Skip to content

badkeys/badkeys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

175 Commits

.github/workflows

.github/workflows

 
 

badkeys

badkeys

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

badkeys-cli

badkeys-cli

 
 

pyproject.toml

pyproject.toml

 
 

requirements.txt

requirements.txt

 
 

runci.sh

runci.sh

 
 

Repository files navigation

badkeys

Tool and library to check cryptographic public keys for known vulnerabilities

what?

badkeys checks public keys in a variety of formats for known vulnerabilities. A web version can be found at badkeys.info.

install

badkeys can be installed via pip:

pip3 install badkeys

Alternatively you can call ./badkeys-cli directly from the git repository.

usage

Before using badkeys you need to download the blocklist data:

badkeys --update-bl

After that you can call badkeys and pass files with cryptographic public keys as the parameter:

badkeys test.crt my.key

It will automatically try to detect the file format. Supported are public and private keys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing requests (CSRs) and SSH public keys. You can find some test keys in the tests/data directory.

By default badkeys will only output information about vulnerable keys, meaning there will be no output if no vulnerabilities are found. The -a parameter creates output for all keys.

scanning

badkeys can directly scan SSH and TLS hosts and automatically check their public keys. This can be enabled with the parameters -s (for SSH) and -t (for TLS). By default SSH will be scanned on port 22 and TLS will be scanned on several ports for common protocols (https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is commonly used as a non-standard https port).

Alternative ports can be configured with --tls-ports and --ssh-ports.

TLS and SSH scanning can be combined:

badkeys -ts example.org

Note that the scanning modes have limitations. It is often more desirable to use other tools to collect TLS/SSH keys and scan them locally with badkeys.

SSH scanning needs paramiko as an additional dependency.

TLS scanning can't detect multiple certificates on one host (e.g. ECDSA and RSA). This is a limitation of Python's ssl.get_server_certificate() function.

Python module and API

badkeys can also be used as a Python module. However currently the software is in alpha state and the API may change regularly.

about

badkeys was written by Hanno Böck.

This work was originally funded in 2022 by Industriens Fond through the CIDI project (Cybersecure IOT in Danish Industry) and the Center for Information Security and Trust (CISAT) at the IT University of Copenhagen, Denmark.

About

Tool to find common vulnerabilities in cryptographic public keys

badkeys.info/

Topics

security cryptography rsa publickey

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

154 stars

Watchers

6 watching

Forks

14 forks
Report repository

Releases 1

0.0.7 Latest
Apr 20, 2024

Packages

No packages published

Languages