mali/ssl-checker
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refactor and Update README.md

Browse Source
This commit is contained in:
Narbeh Arakil 2020-07-19 16:04:59 +04:30
parent 64db1fa73f
commit d5ea5cca89
2 changed files with 106 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

164
README.md
View File

@ -28,7 +28,7 @@ or
``` ```
./ssl_checker.py -h ./ssl_checker.py -h
usage: ssl_checker.py (-H [HOSTS [HOSTS ...]] | -f HOST_FILE) [-s HOST:PORT] usage: ssl_checker.py (-H [HOSTS [HOSTS ...]] | -f HOST_FILE) [-s HOST:PORT]
[-c FILENAME.CSV] [-j] [-J] [-a] [-v] [-h] [-c FILENAME.CSV] [-j] [-S] [-J] [-a] [-v] [-h]
Collects useful information about given host's SSL certificates. Collects useful information about given host's SSL certificates.
@ -42,6 +42,7 @@ optional arguments:
-c FILENAME.CSV, --csv FILENAME.CSV -c FILENAME.CSV, --csv FILENAME.CSV
Enable CSV file export Enable CSV file export
-j, --json Enable JSON in the output -j, --json Enable JSON in the output
-S, --summary Enable summary output only
-J, --json-save Enable JSON export individually per host -J, --json-save Enable JSON export individually per host
-a, --analyze Enable SSL security analysis on the host -a, --analyze Enable SSL security analysis on the host
-v, --verbose Enable verbose to see what is going on -v, --verbose Enable verbose to see what is going on
@ -62,6 +63,8 @@ Port is optional here. The script will use 443 if not specified.
`-j, --json ` Use this if you want to only have the result in JSON `-j, --json ` Use this if you want to only have the result in JSON
`-S, --summary ` This argument will show quick summary in the output
`-J, --json-save` Use this if you want to save as JSON file per host `-J, --json-save` Use this if you want to save as JSON file per host
`-a, --analyze` This argument will include security analyze on the certificate. Takes more time. No result means failed to analyze. `-a, --analyze` This argument will include security analyze on the certificate. Takes more time. No result means failed to analyze.
@ -72,47 +75,6 @@ Port is optional here. The script will use 443 if not specified.
## Censored?
No problem. Pass `-s/--socks` argument to the script with `HOST:PORT` format to connect through SOCKS proxy.
```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com
+-------------------+
|Analyzing 1 host(s)|
+-------------------+
[-] facebook.com Failed: [Errno 111] Connection refused
+------------------------------------------------------+
| Successful: 0 | Failed: 1 | Duration: 0:00:00.710470 |
+------------------------------------------------------+
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9050
+-------------------+
|Analyzing 1 host(s)|
+-------------------+
[+] facebook.com
Issued domain: *.facebook.com
Issued by: DigiCert Inc
Valid from: 2017-12-15
Valid to: 2019-03-22 (334 days left)
Validity days: 462
Certificate S/N: 14934250041293165463321169237204988608
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Expired: False
+------------------------------------------------------+
| Successful: 1 | Failed: 0 | Duration: 0:00:00.710470 |
+------------------------------------------------------+
```
## Example ## Example
``` ```
@ -125,11 +87,12 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
Issued domain: time.com Issued domain: time.com
Issued to: None Issued to: None
Issued by: Amazon (US) Issued by: Amazon (US)
Valid from: 2018-11-07 Valid from: 2019-09-06
Valid to: 2019-12-07 (159 days left) Valid to: 2020-10-06 (78 days left)
Validity days: 395 Validity days: 396
Certificate S/N: 10018094209647532371913518187860771165 Certificate valid: True
Certificate SHA1 FP: 64:C4:2E:AF:38:2A:28:64:A0:A8:B8:6B:02:05:86:1F:E7:F6:E5:FF Certificate S/N: 20641318859548253362475798736742284477
Certificate SHA1 FP: D5:CE:1B:77:AB:59:C9:BE:37:58:0F:5D:73:97:64:98:C4:3E:43:30
Certificate version: 2 Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption Certificate algorithm: sha256WithRSAEncryption
Expired: False Expired: False
@ -143,11 +106,12 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
Issued domain: github.com Issued domain: github.com
Issued to: GitHub, Inc. Issued to: GitHub, Inc.
Issued by: DigiCert Inc (US) Issued by: DigiCert Inc (US)
Valid from: 2018-05-08 Valid from: 2020-05-05
Valid to: 2020-06-03 (338 days left) Valid to: 2022-05-10 (659 days left)
Validity days: 757 Validity days: 735
Certificate S/N: 13324412563135569597699362973539517727 Certificate valid: True
Certificate SHA1 FP: CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84 Certificate S/N: 7101927171473588541993819712332065657
Certificate SHA1 FP: 5F:3F:7A:C2:56:9F:50:A4:66:76:47:C6:A1:8C:A0:07:AA:ED:BB:8E
Certificate version: 2 Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption Certificate algorithm: sha256WithRSAEncryption
Expired: False Expired: False
@ -155,9 +119,78 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
\_ DNS:github.com \_ DNS:github.com
\_ DNS:www.github.com \_ DNS:www.github.com
+------------------------------------------------------+
| Successful: 2 | Failed: 0 | Duration: 0:00:01.429145 | +-------------------------------------------------------------------------------------------+
+------------------------------------------------------+ | Successful: 2 | Failed: 0 | Valid: 2 | Warning: 0 | Expired: 0 | Duration: 0:00:07.694433 |
+-------------------------------------------------------------------------------------------+
```
## Censored?
No problem. Pass `-s/--socks` argument to the script with `HOST:PORT` format to connect through SOCKS proxy.
```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com
+-------------------+
|Analyzing 1 host(s)|
+-------------------+
[-] facebook.com Failed: [Errno 111] Connection refused
+-------------------------------------------------------------------------------------------+
| Successful: 0 | Failed: 1 | Valid: 0 | Warning: 0 | Expired: 0 | Duration: 0:00:04.109058 |
+-------------------------------------------------------------------------------------------+
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H facebook.com -s localhost:9050
+---------------------+
| Analyzing 1 host(s) |
+---------------------+
[+] facebook.com
-----------------
Issued domain: *.facebook.com
Issued to: Facebook, Inc.
Issued by: DigiCert Inc (US)
Valid from: 2020-05-14
Valid to: 2020-08-05 (16 days left)
Validity days: 83
Certificate valid: True
Certificate S/N: 19351530099991824979726880175805235719
Certificate SHA1 FP: 89:7F:54:63:61:34:2F:7E:B4:B5:68:E2:92:79:D2:98:B4:97:D8:EA
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Expired: False
Certificate SAN's:
\_ DNS:*.facebook.com
\_ DNS:*.facebook.net
\_ DNS:*.fbcdn.net
\_ DNS:*.fbsbx.com
\_ DNS:*.messenger.com
\_ DNS:facebook.com
\_ DNS:messenger.com
\_ DNS:*.m.facebook.com
\_ DNS:*.xx.fbcdn.net
\_ DNS:*.xy.fbcdn.net
\_ DNS:*.xz.fbcdn.net
+-------------------------------------------------------------------------------------------+
| Successful: 1 | Failed: 0 | Valid: 1 | Warning: 0 | Expired: 0 | Duration: 0:00:00.416188 |
+-------------------------------------------------------------------------------------------+
```
## Quick Summary
Sometimes you need to run the script and get the quick summary of the hosts. By passing `-S/--summary` you will get the quick overview of the result.
```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 test.com twitter.com -S
+-------------------------------------------------------------------------------------------+
| Successful: 3 | Failed: 0 | Valid: 3 | Warning: 0 | Expired: 0 | Duration: 0:00:01.958670 |
+-------------------------------------------------------------------------------------------+
``` ```
@ -167,7 +200,7 @@ narbeh@narbeh-laptop:~/ssl-checker$ ./ssl_checker.py -H time.com github.com:443
By passing `-a/--analyze` to the script, it will scan the certificate for security issues and vulnerabilities. It will also mark a grade for the certificate. **This will take more time to finish.** By passing `-a/--analyze` to the script, it will scan the certificate for security issues and vulnerabilities. It will also mark a grade for the certificate. **This will take more time to finish.**
``` ```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 -a narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -H narbeh.org:443 -a
+---------------------+ +---------------------+
| Analyzing 1 host(s) | | Analyzing 1 host(s) |
+---------------------+ +---------------------+
@ -206,12 +239,10 @@ Warning: -a/--analyze is enabled. It takes more time...
Example only with the `-j/--json` argument which shows the JSON only. Perfect for piping to another tool. Example only with the `-j/--json` argument which shows the JSON only. Perfect for piping to another tool.
``` ```
narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -j -H narbeh.org:443 test.com narbeh@narbeh-xps:~/ssl-checker$ ./ssl_checker.py -j -H narbeh.org:443
{"narbeh.org": {"issued_to": "narbeh.org", "cert_sans": "DNS:narbeh.org", "valid_till": "2019-12-26", "valid_from": "2019-09-27", "issuer_ou": null, "days_left": 25, "cert_ver": 2, "tcp_port": 443, "cert_alg": "sha256WithRSAEncryption", "issued_o": null, "cert_exp": false, "cert_sha1": "05:52:4E:89:1E:98:1D:40:C1:41:F4:DD:F7:51:86:20:27:CF:E7:7F", "issuer_c": "US", "issuer_cn": "Let's Encrypt Authority X3", "issuer_o": "Let's Encrypt", "validity_days": 90, "cert_sn": 293690843427182569577385918507679703674563}} {"narbeh.org": {"host": "narbeh.org", "issued_to": "sni.cloudflaressl.com", "issued_o": "Cloudflare, Inc.", "issuer_c": "US", "issuer_o": "CloudFlare, Inc.", "issuer_ou": null, "issuer_cn": "CloudFlare Inc ECC CA-2", "cert_sn": "20958932659753030511717961095784314907", "cert_sha1": "FC:2D:0E:FD:DE:C0:98:7D:23:D2:E7:14:4C:07:6A:3D:25:25:49:B6", "cert_alg": "ecdsa-with-SHA256", "cert_ver": 2, "cert_sans": "DNS:sni.cloudflaressl.com; DNS:narbeh.org; DNS:*.narbeh.org", "cert_exp": false, "cert_valid": true, "valid_from": "2020-04-02", "valid_till": "2020-10-09", "validity_days": 190, "days_left": 81, "valid_days_to_expire": 81, "tcp_port": 443}}
``` ```
CSV export is also easy. After running the script with `-c/--csv` argument and specifying `filename.csv` after it, you'll have something like this: CSV export is also easy. After running the script with `-c/--csv` argument and specifying `filename.csv` after it, you'll have something like this:
``` ```
@ -231,6 +262,19 @@ validity_days,90
cert_sn,338163108483756707389368573553026254634358 cert_sn,338163108483756707389368573553026254634358
``` ```
Finally, if you want to export JSON's output per host in a separated file, use `-J/--json-save`. This will export JSON's output per host.
# As a Python Module
Simply import the `ssl_checker.py` into your python script and use it as a module.
```
from ssl_checker import SSLChecker
SSLCheckerObject = SSLChecker()
```
# Docker # Docker

4
ssl_checker.py
View File

@ -1,4 +1,4 @@
#!/usr/bin/env python #!/usr/bin/env python3
import socket import socket
import sys import sys
@ -328,7 +328,7 @@ class SSLChecker:
help='Enable JSON in the output') help='Enable JSON in the output')
parser.add_argument('-S', '--summary', dest='summary_true', parser.add_argument('-S', '--summary', dest='summary_true',
action='store_true', default=False, action='store_true', default=False,
help='Enable only summery output') help='Enable summary output only')
parser.add_argument('-J', '--json-save', dest='json_save_true', parser.add_argument('-J', '--json-save', dest='json_save_true',
action='store_true', default=False, action='store_true', default=False,
help='Enable JSON export individually per host') help='Enable JSON export individually per host')