Project author: NeuronAddict

Project description:
Keycloak security scanner
Language: Python
Project URL: git://github.com/NeuronAddict/keycloak-scanner.git
Created: 2020-01-27T14:43:50Z
Project community: https://github.com/NeuronAddict/keycloak-scanner

License: Apache License 2.0

keycloak-scanner

Introduction

This scanner scans Keycloak for known vulnerabilities.

Installation

  pip install --upgrade keycloak-scanner

Example

  $ git clone https://github.com/NeuronAddict/keycloak-scanner
  $ cd keycloak-scanner
  $ docker-compose -f itests/docker-compose.yml up -d
  $ python3 itests/wait-docker-compose.py # just wait for keycloak to load # you may need 'pip install waiting'
  python3 itests/wait-docker-compose.py
  ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
  ...
  HTTPConnectionPool(host='localhost', port=8080): Read timed out. (read timeout=1)
  HTTPConnectionPool(host='localhost', port=8080): Read timed out. (read timeout=1)
  Keycloak seems to be loaded
  $ keycloak-scanner http://localhost:8080 --realms master --clients account --username admin --password Pa55w0rd
  $ # http://localhost:8080 # url to test
  $ #--realms master # realms to scan; check that each realm exists and use it for further scans
  $ #--clients account # clients to scan; check that each client exists and use it for further scans
  $ #--username admin # add a username to test the auth process
  $ #--password Pa55w0rd # password to test a password auth
  [INFO] Start scanner RealmScanner...
  [INFO] Find realm master (http://localhost:8080/auth/realms/master)
  [INFO] Public key for realm master : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyF7ytt1AcJaN67GkLKNrPL6ljoTyYMzMFZ/fXmEJw52yvAXCqE2qFM4MH+fRDfzYcougyOIwNHbDqfAmKzKpeYGi+4JSaSmDGpZVuz2aDkncyXh6uA4IanjBai7IhEeWDY6HCcLxkd/ppfNclmfOrEGJGbFoz+QCFiNbWzSr0mAo1S3WmgC13297nK5iunR+eJSqCbg3FXn+8RZcwhNHhKSGV75G4ZnBDLcBcaEUflBWshv2gAErZktT0tdEtXNRpv4vAvp0yEvAKSPVOESpnZW7PFNtBPI/+GlaAWxEC9V58qzhiRTJ+MU3fzwcBMRz4DmptdSN6bDLvkPr5eS9JQIDAQAB
  [INFO] Start scanner WellKnownScanner...
  [INFO] Find a well known for realm Realm('master', 'http://localhost:8080/auth/realms/master', {'realm': 'master', 'public_key': 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyF7ytt1AcJaN67GkLKNrPL6ljoTyYMzMFZ/fXmEJw52yvAXCqE2qFM4MH+fRDfzYcougyOIwNHbDqfAmKzKpeYGi+4JSaSmDGpZVuz2aDkncyXh6uA4IanjBai7IhEeWDY6HCcLxkd/ppfNclmfOrEGJGbFoz+QCFiNbWzSr0mAo1S3WmgC13297nK5iunR+eJSqCbg3FXn+8RZcwhNHhKSGV75G4ZnBDLcBcaEUflBWshv2gAErZktT0tdEtXNRpv4vAvp0yEvAKSPVOESpnZW7PFNtBPI/+GlaAWxEC9V58qzhiRTJ+MU3fzwcBMRz4DmptdSN6bDLvkPr5eS9JQIDAQAB', 'token-service': 'http://localhost:8080/auth/realms/master/protocol/openid-connect', 'account-service': 'http://localhost:8080/auth/realms/master/account', 'tokens-not-before': 0}) http://localhost:8080/auth/realms/master/.well-known/openid-configuration
  [INFO] Start scanner ClientScanner...
  [INFO] Find a client for realm master: account
  [INFO] Start scanner LoginScanner...
  [+] LoginScanner - Form login work for admin on realm master, client account, (http://localhost:8080/auth/realms/master/account?session_state=4c152780-3980-439c-8e9d-15139ee19afa&code=2f821574-34e0-4917-8b00-c87c6fd302b0.4c152780-3980-439c-8e9d-15139ee19afa.3e118dc6-4780-42cf-90e7-abd81c1e7046)
  [+] LoginScanner - Form login work for admin on realm master, client account, (http://localhost:8080/auth/realms/master/account?session_state=14a6cbcc-1b76-4b52-aa27-982a06b8c2a1&code=656fc3c9-3ea6-44af-9037-85288f471ab7.14a6cbcc-1b76-4b52-aa27-982a06b8c2a1.3e118dc6-4780-42cf-90e7-abd81c1e7046)
  [INFO] Start scanner SecurityConsoleScanner...
  [WARN] Result of SecurityConsoleScanner as no results (void list), subsequent scans can be void too.
  [INFO] Start scanner OpenRedirectScanner...
  [INFO] Start scanner FormPostXssScanner...
  [INFO] Start scanner NoneSignScanner...

Scan types:

  • realm : check whether a realm exists
  • client : check whether a client exists in each realm
  • well_known : fetch the well-known OpenID configuration for each realm
  • login : test login against every client / realm pair
  • client registration : try to add a new client (WARNING: the test client is deleted after the test; if it is not, be sure to delete it manually)
  • OpenRedirect : check whether the authorization flow can be abused via an open redirect (unvalidated redirect_uri)
  • form post : check for CVE-2018-14655 (reflected XSS)
  • none sign : check whether the none signing algorithm (alg: none) is accepted for tokens
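To make the "none sign" check concrete, the following added example (not code from keycloak-scanner) shows what such a test sends and why it matters: a captured token is rewritten with alg set to none and an empty signature, with a claim tampered, and then handed to two verifiers. The issuer, key and claim names are constructed for the demo; HS256 is used only so the example runs with the standard library, and the naive verifier stands in for any token consumer that reads the algorithm from the token instead of pinning it.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; stands in for the issuer's signing key (assumption).
DEMO_KEY = b"demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def decode_header(token: str) -> dict:
    """Return the (unverified) JOSE header of a compact JWT."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def issue_hs256_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a properly signed token; plays the role of a captured refresh token."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_none_token(token: str, overrides: dict) -> str:
    """Rewrite a token as alg=none with tampered claims and an empty signature.

    This is the shape of token a 'none sign' check presents to the issuer: if the
    server accepts it, signature verification is effectively disabled and any
    claim (username, roles, expiry) can be chosen by the attacker.
    """
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    header["alg"] = "none"
    claims.update(overrides)
    return f"{_json_segment(header)}.{_json_segment(claims)}."


def verify_strict(token: str, key: bytes = DEMO_KEY) -> dict:
    """Hardened verifier: the accepted algorithm is pinned, never read from the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_naive(token: str, key: bytes = DEMO_KEY) -> dict:
    """Vulnerable verifier: trusts the 'alg' header, so alg=none skips the check."""
    header = decode_header(token)
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(token.split(".")[1]))  # unsigned token accepted
    return verify_strict(token, key)


def is_accepted(verify, token: str, key: bytes = DEMO_KEY) -> bool:
    """True when `verify` accepts `token` without raising."""
    try:
        verify(token, key)
    except ValueError:
        return False
    return True


def accepts_none_alg(verify, token: str, key: bytes = DEMO_KEY) -> bool:
    """The scanner-style probe: does `verify` accept an alg=none forgery of `token`?"""
    return is_accepted(verify, forge_none_token(token, {"preferred_username": "admin"}), key)


if __name__ == "__main__":
    token = issue_hs256_token({"typ": "Refresh", "preferred_username": "alice"})
    print("naive verifier accepts alg=none :", accepts_none_alg(verify_naive, token))
    print("strict verifier accepts alg=none:", accepts_none_alg(verify_strict, token))
```

The point of the probe is the asymmetry between the two verifiers: both accept the genuine token, but only the one that pins the algorithm rejects the forgery. A real check runs the same forged token through the issuer's token endpoint (the help text's "None alg in refresh token") and treats any success as a finding.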

Help

  $ keycloak-scanner --help
  usage: keycloak-scanner [-h] --realms REALMS --clients CLIENTS [--proxy PROXY]
                          [--username USERNAME] [--password PASSWORD]
                          [--ssl-noverify] [--verbose] [--no-fail] [--fail-fast]
                          [--version]
                          (--registration-callback REGISTRATION_CALLBACK | --registration-callback-list REGISTRATION_CALLBACK_LIST)
                          base_url

  KeyCloak vulnerabilities scanner.

  positional arguments:
    base_url              URL to scan. ex http://localhost:8080

  optional arguments:
    -h, --help            show this help message and exit
    --realms REALMS       Comma separated list of custom realms to test. ie :
                          master
    --clients CLIENTS     Comma separated list of custom clients to test. On
                          default installation, use account,admin-
                          cli,broker,realm-management,security-admin-console
    --proxy PROXY         Use a great proxy like BURP ;)
    --username USERNAME   If a username is specified, try to connect and attack
                          a token. If no password, try username as password.
    --password PASSWORD   password to test with username
    --ssl-noverify        Do not verify ssl certificates
    --verbose             Verbose mode
    --no-fail             Always exit with code 0 (by default, fail with an exit
                          code 4 if a vulnerability is discovered or 8 if an
                          error occur). Do NOT fail before all test are done.
    --fail-fast           Fail immediately if an error occur.
    --version             show program's version number and exit
    --registration-callback REGISTRATION_CALLBACK
                          Callback url to use on client registration test
    --registration-callback-list REGISTRATION_CALLBACK_LIST
                          File with one callback to test for registration by
                          line

  Scans :
  - list realms
  - Search well-known files
  - Search for clients
  - Search for valid logins
  - Try client registration
  - Search for security-admin-console and secret inside
  - Search for open redirect via unvalidated redirect_uri
  - Search for CVE-2018-14655 (reflected XSS)
  - None alg in refresh token

  Bugs, feature requests, request another scan, questions : https://github.com/NeuronAddict/keycloak-scanner.

  *** Use it on production systems at your own risk ***

Install with source code

With venv:

  cd keycloak-scanner
  python3 -m venv venv
  source venv/bin/activate
  pip install -e . # with -e, git pull will update the installed code
  keycloak-scanner

Or without venv:

  cd keycloak-scanner
  sudo pip3 install . # use sudo to install for all users
  keycloak-scanner

TODO

  • password dictionary support
  • Scanner details via command line