TLSAssistant

TLSAssistant is a fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks. The companion page can be found here.

Features

Mitigations

Thanks to the integrated analyzers, TLSAssistant is currently able to detect and provide mitigations for:

• 3SHAKE
• Bar Mitzvah
• BREACH
• Client-Initiated Renegotiation DoS
• CRIME
• DROWN
• HSTS not preloaded
• HSTS not set
• HTTPS not enforced
• Lucky13
• Missing Certificate Transparency
• POODLE
• RC4NOMORE
• ROBOT
• SLOTH
• Sweet32
• Unsecure Android TrustManagers

Attack trees

TLSAssistant is able to graphically represent the analysis result using a set of custom attack trees. Each tree consists of:

• A goal (root). indicating which security property would be broken;
• Protocol/infrastructure subgoals. displaying which protocol or infrastructure can be exploited in order to achieve the root goal;
• Technique subgoals. showing the technique an attacker has to use in order to exploit the aforementioned protocol;
• Attacks (leaves). is divided into boxes. The first one lists the prerequisites an attacker needs, the second one describes the steps needed to exploit the vulnerability and, if needed, a third one shows how the attack is concluded.

The following image shows a simplified version of the output

STIX output

TLSAssistant is able to export the analysis result in STIX, a language used to share cyber threat intelligence (CTI) that can be represented with objects and their descriptive relationships. After every scan and for each discovered vulnerability, TLSAssistant generates a STIX bundle (JSON file) containing the following objects:

1. vulnerability;
2. course of action;
3. relationship;
4. observed data;
5. sighting.

The following image shows an example for the Bar Mitzvah attack

Dependencies

To be able to run TLSAssistant you will need a set of dependencies that can be automatically downloaded by running INSTALL.sh.

It will download (and place in the correct folders) the following:

• packages: aha, androguard, curl, git, graphviz, html2text, libxml2-utils, python2, wget;
• analyzers: mallodroid, testssl.sh, tlsfuzzer.

Note: TLSAssistant is not compatible with Windows Subsystem for Linux v1.

Download

You can install TLSAssistant by cloning this git repository:

git clone https://github.com/stfbk/tlsassistant.git

and running the INSTALL.sh script to install all the dependencies.

Usage

Once in the right directory, run

bash TLSAssistant.sh <parameters>

where

Parameters

• -h|--help show the help
• -s|--server [URL|IP] {port} analyze a server, default port: 443
• -d|--domain <URL> analyze the subdomains of a given website
• -l|--list <file> analyze the provided hosts list (one per line)
• -a|--apk <file> check an apk installer
• -x|--stix STIX output format
• -v [0|1|2|3] verbosity level

Verbosity level

• 0: mitigations' description
• 1: previous + code snippets [default]
• 2: previous + tools' individual reports
• 3: previous + highlighted attack trees

example: bash TLSAssistant.sh -s github.com

Credits

TLSAssistant exists thanks to the following open-source projects (from a to z):

• Androguard
• ctfr
• mallodroid
• markdown.bash
• python-stix2
• testssl.sh
• tlsfuzzer

License

Copyright 2019-2020, Fondazione Bruno Kessler

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Developed within Security & Trust Research Unit at Fondazione Bruno Kessler (Italy)