{"id":13796989,"url":"https://github.com/petermosmans/security-scripts","last_synced_at":"2025-04-07T05:13:11.764Z","repository":{"id":12696883,"uuid":"15369252","full_name":"PeterMosmans/security-scripts","owner":"PeterMosmans","description":"A collection of security related Python and Bash shell scripts. Analyze hosts on generic security vulnerabilities. Wrapper around popular tools like nmap (portscanner), nikto (webscanner) and testssl.sh (SSL/TLS scanner)","archived":false,"fork":false,"pushed_at":"2023-12-05T10:28:32.000Z","size":493,"stargazers_count":272,"open_issues_count":2,"forks_count":77,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-03-30T22:11:12.034Z","etag":null,"topics":["nikto","nmap","python","security","security-scanner","security-tools","ssl","testssl"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PeterMosmans.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-12-22T02:40:01.000Z","updated_at":"2025-03-29T05:35:42.000Z","dependencies_parsed_at":"2023-01-16T19:46:37.413Z","dependency_job_id":"4430e863-c574-4ea9-ab7c-f607d06ff28d","html_url":"https://github.com/PeterMosmans/security-scripts","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fsecurity-scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fsecurity-scripts/tags","release
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fsecurity-scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fsecurity-scripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PeterMosmans","download_url":"https://codeload.github.com/PeterMosmans/security-scripts/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247595335,"owners_count":20963943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nikto","nmap","python","security","security-scanner","security-tools","ssl","testssl"],"created_at":"2024-08-03T23:01:19.341Z","updated_at":"2025-04-07T05:13:11.739Z","avatar_url":"https://github.com/PeterMosmans.png","language":"Shell","funding_links":[],"categories":["\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集"],"sub_categories":[],"readme":"# security-scripts\n\nA collection of security related Python and Bash shell scripts, mainly revolving\naround testing hosts for security vulnerabilities. For the shell scripts no\nfancy programming framework is required, all that is needed is a Bash shell.\n\nNote that it is highly recommended to use `analyze_hosts.py` as it is the most\nrecent version. No new features will be added to the Bash version\n`analyze_hosts.sh`.\n\n`analyze_hosts` is also available as Docker image, including the open source\nscanners `droopescan`, `nmap`, `Nikto` and `testssl.sh`. 
Build it yourself using\nthe supplied Dockerfile, or grab the image from Docker Hub:\n\n```\ndocker run --rm gofwd/analyze_hosts\n```\n\nYou can also run the included tools that way; just override the entrypoint. As\nan example, run `testssl.sh`:\n\n```\ndocker run --rm --entrypoint 'testssl.sh' gofwd/analyze_hosts\n```\n\n## analyze_hosts.py\n\nA simple wrapper script around several open source security tools to simplify\nscanning of hosts for network vulnerabilities. The script lets you analyze one\nor several hosts for common misconfiguration vulnerabilities and weaknesses.\n\nThe main objectives of the script are to make it as easy as possible to perform\ngeneric security tests, without any heavy prerequisites, make the output as\ninformative as possible, and use open source tools. It can easily be used as a\nscheduled task, or be implemented in Continuous Integration environments.\n\nThe only requirements are `nmap` and `Python3`.\n\nAs the scan output can be written to a JSON file, it can be used to generate\ndeltas (differences) between scans, or for further inspection.\n\n### Installation\n\nNote that you can also run `analyze_hosts` straight from a Docker image:\n\n```\ndocker run --rm gofwd/analyze_hosts\n```\n\nOne-time installation steps without virtualenv (all required Python libraries\nare specified in the `requirements.txt` file):\n\n```\ngit clone https://github.com/PeterMosmans/security-scripts \u0026\u0026 \\\ncd security-scripts \u0026\u0026 \\\npip3 install -r requirements.txt\n```\n\n### Usage\n\n```\nusage: analyze_hosts.py [-h] [--version] [--dry-run] [-i INPUTFILE] [-o OUTPUT_FILE] [--compact] [--queuefile QUEUEFILE] [--resume] [--settings SETTINGS]\n                        [--exit-code] [--force] [--debug] [-v] [-q] [--allports] [-n] [-p PORT] [--up] [--udp] [--framework] [--http] [--compression]\n                        [--headers] [--trace] [--redirect] [--force-ssl] [--json JSON] [--ssl] [--nikto] [--sslcert] [-w] [--proxy 
PROXY]\n                        [--timeout TIMEOUT] [--threads THREADS] [--user-agent USER_AGENT] [--password PASSWORD] [--username USERNAME] [--maxtime MAXTIME]\n                        [target]\n\nanalyze_hosts - scans one or more hosts for security misconfigurations\n\nCopyright (C) 2015-2022 Peter Mosmans [Go Forward]\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\npositional arguments:\n  target                [TARGET] can be a single (IP) address, an IP range, or multiple comma-separated addressess\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --version             Show version and exit\n  --dry-run             Only show commands, don't actually do anything\n  -i INPUTFILE, --inputfile INPUTFILE\n                        A file containing targets, one per line\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        output file containing all scanresults (default analyze_hosts.output)\n  --compact             Only log raw logfiles and alerts to file\n  --queuefile QUEUEFILE\n                        the queuefile\n  --resume              Resume working on the queue\n  --settings SETTINGS   Name of settings file to use (default analyze_hosts.yml)\n  --exit-code           When supplied, return exit code 1 when alerts are discovered\n  --force               Ignore / overwrite the queuefile\n  --debug               Show debug information\n  -v, --verbose         Be more verbose\n  -q, --quiet           Do not show scan outputs on the console\n  --allports            Run a full-blown nmap scan on all ports\n  -n, --no-portscan     Do NOT run a nmap portscan\n  -p PORT, --port PORT  Specific port(s) to scan\n  --up                  Assume host is up (do not rely on ping probe)\n  --udp                 Check for open UDP 
ports as well\n  --framework           Analyze the website and run webscans\n  --http                Check for various HTTP vulnerabilities (compression, headers, trace)\n  --compression         Check for webserver compression\n  --headers             Check for various HTTP headers\n  --trace               Check webserver for HTTP TRACE method\n  --redirect            Check for insecure redirect\n  --force-ssl           Enforce SSL/TLS check on all open ports\n  --json JSON           Save output in JSON file\n  --ssl                 Check for various SSL/TLS vulnerabilities\n  --nikto               Run a nikto scan\n  --sslcert             Download SSL certificate\n  -w, --whois           Perform a whois lookup\n  --proxy PROXY         Use proxy server (host:port)\n  --timeout TIMEOUT     Timeout for requests in seconds (default 10)\n  --threads THREADS     Maximum number of threads (default 5)\n  --user-agent USER_AGENT\n                        Custom User-Agent to use (default analyze_hosts)\n  --password PASSWORD   Password for HTTP basic host authentication\n  --username USERNAME   Username for HTTP basic host authentication\n  --maxtime MAXTIME     Timeout for scans in seconds (default 600)\n```\n\nThe script `analyze_hosts` automatically executes other scans (based on their\nfingerprint or open ports):\n\n```\ndroopescan\nnikto\ntestssl.sh\nWPscan\n```\n\nYou can use the following environment variables (all uppercase) to specify the\ntools if they cannot be found in the standard paths:\n\nCURL, DROOPESCAN, NIKTO, OPENSSL, TESTSSL, WPSCAN\n\n### Suppressing false positives\n\nA settings file can be used (`--settings`) to configure or tweak scan parameters\nper host / port combination. This allows you to suppress false positives in scan\nresults. 
Currently the Nikto `Plugins`, `Tuning` and `output` parameters are\nsupported, as well as a list of allowed / expected open ports, and testssl\nparameters.\n\nExample settings file:\n\n```\ntargets:\n  127.0.0.1:\n    allowed_ports: [22, 80, 443]\n    ports:\n      - port: 80\n        nikto_plugins: \"@@ALL\"\n        nikto_tuning: \"x1\"\n        nikto_output: \"report.html\"\n      - port: 443\n        testssl_untrusted: true\n        testssl:\n          - \"--ccs-injection\"\n          - \"--ticketbleed\"\n          - \"--robot\"\n\n```\n\nThis will supply the `-Plugins '@@ALL' -Tuning 'x1' -output 'report.html'`\nparameters to Nikto when port 80 is scanned.\n\nFurthermore, it will only generate an alert when an open port other than port 22,\n80 or 443 is found. By default, an alert will be generated if an open port other\nthan 80 or 443 is found.\n\nNo alert will be generated if the SSL/TLS endpoint on port 443 uses an\nuntrusted (self-signed) certificate. And instead of all default tests, only\nthree SSL/TLS tests will be performed.\n\n### JSON format\n\n```\n{\n  \"arguments\": {\n    \"target\": \"1.2.3.1/30\",\n    \"version\": false,\n    \"dry_run\": false,\n    \"inputfile\": \"0frnfb4e\",\n    \"output_file\": \"output.txt\",\n    \"compact\": true,\n    \"queuefile\": \"analyze_hosts.queue\",\n    \"resume\": false,\n    \"force\": false,\n    \"debug\": false,\n    \"verbose\": false,\n    \"quiet\": false,\n    \"allports\": false,\n    \"no_portscan\": false,\n    \"port\": null,\n    \"up\": false,\n    \"udp\": false,\n    \"framework\": false,\n    \"http\": true,\n    \"json\": \"results.json\",\n    \"ssl\": true,\n    \"nikto\": true,\n    \"sslcert\": false,\n    \"trace\": false,\n    \"whois\": false,\n    \"proxy\": null,\n    \"timeout\": true,\n    \"threads\": 5,\n    \"user_agent\": \"analyze_hosts\",\n    \"password\": null,\n    \"username\": null,\n    \"maxtime\": 1200,\n    \"testssl.sh\": true,\n    \"curl\": false,\n    
\"wpscan\": true,\n    \"droopescan\": true,\n    \"nmap\": true,\n    \"nmap_arguments\": \"-sV --open -sS --script=banner,dns-nsid,dns-recursion,http-cisco-anyconnect,http-php-version,http-title,http-trace,ntp-info,ntp-monlist,nbstat,rdp-enum-encryption,rpcinfo,sip-methods,smb-os-discovery,smb-security-mode,smtp-open-relay,ssh2-enum-algos,vnc-info,xmlrpc-methods,xmpp-info\"\n  },\n  \"date_start\": \"2020-05-26 31:33:06\",\n  \"results\": {\n    \"1.2.3.1\": {\n      \"ports\": [\n        53\n      ]\n    },\n    \"1.2.3.2\": {\n      \"ports\": []\n    },\n    \"1.2.3.3\": {\n      \"ports\": [\n        80,\n        443\n      ],\n      \"alerts\": [\n        \":443  LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches\"\n      ]\n    },\n    \"1.2.3.4\": {\n      \"ports\": [\n        80,\n        443\n      ],\n      \"alerts\": [\n        \":443 + OSVDB-3092: /download/: This might be interesting...\",\n        \":443 + OSVDB-3092: /status/: This might be interesting...\",\n        \":443 + OSVDB-4231: /DHrPp.xml: Coccoon from Apache-XML project reveals file system path in error messages.\",\n        \":443 + OSVDB-3092: /upgrade.php: upgrade.php was found.\"\n      ]\n    }\n  },\n  \"date_finish\": \"2020-05-26 31:33:07\"\n}\n```\n\n## display_results.py\n\nA little helper script that formats the scan results nicely, so that scan\nresults can easily be reviewed.\n\n```\nusage: display_results.py [-h] [--info] [--version] [inputfile]\n\ndisplay_results version 0.0.1 - displays scan results nicely\n\npositional arguments:\n  inputfile   A JSON file containing scan results\n\noptional arguments:\n  -h, --help  show this help message and exit\n  --info      Show also informational items\n  --version   Show version and exit\n\n```\n\n## analyze_hosts.sh\n\nA simple wrapper script around several open source security tools to simplify\nscanning of hosts for network vulnerabilities. 
The script lets you analyze one\nor several hosts for common misconfiguration vulnerabilities and weaknesses. The\nmain objectives of the script are to make it as easy as possible to perform\ngeneric security tests, without any heavy prerequisites, make the output as\ninformative as possible, and use open source tools....\n\n- [cipherscan](https://github.com/jvehent/cipherscan)\n- curl\n- nmap\n- [openssl-1.0.2-chacha](https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha/)\n- [whatweb](https://github.com/urbanadventurer/WhatWeb)\n- whois\n\n### Examples\n\n#### SSL certificates\n\n```\n./analyze_hosts.sh --sslcert www.google.com\n```\n\nShows details of a certificate, like the issuer and subject. It warns when the\ncertificate is expired or when the certificate is a certificate authority.\n\nExample output:\n\n```\ntrying to retrieve SSL x.509 certificate on www.google.com:443... received\nissuer=\n    countryName               = US\n    organizationName          = Google Inc\n    commonName                = Google Internet Authority G2\nsubject=\n    countryName               = US\n    stateOrProvinceName       = California\n    localityName              = Mountain View\n    organizationName          = Google Inc\n    commonName                = www.google.com\nOK: certificate is valid between 16-07-2014 and 14-10-2014\n```\n\n#### SSL/TLS ciphers\n\n```\n./analyze_hosts.sh --ssl --sslports 443 -v www.microsoft.com\n```\n\nChecks which ciphers are allowed. It warns when insecure ciphers are being used.\nBy default the ports 443, 465, 993, 995 and 3389 are checked. 
You can\nspecify the ports by using `--sslports`. The `-v` flag outputs all results, regardless\nof the message type.\n\nExample output:\n\n```\nprio  ciphersuite   protocols    pfs_keysize\n1     RC4-MD5       SSLv3,TLSv1\n2     RC4-SHA       SSLv3,TLSv1\n3     DES-CBC3-SHA  SSLv3,TLSv1\n4     AES256-SHA    TLSv1\n5     AES128-SHA    TLSv1\n\nCertificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature\ntrying to retrieve SSL x.509 certificate on www.microsoft.com:443... received\nissuer=\n    domainComponent           = com\n    domainComponent           = microsoft\n    domainComponent           = corp\n    domainComponent           = redmond\n    commonName                = MSIT Machine Auth CA 2\nsubject=\n    countryName               = US\n    stateOrProvinceName       = WA\n    localityName              = Redmond\n    organizationName          = Microsoft Corporation\n    organizationalUnitName    = MSCOM\n    commonName                = www.microsoft.com\nOK: certificate is valid between 12-01-2013 and 12-01-2015\n\nperforming nmap sslscan on www.microsoft.com ports 443...\nNmap scan report for www.microsoft.com (134.170.184.133)\nHost is up (0.15s latency).\nPORT    STATE SERVICE\n443/tcp open  https\n| ssl-enum-ciphers:\n|   SSLv3:\n|     ciphers:\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_RSA_WITH_RC4_128_MD5 - strong\n|       TLS_RSA_WITH_RC4_128_SHA - strong\n|     compressors:\n|       NULL\n|   TLSv1.0:\n|     ciphers:\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_128_CBC_SHA - strong\n|       TLS_RSA_WITH_AES_256_CBC_SHA - strong\n|       TLS_RSA_WITH_RC4_128_MD5 - strong\n|       TLS_RSA_WITH_RC4_128_SHA - strong\n|     compressors:\n|       NULL\n|_  least strength: strong\n```\n\n### usage\n\n```\n./analyze_hosts.sh [OPTION]... 
[HOST]\n\nScanning options:\n -a, --all               perform all basic scans\n     --max               perform all advanced scans (more thorough)\n -b, --basic             perform basic scans (fingerprint, ssl, trace)\n                         results of HOST matches regexp FILTER\n     --dns               test for recursive query and version string\n -f                      perform web fingerprinting (all webports)\n     --fingerprint       perform all web fingerprinting methods\n -h, --header            show webserver headers (all webports)\n -n, --nikto             nikto webscan (all webports)\n -p                      nmap portscan (top 1000 TCP ports)\n     --ports             nmap portscan (all ports, TCP and UDP)\n     --redirect          test for open secure redirect\n -s                      check SSL configuration\n     --ssl               perform all SSL configuration checks\n     --sslcert           show details of SSL certificate\n     --timeout=SECONDS   change timeout for tools (default 60)\n     --ssh               perform SSH configuration checks\n -t                      check webserver for HTTP TRACE method\n     --trace             perform all HTTP TRACE method checks\n -w, --whois             perform WHOIS lookup for (hostname and) IP address\n -W                      confirm WHOIS results before continuing scan\n     --filter=FILTER     only proceed with scan of HOST if WHOIS\n     --wordlist=filename scan webserver for existence of files in filename\n\nPort selection (comma separated list):\n     --webports=PORTS    use PORTS for web scans (default 80,443,8080)\n     --sslports=PORTS    use PORTS for ssl scans (default 443,465,993,995,3389)\n\nLogging and input file:\n -d, --directory=DIR     location of temporary files (default /tmp)\n -i, --inputfile=FILE    use a file containing hostnames\n -l, --log               log each scan in a separate logfile\n     --nocolor           don't use fancy colors in screen output\n -o, --output=FILE      
 concatenate all OK and WARNING messages into FILE\n -q, --quiet             quiet\n -v, --verbose           show server responses\n\nDefault programs:\n     --cipherscan=FILE   location of cipherscan (default cipherscan)\n     --openssl=FILE      location of openssl (default openssl)\n\n -u                      update this script (if it's a cloned repository)\n     --update            force update (overwrite all local modifications)\n     --version           print version information and exit\n\n                         BLUE: INFO, status messages\n                         GREEN: OK, secure settings\n                         RED: WARNING, possible vulnerabilities\n\n [HOST] can be a single (IP) address, an IP range, eg. 127.0.0.1-255\n or multiple comma-separated addressess\n```\n\n### history\n\n- since 0.88: preliminary support for starttls xmpp\n\n## test_ssl_handshake.sh\n\nA script to test TLS/SSL handshakes with. Several bugtests are included:\n\n- 128 cipherlimit when using tls1_2 protocol\n- aRSA cipher order\n- version intolerant server\n\n\\$ ./test_ssl_handshake.sh\n\n```\n      (c) 2014 Peter Mosmans [Go Forward]\n      Licensed under the GPL 3.0\n\ntests SSL/TLS handshakes (for known bugs)\n\nusage: ./test_ssl_handshake.sh target[:port] [start]\n\n     [start]            number of ciphers to start with (default 125)\n     --ciphers=FILE     a file containing a list which ciphers to use\n     --cipherstring=CIPHERSTRING\n                        cipherstring (default )\n     -f | --force       continue even though the error has been detected\n     --iterate          iterate through all the ciphers instead of adding\n     --openssl=FILE     location of openssl (default )\n     -v | --verbose     be more verbose, please\n\n tests:\n     --128              test for 128 cipherlimit\n     --intolerant       test for version intolerant server\n     --rsa              test for RSA order sensitivity\n\n     by default, all tests will be 
performed\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpetermosmans%2Fsecurity-scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpetermosmans%2Fsecurity-scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpetermosmans%2Fsecurity-scripts/lists"}