0 purchases
badkeys 0.0.11
badkeys
Tool and library to check cryptographic public keys for known vulnerabilities
what?
badkeys checks public keys in various formats for known vulnerabilities. A web version
can be found at badkeys.info.
install
badkeys can be installed via pip:
pip3 install badkeys
Alternatively, you can call ./badkeys-cli directly from the git repository.
usage
Before using badkeys, you need to download the blocklist data:
badkeys --update-bl
After that, you can call badkeys and pass files with cryptographic public keys as the
parameter:
badkeys test.crt my.key
It will automatically try to detect the file format. Supported are public and private
keys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing
requests (CSRs) and SSH public keys. You can find some test keys in the tests/data
directory.
By default, badkeys will only output information about vulnerable keys, meaning no
output will be generated if no vulnerabilities are found. The -a parameter creates
output for all keys.
scanning
badkeys can scan SSH and TLS hosts and automatically check their public keys. This can
be enabled with the parameters -s (SSH) and -t (TLS). By default, SSH will be
scanned on port 22 and TLS will be scanned on several ports for common protocols
(https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is
commonly used as a non-standard https port).
Alternative ports can be configured with --tls-ports and --ssh-ports.
TLS and SSH scanning can be combined:
badkeys -ts example.org
Note that the scanning modes have limitations. It is often more desirable to use other
tools to collect TLS/SSH keys and scan them locally with badkeys.
SSH scanning needs paramiko as an additional dependency.
TLS scanning can't detect multiple certificates on one host (e.g. ECDSA and RSA). This
is a limitation of Python's ssl.get_server_certificate() function.
Python module and API
badkeys can also be used as a Python module. However, currently the software is in beta
state and the API may change regularly.
about
badkeys was written by Hanno Böck.
This work was initially funded in 2022 by Industriens Fond through the CIDI project
(Cybersecure IOT in Danish Industry) and the Center for Information Security and Trust
(CISAT) at the IT University of Copenhagen, Denmark.
For personal and professional use. You cannot resell or redistribute these repositories in their original state.
There are no reviews.