ssl-checker/README.md

# SSL Checker
#### Python script that collects SSL/TLS information from hosts



## About

It's a simple script running in python that collects SSL/TLS information then it returns the group of information in JSON. It can also connect through your specified SOCKS server.

One of the good things about this script is that it will fully analyze the SSL certificate for security issues and will include the report in the output, CSV, or a JSON file.



## Requirements

You only need to install pyOpenSSL:

`pip install pyopenssl`

or

`pip install -r requirements.txt`



## Usage

```
./ssl_checker.py -h
usage: ssl_checker.py (-H [HOSTS [HOSTS ...]] | -f HOST_FILE) [-s HOST:PORT]
                      [-c FILENAME.CSV] [-j] [-J] [-a] [-v] [-h]

Collects useful information about given host's SSL certificates.

optional arguments:
  -H [HOSTS [HOSTS ...]], --host [HOSTS [HOSTS ...]]
                        Hosts as input separated by space
  -f HOST_FILE, --host-file HOST_FILE
                        Hosts as input from file
  -s HOST:PORT, --socks HOST:PORT
                        Enable SOCKS proxy for connection
  -c FILENAME.CSV, --csv FILENAME.CSV
                        Enable CSV file export
  -j, --json            Enable JSON in the output
  -J, --json-save       Enable JSON export individually per host
  -a, --analyze         Enable SSL security analysis on the host
  -v, --verbose         Enable verbose to see what is going on
  -h, --help            Show this help message and exit
```



Port is optional here. The script will use 443 if not specified.

`-f, --host-file` File containing hostnames for input

`-H, --host ` Enter the hosts separated by space

`-s, --socks ` Enable connection through SOCKS server

`-c, --csv ` Enable CSV file export by specifying filename.csv after this argument

`-j, --json ` Use this if you want to only have the result in JSON

`-J, --json-save` Use this if you want to save as JSON file per host

`-a, --analyze` This argument will include security analyze on the certificate. Takes more time. No result means failed to analyze. 

`-v, --verbose` Shows more output. Good for troubleshooting.

`-h, --help`	Shows the help and exit



## Censored?

No problem. Pass `-s/--socks` argument to the script with `HOST:PORT` format to connect through SOCKS proxy.

```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com
+-------------------+
|Analyzing 1 host(s)|
+-------------------+

	[-] facebook.com         Failed: [Errno 111] Connection refused

+------------------------------------------------------+
| Successful: 0 | Failed: 1 | Duration: 0:00:00.710470 |
+------------------------------------------------------+

narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9050
+-------------------+
|Analyzing 1 host(s)|
+-------------------+

	[+] facebook.com

		Issued domain: *.facebook.com
		Issued by: DigiCert Inc
		Valid from: 2017-12-15
		Valid to: 2019-03-22 (334 days left)
		Validity days: 462
		Certificate S/N: 14934250041293165463321169237204988608
		Certificate version: 2
		Certificate algorithm: sha256WithRSAEncryption
		Expired: False

+------------------------------------------------------+
| Successful: 1 | Failed: 0 | Duration: 0:00:00.710470 |
+------------------------------------------------------+
```




## Example

```
narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
+---------------------+
| Analyzing 2 host(s) |
+---------------------+
	[+] time.com
	-------------
		Issued domain: time.com
		Issued to: None
		Issued by: Amazon (US)
		Valid from: 2018-11-07
		Valid to: 2019-12-07 (159 days left)
		Validity days: 395
		Certificate S/N: 10018094209647532371913518187860771165
		Certificate SHA1 FP: 64:C4:2E:AF:38:2A:28:64:A0:A8:B8:6B:02:05:86:1F:E7:F6:E5:FF
		Certificate version: 2
		Certificate algorithm: sha256WithRSAEncryption
		Expired: False
		Certificate SAN's: 
		 \_ DNS:time.com
		 \_ DNS:*.time.com


	[+] github.com
	---------------
		Issued domain: github.com
		Issued to: GitHub, Inc.
		Issued by: DigiCert Inc (US)
		Valid from: 2018-05-08
		Valid to: 2020-06-03 (338 days left)
		Validity days: 757
		Certificate S/N: 13324412563135569597699362973539517727
		Certificate SHA1 FP: CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84
		Certificate version: 2
		Certificate algorithm: sha256WithRSAEncryption
		Expired: False
		Certificate SAN's: 
		 \_ DNS:github.com
		 \_ DNS:www.github.com

+------------------------------------------------------+
| Successful: 2 | Failed: 0 | Duration: 0:00:01.429145 |
+------------------------------------------------------+
```



## Security Analyze

By passing `-a/--analyze` to the script, it will scan the certificate for security issues and vulnerabilities. It will also mark a grade for the certificate. **This will take more time to finish.**

```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H  narbeh.org:443 -a
+---------------------+
| Analyzing 1 host(s) |
+---------------------+

Warning: -a/--analyze is enabled. It takes more time...

	[+] narbeh.org

		Issued domain: narbeh.org
		Issued to: None
		Issued by: Let's Encrypt (US)
		Valid from: 2018-04-21
		Valid to: 2018-07-20 (88 days left)
		Validity days: 90
		Certificate S/N: 338163108483756707389368573553026254634358
		Certificate version: 2
		Certificate algorithm: sha256WithRSAEncryption
		Certificate grade: A
		Poodle vulnerability: False
		Heartbleed vulnerability: False
		Hearbeat vulnerability: True
		Freak vulnerability: False
		Logjam vulnerability: False
		Drown vulnerability: False
		Expired: False

+------------------------------------------------------+
| Successful: 1 | Failed: 0 | Duration: 0:00:01.429145 |
+------------------------------------------------------+
```



## JSON And CSV Output

Example only with the `-j/--json` argument which shows the JSON only. Perfect for piping to another tool.

```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -j -H  narbeh.org:443 test.com
{"narbeh.org": {"issued_to": "narbeh.org", "cert_sans": "DNS:narbeh.org", "valid_till": "2019-12-26", "valid_from": "2019-09-27", "issuer_ou": null, "days_left": 25, "cert_ver": 2, "tcp_port": 443, "cert_alg": "sha256WithRSAEncryption", "issued_o": null, "cert_exp": false, "cert_sha1": "05:52:4E:89:1E:98:1D:40:C1:41:F4:DD:F7:51:86:20:27:CF:E7:7F", "issuer_c": "US", "issuer_cn": "Let's Encrypt Authority X3", "issuer_o": "Let's Encrypt", "validity_days": 90, "cert_sn": 293690843427182569577385918507679703674563}}
```



CSV export is also easy. After running the script with `-c/--csv` argument and specifying `filename.csv` after it, you'll have something like this:

```
narbeh@narbeh-xps:~/ssl-checker$ cat domain.csv 
narbeh.org
issued_to,narbeh.org
valid_till,2018-07-20
valid_from,2018-04-21
issuer_ou,None
cert_ver,2
cert_alg,sha256WithRSAEncryption
cert_exp,False
issuer_c,US
issuer_cn,Let's Encrypt Authority X3
issuer_o,Let's Encrypt
validity_days,90
cert_sn,338163108483756707389368573553026254634358
```



# Docker

If you want to run this script via docker, simply do create your image and run once:

```
$ docker build -t ssl-checker .
$ docker run -it --rm ssl-checker -H twitter.com
```



## Todo

- Enable timeout for connections and handshakes
- HTML export ability
- Make print_status cleaner and smarter



### Author

Narbeh Arakil
https://narbeh.org