From d5ea5cca89151f4ae9040b4079a61480a767217d Mon Sep 17 00:00:00 2001 From: Narbeh Arakil Date: Sun, 19 Jul 2020 16:04:59 +0430 Subject: [PATCH] Refactor and Update README.md --- README.md | 164 +++++++++++++++++++++++++++++++------------------ ssl_checker.py | 4 +- 2 files changed, 106 insertions(+), 62 deletions(-) diff --git a/README.md b/README.md index aa1ad2f..546a162 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ or ``` ./ssl_checker.py -h usage: ssl_checker.py (-H [HOSTS [HOSTS ...]] | -f HOST_FILE) [-s HOST:PORT] - [-c FILENAME.CSV] [-j] [-J] [-a] [-v] [-h] + [-c FILENAME.CSV] [-j] [-S] [-J] [-a] [-v] [-h] Collects useful information about given host's SSL certificates. @@ -42,6 +42,7 @@ optional arguments: -c FILENAME.CSV, --csv FILENAME.CSV Enable CSV file export -j, --json Enable JSON in the output + -S, --summary Enable summary output only -J, --json-save Enable JSON export individually per host -a, --analyze Enable SSL security analysis on the host -v, --verbose Enable verbose to see what is going on @@ -62,6 +63,8 @@ Port is optional here. The script will use 443 if not specified. `-j, --json ` Use this if you want to only have the result in JSON +`-S, --summary ` This argument will show quick summary in the output + `-J, --json-save` Use this if you want to save as JSON file per host `-a, --analyze` This argument will include security analyze on the certificate. Takes more time. No result means failed to analyze. @@ -72,47 +75,6 @@ Port is optional here. The script will use 443 if not specified. -## Censored? - -No problem. Pass `-s/--socks` argument to the script with `HOST:PORT` format to connect through SOCKS proxy. - -``` -narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -+-------------------+ -|Analyzing 1 host(s)| -+-------------------+ - - [-] facebook.com Failed: [Errno 111] Connection refused - -+------------------------------------------------------+ -| Successful: 0 | Failed: 1 | Duration: 0:00:00.710470 | -+------------------------------------------------------+ - -narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9050 -+-------------------+ -|Analyzing 1 host(s)| -+-------------------+ - - [+] facebook.com - - Issued domain: *.facebook.com - Issued by: DigiCert Inc - Valid from: 2017-12-15 - Valid to: 2019-03-22 (334 days left) - Validity days: 462 - Certificate S/N: 14934250041293165463321169237204988608 - Certificate version: 2 - Certificate algorithm: sha256WithRSAEncryption - Expired: False - -+------------------------------------------------------+ -| Successful: 1 | Failed: 0 | Duration: 0:00:00.710470 | -+------------------------------------------------------+ -``` - - - - ## Example ``` @@ -125,11 +87,12 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443 Issued domain: time.com Issued to: None Issued by: Amazon (US) - Valid from: 2018-11-07 - Valid to: 2019-12-07 (159 days left) - Validity days: 395 - Certificate S/N: 10018094209647532371913518187860771165 - Certificate SHA1 FP: 64:C4:2E:AF:38:2A:28:64:A0:A8:B8:6B:02:05:86:1F:E7:F6:E5:FF + Valid from: 2019-09-06 + Valid to: 2020-10-06 (78 days left) + Validity days: 396 + Certificate valid: True + Certificate S/N: 20641318859548253362475798736742284477 + Certificate SHA1 FP: D5:CE:1B:77:AB:59:C9:BE:37:58:0F:5D:73:97:64:98:C4:3E:43:30 Certificate version: 2 Certificate algorithm: sha256WithRSAEncryption Expired: False @@ -143,11 +106,12 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443 Issued domain: github.com Issued to: GitHub, Inc. Issued by: DigiCert Inc (US) - Valid from: 2018-05-08 - Valid to: 2020-06-03 (338 days left) - Validity days: 757 - Certificate S/N: 13324412563135569597699362973539517727 - Certificate SHA1 FP: CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84 + Valid from: 2020-05-05 + Valid to: 2022-05-10 (659 days left) + Validity days: 735 + Certificate valid: True + Certificate S/N: 7101927171473588541993819712332065657 + Certificate SHA1 FP: 5F:3F:7A:C2:56:9F:50:A4:66:76:47:C6:A1:8C:A0:07:AA:ED:BB:8E Certificate version: 2 Certificate algorithm: sha256WithRSAEncryption Expired: False @@ -155,9 +119,78 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443 \_ DNS:github.com \_ DNS:www.github.com -+------------------------------------------------------+ -| Successful: 2 | Failed: 0 | Duration: 0:00:01.429145 | -+------------------------------------------------------+ + ++-------------------------------------------------------------------------------------------+ +| Successful: 2 | Failed: 0 | Valid: 2 | Warning: 0 | Expired: 0 | Duration: 0:00:07.694433 | ++-------------------------------------------------------------------------------------------+ +``` + + + +## Censored? + +No problem. Pass `-s/--socks` argument to the script with `HOST:PORT` format to connect through SOCKS proxy. + +``` +narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com ++-------------------+ +|Analyzing 1 host(s)| ++-------------------+ + + [-] facebook.com Failed: [Errno 111] Connection refused + ++-------------------------------------------------------------------------------------------+ +| Successful: 0 | Failed: 1 | Valid: 0 | Warning: 0 | Expired: 0 | Duration: 0:00:04.109058 | ++-------------------------------------------------------------------------------------------+ + +narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9050 ++---------------------+ +| Analyzing 1 host(s) | ++---------------------+ + [+] facebook.com + ----------------- + Issued domain: *.facebook.com + Issued to: Facebook, Inc. + Issued by: DigiCert Inc (US) + Valid from: 2020-05-14 + Valid to: 2020-08-05 (16 days left) + Validity days: 83 + Certificate valid: True + Certificate S/N: 19351530099991824979726880175805235719 + Certificate SHA1 FP: 89:7F:54:63:61:34:2F:7E:B4:B5:68:E2:92:79:D2:98:B4:97:D8:EA + Certificate version: 2 + Certificate algorithm: sha256WithRSAEncryption + Expired: False + Certificate SAN's: + \_ DNS:*.facebook.com + \_ DNS:*.facebook.net + \_ DNS:*.fbcdn.net + \_ DNS:*.fbsbx.com + \_ DNS:*.messenger.com + \_ DNS:facebook.com + \_ DNS:messenger.com + \_ DNS:*.m.facebook.com + \_ DNS:*.xx.fbcdn.net + \_ DNS:*.xy.fbcdn.net + \_ DNS:*.xz.fbcdn.net + + ++-------------------------------------------------------------------------------------------+ +| Successful: 1 | Failed: 0 | Valid: 1 | Warning: 0 | Expired: 0 | Duration: 0:00:00.416188 | ++-------------------------------------------------------------------------------------------+ +``` + + + +## Quick Summary + +Sometimes you need to run the script and get the quick summary of the hosts. By passing `-S/--summary` you will get the quick overview of the result. + +``` +narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 test.com twitter.com -S ++-------------------------------------------------------------------------------------------+ +| Successful: 3 | Failed: 0 | Valid: 3 | Warning: 0 | Expired: 0 | Duration: 0:00:01.958670 | ++-------------------------------------------------------------------------------------------+ ``` @@ -167,7 +200,7 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443 By passing `-a/--analyze` to the script, it will scan the certificate for security issues and vulnerabilities. It will also mark a grade for the certificate. **This will take more time to finish.** ``` -narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 -a +narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 -a +---------------------+ | Analyzing 1 host(s) | +---------------------+ @@ -206,12 +239,10 @@ Warning: -a/--analyze is enabled. It takes more time... Example only with the `-j/--json` argument which shows the JSON only. Perfect for piping to another tool. ``` -narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -j -H narbeh.org:443 test.com -{"narbeh.org": {"issued_to": "narbeh.org", "cert_sans": "DNS:narbeh.org", "valid_till": "2019-12-26", "valid_from": "2019-09-27", "issuer_ou": null, "days_left": 25, "cert_ver": 2, "tcp_port": 443, "cert_alg": "sha256WithRSAEncryption", "issued_o": null, "cert_exp": false, "cert_sha1": "05:52:4E:89:1E:98:1D:40:C1:41:F4:DD:F7:51:86:20:27:CF:E7:7F", "issuer_c": "US", "issuer_cn": "Let's Encrypt Authority X3", "issuer_o": "Let's Encrypt", "validity_days": 90, "cert_sn": 293690843427182569577385918507679703674563}} +narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -j -H narbeh.org:443 +{"narbeh.org": {"host": "narbeh.org", "issued_to": "sni.cloudflaressl.com", "issued_o": "Cloudflare, Inc.", "issuer_c": "US", "issuer_o": "CloudFlare, Inc.", "issuer_ou": null, "issuer_cn": "CloudFlare Inc ECC CA-2", "cert_sn": "20958932659753030511717961095784314907", "cert_sha1": "FC:2D:0E:FD:DE:C0:98:7D:23:D2:E7:14:4C:07:6A:3D:25:25:49:B6", "cert_alg": "ecdsa-with-SHA256", "cert_ver": 2, "cert_sans": "DNS:sni.cloudflaressl.com; DNS:narbeh.org; DNS:*.narbeh.org", "cert_exp": false, "cert_valid": true, "valid_from": "2020-04-02", "valid_till": "2020-10-09", "validity_days": 190, "days_left": 81, "valid_days_to_expire": 81, "tcp_port": 443}} ``` - - CSV export is also easy. After running the script with `-c/--csv` argument and specifying `filename.csv` after it, you'll have something like this: ``` @@ -231,6 +262,19 @@ validity_days,90 cert_sn,338163108483756707389368573553026254634358 ``` +Finally, if you want to export JSON's output per host in a separated file, use `-J/--json-save`. This will export JSON's output per host. + + + +# As a Python Module + +Simply import the `ssl_checker.py` into your python script and use it as a module. + +``` +from ssl_checker import SSLChecker +SSLCheckerObject = SSLChecker() +``` + # Docker diff --git a/ssl_checker.py b/ssl_checker.py index 117dd3a..ba5f35b 100755 --- a/ssl_checker.py +++ b/ssl_checker.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import socket import sys @@ -328,7 +328,7 @@ class SSLChecker: help='Enable JSON in the output') parser.add_argument('-S', '--summary', dest='summary_true', action='store_true', default=False, - help='Enable only summery output') + help='Enable summary output only') parser.add_argument('-J', '--json-save', dest='json_save_true', action='store_true', default=False, help='Enable JSON export individually per host')