OpenSSL on 64 bit Windows with ChaCha and Poly1305 support

Note: see for the latest binary. The version below is obsoleted by newer builds

The main development branch of OpenSSL doesn't have support yet for the (relatively new) ChaCha 20 and Poly1305 ciphers. These can be found however on the 1.0.2-aead branch.

By slightly modifying some makefiles the source can be compiled for 64-bit Windows using mingw64 and msys.

Please find a binary build from a 27-05-2014 snapshot of the source code (1.0.2-aead branch) with assembly code enabled (imported from the 1.0.2 stable branch), and a lot of insecure, new and experimental ciphers enabled. I added the GOST engine gosteay32.dll as well.

The source code for this build can be found at

Build commands:

  • Configure mingw64 shared experimental-jpake enable-md2 enable-rc5 enable-rfc3779 enable-ssl-trace enable-ec_nistp_64_gcc_128 enable-static-engine --openssldir=c:/tools
  • make depend
  • make util/libeay.num
  • make util/ssleay.num
  • make
  • make test

Enabled ciphers:

  • DH-DSS-AES256-GCM-SHA384
  • DH-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-DSS-AES256-SHA256
  • DH-RSA-AES256-SHA256
  • DH-DSS-AES256-SHA256
  • GOST2001-GOST89-GOST89
  • GOST94-GOST89-GOST89
  • ADH-AES256-GCM-SHA384
  • ADH-AES256-SHA256
  • ADH-AES256-SHA
  • ECDH-RSA-AES256-SHA384
more ...

test_bn fails for OpenSSL on Windows

Compiling OpenSSL on Windows using MSYS and mingw64 is pretty straightforward. However, one of the tests (test_bn) to verify OpenSSL fails: The temporary file that test_bncreates contains Windows newline characters (\r\n) instead of the Unix type newline charater (\n).

The original regular expression checks for a zero (0) at the beginning of a line, and a newline character (\n).


A change to the regular expression that test_bn uses fixes this problem, and can be used on Unix as well as Windows environments. This makes the Makefile more cross-platform friendly. The modified regular expression checks for a zero (0) at the beginning of a line, an optional Windows newline character (\r) and a newline character (\n).


md5sum: 1032dff7f957c4d1cdfa96af305c152b
Here's the patchfile (can be applied in the source directory using patch -Np1)
--- openssl-1.0.1g/test/Makefile 2014-04-07 16:55:44 +0000 +++ patched/test/Makefile 2014-05-06 00:07:20 +0000 @@ -227,7 +227,7 @@ @../util/ ./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' + @) {if (/^test (.*)/) {print STDERR "\nverify …
more ...


If you're like me, you don't want to spend your precious memory on remembering awkward command line parameters. However, lots of tools require exactly that: awkward command line parameters.

To simplify scanning of hosts for network vulnerabilities I wrote a simple wrapper script around several open source security tools. The script lets you analyze one or several hosts for common misconfiguration vulnerabilities and weaknesses.
My main objective in writing the script was to make it as easy as possible to perform generic security tests, without any heavy prerequisites, make the script as informative as possible, and make use of open source tools.

Note that the latest version is the Python version - please use that one.

How to install

Clone the git archive using the command

git clone


Linux, and nmap


  • curl
    for fingerprinting and to test for TRACE
  • dig
    to test for recursive DNS servers
  • git
    to update the script
  • nikto
    for webscanning
    to check the SSL configuration


Oh irony - the command line parameters for the tool:

usage: [OPTION]... [HOST]

Scanning options:
 -a, --all perform all basic scans
 --max perform all advanced scans (more thorough)
 -b, --basic …
more ...

securing AMFPHP

I regulary run into Flash applications when I perform a web application penetration test. One of the most widely used server frameworks for communicating with a Flash object is AMFPHP.

Unfortunately the default installation of AMFPHP is insecure. A system administrator or developer actively has to secure the installation, which is often forgotten.

There are some tips lying around the Internet how to secure an AMFPHP installation. The summary:
In the root of your AMFPHP deployment,
  • delete the DiscoveryService.php file
  • Delete the browser folder and its contents
  • Edit gateway.php and set the PRODUCTION_SERVER property to true

Of course it's at least as important to write secure code, harden your server and implement proper patch and maintenance procedures.

more ...

unsafe HTTP methods

Vulnerability name: Unsafe HTTP methods

  • Web server HTTP Trace/Track method support
  • Cross-site tracing vulnerability
  • Dangerous HTTP methods
Although this is a server configuration issue, the client is at risk here
Disable TRACE and/or TRACK and/or DEBUG methods


Using curl , one can employ one of the methods by hand:

curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'

Vulnerable when: the result is 200

One should expect (not vulnerable) 405 (Method Not Allowed) or 501 (Not Implemented) results.

This executes the TRACE method against $TARGET , and prints out the HTTP status code using awk . The -I parameter fetches the head only, -s stands for silent mode, and -X specifies the method.

The easiest way to test whether a server is vulnerable is by using the script [1].

This script uses curl as well as nmap to perform multiple tests. --trace


When an OPTIONS method is issued, the webserver should return the supported methods. Some web servers have a habit of replying with methods that are in fact not supported - which does not combine nicely with inferior security scanners (and pentesters, I might add) that relying …

more ...