2018-04-18 09:48:19 +04:30
# SSL Checker
2020-05-11 17:03:38 +04:00
#### Python script that collects SSL/TLS information from hosts
2018-04-18 09:48:19 +04:30
2020-05-24 02:16:55 +04:00
2018-04-18 16:32:41 +04:30
## About
2018-04-18 09:48:19 +04:30
2020-05-22 11:56:27 +04:00
It's a simple script running in python that collects SSL/TLS information then it returns the group of information in JSON. It can also connect through your specified SOCKS server.
2018-04-18 09:48:19 +04:30
2020-05-22 11:56:27 +04:00
One of the good things about this script is that it will fully analyze the SSL certificate for security issues and will include the report in the output, CSV, or a JSON file.
2018-04-22 14:44:04 +04:30
2020-05-24 02:16:55 +04:00
2018-04-18 16:32:41 +04:30
## Requirements
2020-05-11 17:03:38 +04:00
You only need to install pyOpenSSL:
2018-04-18 16:32:41 +04:30
`pip install pyopenssl`
2019-06-30 18:14:24 +04:30
or
`pip install -r requirements.txt`
2020-05-24 02:16:55 +04:00
2018-04-18 16:32:41 +04:30
## Usage
2018-04-18 09:48:19 +04:30
2018-04-21 09:39:24 +04:30
```
2018-04-19 14:35:50 +04:30
./ssl_checker.py -h
2020-05-11 17:03:38 +04:00
usage: ssl_checker.py (-H [HOSTS [HOSTS ...]] | -f HOST_FILE) [-s HOST:PORT]
2020-07-19 16:04:59 +04:30
[-c FILENAME.CSV] [-j] [-S] [-J] [-a] [-v] [-h]
2018-04-22 14:44:04 +04:30
Collects useful information about given host's SSL certificates.
2018-04-19 14:35:50 +04:30
optional arguments:
-H [HOSTS [HOSTS ...]], --host [HOSTS [HOSTS ...]]
Hosts as input separated by space
2018-09-18 12:45:24 -04:00
-f HOST_FILE, --host-file HOST_FILE
Hosts as input from file
2018-04-21 16:05:41 +04:30
-s HOST:PORT, --socks HOST:PORT
Enable SOCKS proxy for connection
2018-04-21 17:29:52 +04:30
-c FILENAME.CSV, --csv FILENAME.CSV
Enable CSV file export
2018-04-22 14:44:04 +04:30
-j, --json Enable JSON in the output
2020-07-19 16:04:59 +04:30
-S, --summary Enable summary output only
2020-05-11 17:03:38 +04:00
-J, --json-save Enable JSON export individually per host
-a, --analyze Enable SSL security analysis on the host
2020-06-23 19:17:11 +04:30
-v, --verbose Enable verbose to see what is going on
2018-04-19 14:35:50 +04:30
-h, --help Show this help message and exit
```
2018-04-18 09:59:32 +04:30
Port is optional here. The script will use 443 if not specified.
2018-04-18 09:48:19 +04:30
2018-09-18 12:45:24 -04:00
`-f, --host-file` File containing hostnames for input
2018-04-21 17:38:40 +04:30
`-H, --host ` Enter the hosts separated by space
2018-04-19 21:11:32 +04:30
2018-04-21 17:38:40 +04:30
`-s, --socks ` Enable connection through SOCKS server
2018-04-21 16:05:41 +04:30
2018-04-22 14:44:04 +04:30
`-c, --csv ` Enable CSV file export by specifying filename.csv after this argument
2018-04-21 17:38:40 +04:30
`-j, --json ` Use this if you want to only have the result in JSON
2018-04-21 17:29:52 +04:30
2020-07-19 16:04:59 +04:30
`-S, --summary ` This argument will show quick summary in the output
2020-05-11 17:03:38 +04:00
`-J, --json-save` Use this if you want to save as JSON file per host
2019-06-30 17:32:02 +04:30
`-a, --analyze` This argument will include security analyze on the certificate. Takes more time. No result means failed to analyze.
2018-04-21 17:29:52 +04:30
2020-06-23 19:17:11 +04:30
`-v, --verbose` Shows more output. Good for troubleshooting.
2018-04-21 17:38:40 +04:30
`-h, --help` Shows the help and exit
2018-04-19 14:35:50 +04:30
2020-05-24 02:16:55 +04:00
2018-04-18 16:32:41 +04:30
## Example
2018-04-18 09:48:19 +04:30
2018-04-21 09:39:24 +04:30
```
2019-06-30 17:28:25 +04:30
narbeh@narbeh -laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
+---------------------+
| Analyzing 2 host(s) |
+---------------------+
[+] time.com
-------------
Issued domain: time.com
2018-04-22 14:44:04 +04:30
Issued to: None
2019-06-30 17:28:25 +04:30
Issued by: Amazon (US)
2020-07-19 16:04:59 +04:30
Valid from: 2019-09-06
Valid to: 2020-10-06 (78 days left)
Validity days: 396
Certificate valid: True
Certificate S/N: 20641318859548253362475798736742284477
Certificate SHA1 FP: D5:CE:1B:77:AB:59:C9:BE:37:58:0F:5D:73:97:64:98:C4:3E:43:30
2018-04-21 14:11:41 +04:30
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Expired: False
2019-06-30 17:28:25 +04:30
Certificate SAN's:
\_ DNS:time.com
\_ DNS:*.time.com
[+] github.com
---------------
Issued domain: github.com
Issued to: GitHub, Inc.
Issued by: DigiCert Inc (US)
2020-07-19 16:04:59 +04:30
Valid from: 2020-05-05
Valid to: 2022-05-10 (659 days left)
Validity days: 735
Certificate valid: True
Certificate S/N: 7101927171473588541993819712332065657
Certificate SHA1 FP: 5F:3F:7A:C2:56:9F:50:A4:66:76:47:C6:A1:8C:A0:07:AA:ED:BB:8E
2018-04-21 14:11:41 +04:30
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Expired: False
2019-06-30 17:28:25 +04:30
Certificate SAN's:
\_ DNS:github.com
\_ DNS:www.github.com
2018-04-19 11:28:07 +04:30
2020-07-19 16:04:59 +04:30
+-------------------------------------------------------------------------------------------+
| Successful: 2 | Failed: 0 | Valid: 2 | Warning: 0 | Expired: 0 | Duration: 0:00:07.694433 |
+-------------------------------------------------------------------------------------------+
```
2020-07-20 18:03:14 +04:30
NOTE: Keep in mind that if the certificate has less than 15 days validity, the script will consider it as a warning in the summary.
2020-07-19 16:04:59 +04:30
## Censored?
No problem. Pass `-s/--socks` argument to the script with `HOST:PORT` format to connect through SOCKS proxy.
```
narbeh@narbeh -xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com
+-------------------+
|Analyzing 1 host(s)|
+-------------------+
[-] facebook.com Failed: [Errno 111] Connection refused
+-------------------------------------------------------------------------------------------+
| Successful: 0 | Failed: 1 | Valid: 0 | Warning: 0 | Expired: 0 | Duration: 0:00:04.109058 |
+-------------------------------------------------------------------------------------------+
narbeh@narbeh -xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9050
+---------------------+
| Analyzing 1 host(s) |
+---------------------+
[+] facebook.com
-----------------
Issued domain: *.facebook.com
Issued to: Facebook, Inc.
Issued by: DigiCert Inc (US)
Valid from: 2020-05-14
Valid to: 2020-08-05 (16 days left)
Validity days: 83
Certificate valid: True
Certificate S/N: 19351530099991824979726880175805235719
Certificate SHA1 FP: 89:7F:54:63:61:34:2F:7E:B4:B5:68:E2:92:79:D2:98:B4:97:D8:EA
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Expired: False
Certificate SAN's:
\_ DNS:*.facebook.com
\_ DNS:*.facebook.net
\_ DNS:*.fbcdn.net
\_ DNS:*.fbsbx.com
\_ DNS:*.messenger.com
\_ DNS:facebook.com
\_ DNS:messenger.com
\_ DNS:*.m.facebook.com
\_ DNS:*.xx.fbcdn.net
\_ DNS:*.xy.fbcdn.net
\_ DNS:*.xz.fbcdn.net
+-------------------------------------------------------------------------------------------+
| Successful: 1 | Failed: 0 | Valid: 1 | Warning: 0 | Expired: 0 | Duration: 0:00:00.416188 |
+-------------------------------------------------------------------------------------------+
```
## Quick Summary
Sometimes you need to run the script and get the quick summary of the hosts. By passing `-S/--summary` you will get the quick overview of the result.
```
narbeh@narbeh -xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 test.com twitter.com -S
+-------------------------------------------------------------------------------------------+
| Successful: 3 | Failed: 0 | Valid: 3 | Warning: 0 | Expired: 0 | Duration: 0:00:01.958670 |
+-------------------------------------------------------------------------------------------+
2018-04-22 14:44:04 +04:30
```
## Security Analyze
By passing `-a/--analyze` to the script, it will scan the certificate for security issues and vulnerabilities. It will also mark a grade for the certificate. **This will take more time to finish.**
2018-04-19 14:35:50 +04:30
```
2020-07-19 16:04:59 +04:30
narbeh@narbeh -xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 -a
2019-06-30 17:28:25 +04:30
+---------------------+
| Analyzing 1 host(s) |
+---------------------+
2018-04-22 14:44:04 +04:30
Warning: -a/--analyze is enabled. It takes more time...
2018-04-19 14:35:50 +04:30
2018-04-22 14:44:04 +04:30
[+] narbeh.org
Issued domain: narbeh.org
Issued to: None
Issued by: Let's Encrypt (US)
Valid from: 2018-04-21
Valid to: 2018-07-20 (88 days left)
Validity days: 90
Certificate S/N: 338163108483756707389368573553026254634358
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Certificate grade: A
Poodle vulnerability: False
Heartbleed vulnerability: False
Hearbeat vulnerability: True
Freak vulnerability: False
Logjam vulnerability: False
Drown vulnerability: False
Expired: False
2019-06-30 17:28:25 +04:30
+------------------------------------------------------+
| Successful: 1 | Failed: 0 | Duration: 0:00:01.429145 |
+------------------------------------------------------+
2018-04-22 14:44:04 +04:30
```
2018-04-23 09:52:33 +04:30
## JSON And CSV Output
2018-04-19 14:35:50 +04:30
2019-12-01 00:05:23 +04:00
Example only with the `-j/--json` argument which shows the JSON only. Perfect for piping to another tool.
2018-04-19 14:35:50 +04:30
2018-04-21 09:39:24 +04:30
```
2020-07-19 16:04:59 +04:30
narbeh@narbeh -xps:~/ssl-checker$ ./ssl_checker.py -j -H narbeh.org:443
{"narbeh.org": {"host": "narbeh.org", "issued_to": "sni.cloudflaressl.com", "issued_o": "Cloudflare, Inc.", "issuer_c": "US", "issuer_o": "CloudFlare, Inc.", "issuer_ou": null, "issuer_cn": "CloudFlare Inc ECC CA-2", "cert_sn": "20958932659753030511717961095784314907", "cert_sha1": "FC:2D:0E:FD:DE:C0:98:7D:23:D2:E7:14:4C:07:6A:3D:25:25:49:B6", "cert_alg": "ecdsa-with-SHA256", "cert_ver": 2, "cert_sans": "DNS:sni.cloudflaressl.com; DNS:narbeh.org; DNS:*.narbeh.org", "cert_exp": false, "cert_valid": true, "valid_from": "2020-04-02", "valid_till": "2020-10-09", "validity_days": 190, "days_left": 81, "valid_days_to_expire": 81, "tcp_port": 443}}
2018-04-19 21:11:32 +04:30
```
2018-04-21 17:29:52 +04:30
CSV export is also easy. After running the script with `-c/--csv` argument and specifying `filename.csv` after it, you'll have something like this:
```
narbeh@narbeh -xps:~/ssl-checker$ cat domain.csv
narbeh.org
issued_to,narbeh.org
valid_till,2018-07-20
valid_from,2018-04-21
issuer_ou,None
cert_ver,2
cert_alg,sha256WithRSAEncryption
cert_exp,False
issuer_c,US
issuer_cn,Let's Encrypt Authority X3
issuer_o,Let's Encrypt
validity_days,90
cert_sn,338163108483756707389368573553026254634358
2020-05-24 02:16:55 +04:00
```
2020-07-19 16:04:59 +04:30
Finally, if you want to export JSON's output per host in a separated file, use `-J/--json-save` . This will export JSON's output per host.
# As a Python Module
Simply import the `ssl_checker.py` into your python script and use it as a module.
```
from ssl_checker import SSLChecker
SSLCheckerObject = SSLChecker()
```
2020-05-24 02:16:55 +04:00
# Docker
If you want to run this script via docker, simply do create your image and run once:
2018-04-21 17:29:52 +04:30
```
2020-05-24 02:16:55 +04:00
$ docker build -t ssl-checker .
$ docker run -it --rm ssl-checker -H twitter.com
```
2018-04-21 17:29:52 +04:30
2018-04-23 10:39:03 +04:30
## Todo
- Enable timeout for connections and handshakes
- HTML export ability
2019-06-29 00:45:33 +04:30
- Make print_status cleaner and smarter
2018-04-23 10:39:03 +04:30
2020-05-24 02:16:55 +04:00
2018-04-22 14:44:04 +04:30
### Author
Narbeh Arakil
2020-06-23 19:17:11 +04:30
https://narbeh.org
