package main
import (
"bytes"
"crypto/tls"
"encoding/base64"
"errors"
"io"
"io/ioutil"
"math/rand"
"net"
"net/http"
"time"
)
// decodeSPKI returns the standard-base64 decoding of s. The decode error is
// dropped, exactly as the original `_` declarations did: the inputs are
// compile-time literals, so a failure would be a typo in this file rather
// than a runtime condition.
func decodeSPKI(s string) []byte {
	der, _ := base64.StdEncoding.DecodeString(s)
	return der
}

// Pinned DER-encoded SubjectPublicKeyInfo values. testTls compares the
// second certificate of the peer chain (normally the leaf's issuer) against
// g2pkp and g3pkp; g3ecc is declared but is not part of that comparison.
// The names suggest the RSA and ECC keys of Google's G2/G3 intermediates —
// presumed from the identifiers, not established by anything in this file.
var (
	g2pkp = decodeSPKI("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnCoEd1zYUJE6BqOC4NhQSLyJP/EZcBqIRn7gj8Xxic4h7lr+YQ23MkSJoHQLU09VpM6CYpXu61lfxuEFgBLEXpQ/vFtIOPRT9yTm+5HpFcTP9FMN9Er8n1Tefb6ga2+HwNBQHygwA0DaCHNRbH//OjynNwaOvUsRBOt9JN7m+fwxcfuU1WDzLkqvQtLL6sRqGrLMU90VS4sfyBlhH82dqD5jK4Q1aWWEyBnFRiL4U5W+44BKEMYq7LqXIBHHOZkQBKDwYXqVJYxOUnXitu0IyhT8ziJqs07PRgOXlwN+wLHee69FM8+6PnG33vQlJcINNYmdnfsOEXmJHjfFr45yaQIDAQAB")
	g3pkp = decodeSPKI("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAylJL6h7/ziRrqNpyGGjVVl0OSFotNQl2Ws+kyByxqf5TifutNP+IW5+75+gAAdw1c3UDrbOxuaR9KyZ5zhVACu9RuJ8yjHxwhlJLFv5qJ2vmNnpiUNjfmonMCSnrTykUiIALjzgegGoYfB29lzt4fUVJNk9BzaLgdlc8aDF5ZMlu11EeZsOiZCx5wOdlw1aEU1pDbcuaAiDS7xpp0bCdc6LgKmBlUDHP+7MvvxGIQC61SRAPCm7cl/q/LJ8FOQtYVK8GlujFjgEWvKgaTUHFk5GiHqGL8v7BiCRJo0dLxRMB3adXEmliK+v+IO9p+zql8H4p7u2WFvexH6DkkCXgMwIDAQAB")
	g3ecc = decodeSPKI("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEG4ANKJrwlpAPXThRcA3Z4XbkwQvWhj5J/kicXpbBQclS4uyuQ5iSOGKcuCRt8ralqREJXuRsnLZo0sIT680+VQ==")
)
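// testTls probes ip on port 443 and reports whether it responds the way the
// scanner expects, at the strictness selected by config.Tls.Level.
//
// Always: a TCP connect within config.Tls.ScanMaxRTT and a TLS handshake
// within config.Tls.HandshakeTimeout must succeed. The SNI is a random host
// from randomHost() unless config.Tls.ServerName lists names to pick from.
// The handshake runs with InsecureSkipVerify set, so at this level nothing
// about the peer is authenticated.
//
// Level > 1: the peer must additionally present at least two certificates,
// the leaf's Organization must be "Google Inc", and the second certificate's
// SubjectPublicKeyInfo must equal one of the pinned g2pkp/g3pkp values (see
// tlsChainPinned for the limits of that check).
//
// Level > 2: an HTTPS GET for a random entry of config.Tls.HTTPVerifyHosts,
// sent over the same TLS connection, must additionally return a status in
// [200, 400) (see tlsHTTPProbe).
//
// On success the wall-clock time of the whole probe is added to record.RTT
// and true is returned; every failure returns false without touching record.
func testTls(ip string, config *GScanConfig, record *ScanRecord) bool {
	start := time.Now()

	conn, err := net.DialTimeout("tcp", net.JoinHostPort(ip, "443"), config.Tls.ScanMaxRTT)
	if err != nil {
		return false
	}
	defer conn.Close()

	// randomHost() is only consulted when the config does not pin a list,
	// so any side effects it has are kept to that case.
	var serverName string
	if n := len(config.Tls.ServerName); n == 0 {
		serverName = randomHost()
	} else {
		serverName = config.Tls.ServerName[rand.Intn(n)]
	}

	// Chain verification is disabled on purpose: the scanner connects by IP
	// with an arbitrary SNI, so the certificate cannot be expected to match.
	// Peer identity is instead checked by the pin comparison (Level > 1 only).
	// The TLS 1.0–1.2 range and the short legacy cipher list (including 3DES)
	// are offered as-is; presumably they mirror what the probed front ends
	// accept, but nothing in this file establishes that.
	tlscfg := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		},
		ServerName: serverName,
	}
	tlsconn := tls.Client(conn, tlscfg)
	defer tlsconn.Close()

	// The deadline is absolute and is never reset, so it also bounds the
	// Level > 2 HTTP probe, which reuses this connection.
	if err = tlsconn.SetDeadline(time.Now().Add(config.Tls.HandshakeTimeout)); err != nil {
		return false
	}
	if err = tlsconn.Handshake(); err != nil {
		return false
	}

	if config.Tls.Level > 1 && !tlsChainPinned(tlsconn.ConnectionState()) {
		return false
	}
	if config.Tls.Level > 2 && !tlsHTTPProbe(tlsconn, config.Tls.HTTPVerifyHosts) {
		return false
	}

	record.RTT += time.Since(start)
	return true
}

// tlsChainPinned reports whether the peer chain in cs has a leaf whose
// Organization is "Google Inc" and whose second certificate (the one the
// peer sent after the leaf, normally its issuer) carries a
// SubjectPublicKeyInfo equal to g2pkp or g3pkp.
//
// Because the handshake ran with InsecureSkipVerify, no signature in the
// chain has been checked: this confirms that the presented chain contains a
// pinned key, not that the leaf was actually issued under it.
func tlsChainPinned(cs tls.ConnectionState) bool {
	pcs := cs.PeerCertificates
	if len(pcs) < 2 {
		return false
	}
	if org := pcs[0].Subject.Organization; len(org) == 0 || org[0] != "Google Inc" {
		return false
	}
	pkp := pcs[1].RawSubjectPublicKeyInfo
	// g3ecc is declared next to the RSA pins but was left out of this
	// comparison in the original; that is kept as-is here.
	return bytes.Equal(g2pkp, pkp) || bytes.Equal(g3pkp, pkp)
}

// tlsHTTPProbe sends one GET for a random entry of hosts over the already
// established tlsconn and reports whether the response status is in
// [200, 400). Redirects are not followed, but a 3xx response still counts
// as success, matching the original behaviour. The response body is always
// drained and closed, including on the failure path.
func tlsHTTPProbe(tlsconn net.Conn, hosts []string) bool {
	// rand.Intn panics on 0; an empty list simply cannot be probed.
	if len(hosts) == 0 {
		return false
	}
	target := "https://" + hosts[rand.Intn(len(hosts))]
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		// A malformed host in the config must not become a nil-pointer panic.
		return false
	}
	req.Close = true

	c := http.Client{
		Transport: &http.Transport{
			// Hand the transport the connection already in hand: no new dial,
			// no second handshake. (DialTLS is the pre-1.14 hook; kept because
			// the file's toolchain version is not visible here.)
			DialTLS: func(network, addr string) (net.Conn, error) { return tlsconn, nil },
		},
		// Returning an error from CheckRedirect makes Do hand back the 3xx
		// response (with its body already closed) instead of following it.
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return errors.New("fuck redirect")
		},
	}

	// Do may return both a response and an error (the redirect case above);
	// only the response matters here, so the error is dropped deliberately.
	resp, _ := c.Do(req)
	if resp == nil {
		return false
	}
	if resp.Body != nil {
		defer func() {
			// Drain before closing so no unread data is left on the connection.
			io.Copy(ioutil.Discard, resp.Body)
			resp.Body.Close()
		}()
	}
	return resp.StatusCode >= 200 && resp.StatusCode < 400
}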