kontrola

#!/usr/bin/env bash
# ------------------------------------------------------------------------------
# kontrola 
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in 
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# ------------------------------------------------------------------------------

###### Variables to define ######
# use static list (DEFAULT) instead of discovering hosts on a subnet
static_file="domains.txt"

# run discovery over a subnet to find live hosts to check
#discovery="no"
# discovery subnet ie- 10.10.0.0/16 (DEFUALT: localhosts-ip/32)
#discovery_subnet=""

# days until certificate expiriation
days_warning="30"

# ports to check for SSL certifcates
port_list="443"
#port_list="443 8443"
#port_list="25 110 143 443 465 587 993 995 8443 8889"

# openssl s_client timeout
scan_timeout="5"

# path to write html report to
report_path="html"
#################################


preFlight () {
    echo "* Preflight..."
    for cli in awk date egrep grep nmap openssl timeout tr;
    do
        if ! type "$cli" > /dev/null 2>&1; then echo "ERROR: $cli is not installed, or in the PATH. Aborting."; fi
    done
    echo "  - passed"
}


findHosts(){
    echo "* Discovery..."
    if [ "${discovery}" == 'yes' ]; then
        echo "yes"
        if [ -z "$discovery_subnet" ]; then
            discovery_subnet="$(ping -c1 $(hostname) | head -n1 | awk -F"(" '{print $2}' | awk -F")" '{print $1}')/24"
        fi
        echo -n "   - scanning $discovery_subnet subnet for live hosts"
        nmap -sn $discovery_subnet | grep 'Nmap scan report for' | cut -f5 -d' ' > $static_file
        echo "$(cat scan_list | wc -l) found"
    else
        echo "  - not requested"
    fi
}


sanitizeLists(){
    echo "* Sanitize..."
    echo "  - separating domain names from ips"
    egrep '(([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])' $static_file > static_file_ips
    egrep -v '(([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])' $static_file > static_file_domains

    if [ -f static_file_ips ]; then 
        echo "  - trying to resolve found ips"
        #cat static_file_ips | xargs -n1 dig +noall +answer -x | awk '{print $5}' > static_file_ips.resolved
        cat static_file_ips | xargs -n1 dig +noall +answer | awk '{print $5}' > static_file_ips.resolved
    fi

    echo "  - building list with domains and any unresolvabled ips"
    cat static_file_ips.resolved static_file_domains > pre_scan_list

    echo "  - removing dupes from completed list"
    awk '!x[$0]++' pre_scan_list > scan_list
    echo "  - list contains $(cat scan_list | wc -l) entries"
}


scanHosts(){
    echo "* Scanning..."
    echo "${port_list[@]}" | tr ' ' '\n' > port_list
    echo "   - scanning $(cat scan_list | wc -l) hosts for ports $(cat port_list)"
    touch combo_list.base
    cat scan_list | while read host_ip
    do
        cat port_list | while read host_port
        do
            echo "      $host_ip:$host_port"
            scan_result=$(nmap -p T:$host_port --open -n $host_ip |awk -F'/' '/open/ {print $1}' | wc -l)
            if [ "$scan_result" == "1" ]; then
                echo $host_ip:$host_port >> combo_list.base
            fi
        done
    done 

    if [[ "$(cat combo_list.base | wc -l)" -lt "1" ]]; then
        echo "ERROR: no host responses, look at remaining _list files for details"; exit 1
    fi

    echo "   - building new host:port combo list"
    awk '!x[$0]++' combo_list.base > combo_list
    combos_found=$(cat combo_list | wc -l)
    if [ "$combos_found" == "0" ]; then
        echo "ERROR: no hostnames:port found to scan, look at remaining _list files for details"
        exit 1
    fi

    echo "   - found $combos_found host:port combos for interrogation"
}


querySsl(){
    echo "* Querying SSL..."
    touch green_list.csv yellow_list.csv red_list.csv misconfigured_list
    echo "   - querying the $combos_found host:port combos"
    now_epoch=$( date +%s )
    cat combo_list | while read combo_set
    do
        echo -n "       $combo_set   "
        expiry_date=$( echo | timeout $scan_timeout openssl s_client -showcerts -connect $combo_set 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d "=" -f 2 )
        echo -n " $expiry_date";
        expiry_epoch=$( date -d "$expiry_date" +%s )
        expiry_days="$(( ($expiry_epoch - $now_epoch) / (3600 * 24) ))"
        echo "    $expiry_days days"
        if [[ "$expiry_days" -lt "1" ]]; then
            if [[ -n "$combo_set" ]] && [[ -n "$expiry_date" ]] && [[ -n "$expiry_days" ]]; then 
cat >> red_list.csv <<EOF
$combo_set,$expiry_date,$expiry_days
EOF
        else
cat >> misconfigured_list <<EOF
<tr><td>$combo_set</td><td>...</td><td>...</td></tr>
EOF
            fi
        elif [[ "$expiry_days" -lt "$days_warning" ]]; then
            if [[ -n "$combo_set" ]] && [[ -n "$expiry_date" ]] && [[ -n "$expiry_days" ]]; then 
cat >> yellow_list.csv <<EOF
$combo_set,$expiry_date,$expiry_days
EOF
        else
cat >> misconfigured_list <<EOF
<tr><td>$combo_set</td><td>...</td><td>...</td></tr>
EOF
            fi
        else
            if [[ -n "$combo_set" ]] && [[ -n "$expiry_date" ]] && [[ -n "$expiry_days" ]]; then 
cat >> green_list.csv <<EOF
$combo_set,$expiry_date,$expiry_days
EOF
        else
cat >> misconfigured_list <<EOF
<tr><td>$combo_set</td><td>...</td><td>...</td></tr>
EOF
            fi
        fi
    done
    echo "   - separate lists built for expired, expiring, and valid"
}


genReport(){
    echo "* Report..."
    time_stamp=$(date +"%b %d, %Y at %k:%M:%S")
    simple_time_stamp=$(date +"%Y")-$(date +"%m")-$(date +"%d")
    csv_report=$simple_time_stamp-ssl-report.csv
    echo "  - creating report path"
    if [ -d "$report_path" ]; then
        rm -rf $report_path/*
    fi
    if [[ ${discovery+x} ]]; then
        report_path=$report_path/$(echo $discovery_subnet | cut -d"/" -f1)
    fi
    if [ ! -d "$report_path" ]; then
        mkdir -p $report_path
    fi
    #<!--cp -R src/css src/favicon.ico src/js src/webfonts $report_path-->

    echo "  - sorting output lists"
    ### Sort and Format files (TODO do both of these functions in a loop)
    # sort output by the days remaining, or after expiration
    awk '{print $0 }' red_list.csv | sort -t "," -k 3 -n -o red_list.sorted red_list.csv 
    awk '{print $0 }' yellow_list.csv | sort -t "," -k 3 -n -o yellow_list.sorted yellow_list.csv 
    awk '{print $0 }' green_list.csv | sort -t "," -k 3 -n -o green_list.sorted green_list.csv 

    # format sorted lists to have html
	while read INPUT ; 
    do
  	    echo "<tr><td>${INPUT//,/</td><td>}</td></tr>" ;
	done < red_list.sorted > red_list ;

	while read INPUT ; 
    do
  	    echo "<tr><td>${INPUT//,/</td><td>}</td></tr>" ;
	done < yellow_list.sorted > yellow_list ;

	while read INPUT ; 
    do
  	    echo "<tr><td>${INPUT//,/</td><td>}</td></tr>" ;
	done < green_list.sorted > green_list ;

    echo "  - building html report"

###### BUILD REPORT PAGES
#### SUMMARY
    echo "      summary page"
    cat src/header_index.html >> $report_path/index.html

cat <<EOF >> $report_path/index.html
<div class="container">
<div class="row">
<div class="col-sm-4">
<div class="card text-center text-white bg-danger" style="width: 18rem;">
<div class="card-body">
<h1 class="card-title">$(cat red_list | wc -l)</h5>
<a href="expired.html" class="btn btn-light">Expired</a>
</div>
</div>
</div>
<div class="col-sm-4">
<div class="card text-center text-white bg-warning" style="width: 18rem;">
<div class="card-body">
<h1 class="card-title">$(cat yellow_list | wc -l)</h5>
<a href="expiring.html" class="btn btn-light">Expiring</a>
</div>
</div>
</div>
<div class="col-sm-4">
<div class="card text-center text-white bg-success" style="width: 18rem;">
<div class="card-body">
<h1 class="card-title">$(cat green_list | wc -l)</h5>
<a href="valid.html" class="btn btn-light">Valid</a>
</div>
</div>
</div>
<!--<div class="col-sm-3">
<div class="card text-center text-white bg-secondary" style="width: 18rem;">
<div class="card-body">
<h1 class="card-title">$(cat misconfigured_list | wc -l)</h5>
<a href="misconfigured.html" class="btn btn-light">Misconfigured</a>
</div>
</div>
</div>-->
<!--</div>
</div>-->
EOF

    cat src/search.html >> $report_path/index.html 

cat <<EOF >> $report_path/index.html
<div align="center"><p class="text-center text-muted">Scan completed $(echo $time_stamp)  |  <a class="text-muted" href="$csv_report" alt="$csv_report">Export as CSV</a></p></div>
EOF

    cat src/footer.html >> $report_path/index.html
####

#### EXPIRED
    echo "      expired page"
    cat src/header.html >> $report_path/expired.html

cat <<EOF >> $report_path/expired.html
<div class="container">
<h2><span style="color: Red;"><i class="fas fa-circle" style="red"></i></span> Expired</h2>
<p>The scan on $(echo $time_stamp) found that the following SSL certificates have expired</p>            
<table class="table">
<thead>
<tr>
<th>Hostname:port</th>
<th>Expiration date</th>
<th>Days since expiration</th>
</tr>
</thead>
<tbody>
EOF

    cat red_list >> $report_path/expired.html
    cat src/footer.html >> $report_path/expired.html
####

#### EXPIRING
    echo "      expiring page"
    cat src/header.html >> $report_path/expiring.html

cat <<EOF >> $report_path/expiring.html
<div class="container">
<h2><span style="color: Yellow;"><i class="fas fa-circle" style="red"></i></span> Expiring</h2>
<p>The scan on $(echo $time_stamp) found that the following SSL certificates are expiring within $(echo $days_warning) days</p>
<table class="table">
<thead>
<tr>
<th>Hostname:port</th>
<th>Expiration date</th>
<th>Days until expiration</th>
</tr>
</thead>
<tbody>
EOF

    cat yellow_list >> $report_path/expiring.html
    cat src/footer.html >> $report_path/expiring.html

####

#### VALID 
    echo "      valid page"
    cat src/header.html >> $report_path/valid.html

cat <<EOF >> $report_path/valid.html
<div class="container">
<h2><span style="color: Green;"><i class="fas fa-circle" style="red"></i></span> Valid</h2>
<p>The scan on $(echo $time_stamp) found that the following SSL certificates are valid for more than $(echo $days_warning) days</p>            
<table class="table">
<thead>
<tr>
<th>Hostname:port</th>
<th>Expiration date</th>
<th>Days until expiration</th>
</tr>
</thead>
<tbody>
EOF

    cat green_list >> $report_path/valid.html
    cat src/footer.html >> $report_path/valid.html

#### MISCONFIGURED 
    cat src/header.html >> $report_path/misconfigured.html

cat <<EOF >> $report_path/misconfigured.html
<div class="container">
<h2><span style="color: Gray;"><i class="fas fa-circle" style="red"></i></span> Misconfigured</h2>
<p>$(echo $time_stamp) - the following SSL certificates are misconfigured, and unable to be checked. Please check them manually</p>            
<table class="table">
<thead>
<tr>
<th>Hostname:port</th>
<th>Expiration date</th>
<th>Days until expired</th>
</tr>
</thead>
<tbody>
EOF

    cat misconfigured_list >> $report_path/misconfigured.html
    cat src/footer.html >> $report_path/misconfigured.html
}


genCsv(){
    echo "* CSV file..."
    echo "  - building csv file"
    echo "      header"
    echo "Hostname,IP Address,Port,Expiration Date,Status,Days +/-" > $csv_report

    echo "      expired list"
    cat red_list.sorted | while read line
    do
       hostname=$(echo $line | awk -F":" '{print $1}')
       ip_address=$(dig +noall +answer $hostname | egrep -o '(([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])')
       port=$(echo $line | awk -F":" '{print $2}' | cut -d"," -f1)
       expiration=$(echo $line | awk -F"," '{print $2}')
       status="expired"
       days=$(echo $line | awk -F"," '{print $3}')
       echo -n $hostname >> $csv_report
       echo -n "," >> $csv_report
       echo -n $ip_address >> $csv_report
       echo -n "," >> $csv_report
       echo -n $port >> $csv_report
       echo -n "," >> $csv_report
       echo -n $expiration >> $csv_report
       echo -n "," >> $csv_report
       echo -n $status >> $csv_report
       echo -n "," >> $csv_report
       echo $days >> $csv_report
    done

    echo "      expiring list"
    cat yellow_list.sorted | while read line
    do
       hostname=$(echo $line | awk -F":" '{print $1}')
       ip_address=$(dig +noall +answer $hostname | egrep -o '(([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])')
       port=$(echo $line | awk -F":" '{print $2}' | cut -d"," -f1)
       expiration=$(echo $line | awk -F"," '{print $2}')
       status="expiring"
       days=$(echo $line | awk -F"," '{print $3}')
       echo -n $hostname >> $csv_report
       echo -n "," >> $csv_report
       echo -n $ip_address >> $csv_report
       echo -n "," >> $csv_report
       echo -n $port >> $csv_report
       echo -n "," >> $csv_report
       echo -n $expiration >> $csv_report
       echo -n "," >> $csv_report
       echo -n $status >> $csv_report
       echo -n "," >> $csv_report
       echo $days >> $csv_report
    done

    echo "      valid list"
    cat green_list.sorted | while read line
    do
       hostname=$(echo $line | awk -F":" '{print $1}')
       ip_address=$(dig +noall +answer $hostname | egrep -o '(([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])')
       port=$(echo $line | awk -F":" '{print $2}' | cut -d"," -f1)
       expiration=$(echo $line | awk -F"," '{print $2}')
       status="valid"
       days=$(echo $line | awk -F"," '{print $3}')
       echo -n $hostname >> $csv_report
       echo -n "," >> $csv_report
       echo -n $ip_address >> $csv_report
       echo -n "," >> $csv_report
       echo -n $port >> $csv_report
       echo -n "," >> $csv_report
       echo -n $expiration >> $csv_report
       echo -n "," >> $csv_report
       echo -n $status >> $csv_report
       echo -n "," >> $csv_report
       echo $days >> $csv_report
    done
}


genSearch(){
    echo "* Search results..."
    tail -n+2 $csv_report > search_list.csv
    echo "  - building js file"
    echo "      header"
    echo "var tipuesearch = {"pages": [" > search_list

    cat search_list.csv | while read search_line
    do
        title=$(echo $search_line | awk -F"," '{print $1}')
        text=$(echo $search_line | awk -F"," '{print $2}')
        port=$(echo $search_line | awk -F"," '{print $3}')
        status=$(echo $search_line | awk -F"," '{print $5}')
        echo "     {\"title\": \"${title}\", \"text\": \"Certificate on ${title} (${text}:${port}) is ${status}\", \"url\": \"${status}.html\"}," >> search_list
    done

    echo "      footer"
    echo "]};" >> search_list
    mv search_list src/js/tipuesearch/tipuesearch_content.js
}


deployReport(){
    echo "* Deploying..."
    echo "  - html support files"
    cp -R src/css src/favicon.ico src/js src/webfonts $report_path
    echo "  - csv report file"
    mv $csv_report $report_path
}


cleanUp(){
    rm -rf *_list*
    rm -rf static_file_*
    rm -rf *-ssl-report.csv
    rm -rf src/js/tipuesearch/tipuesearch_content.js
}


##### Program #####
preFlight;
cleanUp;
findHosts;
sanitizeLists;
scanHosts;
querySsl;
genReport;
genCsv;
genSearch;
deployReport;
cleanUp;
###################


exit 0