s_client -4 -showcerts -verify 5 -CAfile cacert.pem -starttls smtp -name $ehlo -servername $mx -connect $mx:25 -crlf > $mx.chain.crt
#-CApath /etc/ssl/certs
#-brief
```

Note `-showcerts` helps to get the intermediate certificate here.

```
/usr/local/bin/openssl crl2pkcs7 -nocrl -certfile $mx.chain.crt | openssl pkcs7 -print_certs -noout
```

```
/usr/local/bin/openssl verify -verbose -issuer_checks -CAfile cacert.pem -untrusted $mx.chain.crt -no_alt_chains -ignore_critical $mx.chain.crt
#-CApath /etc/ssl/certs
#-crl_download -crl_check
```

Note `-untrusted` helps to define the intermediate certificate for chain validation.

Then finally proceed with mass validation.

```
for x in `seq -w 000 999`; do ./sslvalid.bash x$x.ptr.validcn & done; unset x
jobs
```

## PTR DOMAINS

To query the right TLSA records we need MX records, and to get MX records we need zone names. We will not obtain every public zone, but here is an attempt to collect some from the PTRs we have gathered.

```
./checkdomains.bash
```

## MXes & DANE

Now we can query the MX records of those domains and possibly find DANE-enabled SMTP hosts (including PKIX-TA/EE).

```
./dane.bash
```

## ADDITIONAL NOTES

The second-level domain public suffixes in the `SLDs` file were obtained as follows

```
wget https://raw.githubusercontent.com/gavingmiller/second-level-domains/master/SLDs.csv
cut -f2 -d, SLDs.csv | sed 's/^\.//' > SLDs
dos2unix SLDs
```