{"id":17031172,"url":"https://github.com/wirzka/cipherhound","last_synced_at":"2025-09-07T01:04:21.234Z","repository":{"id":193590342,"uuid":"351083921","full_name":"wirzka/cipherhound","owner":"wirzka","description":"Cipherhound is an automated tool to check if SSL/TLS certificates are compliant with AgID last guidelines.","archived":false,"fork":false,"pushed_at":"2022-02-16T10:02:56.000Z","size":130,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-07T01:03:28.302Z","etag":null,"topics":["agid","blueteam","cybersecurity","python","ssl-certificates","tls-certificate","websecurity"],"latest_commit_sha":null,"homepage":"https://github.com/wirzka/cipherhound","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wirzka.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null},"funding":{"custom":["https://www.buymeacoffee.com/agrigoletto"]}},"created_at":"2021-03-24T13:09:39.000Z","updated_at":"2023-03-20T13:27:28.000Z","dependencies_parsed_at":"2023-09-08T23:03:12.453Z","dependency_job_id":"bb8fc5d0-5e5c-4090-9e79-5da19d78cdd9","html_url":"https://github.com/wirzka/cipherhound","commit_stats":null,"previous_names":["wirzka/cipherhound"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/wirzka/cipherhound","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wirzka%2Fcipherhound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wirzka%2Fcipherhound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wirzka%2Fcipherhound/
releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wirzka%2Fcipherhound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wirzka","download_url":"https://codeload.github.com/wirzka/cipherhound/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wirzka%2Fcipherhound/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273983110,"owners_count":25202095,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-06T02:00:13.247Z","response_time":2576,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agid","blueteam","cybersecurity","python","ssl-certificates","tls-certificate","websecurity"],"created_at":"2024-10-14T08:10:15.651Z","updated_at":"2025-09-07T01:04:21.185Z","avatar_url":"https://github.com/wirzka.png","language":"Python","readme":"![Cipherhound](/img/cipherhound.png)\n\n## Update 16/02/22\n***N.B. I'm currently working on a new version of this tool to overcome some challenges and issues, the new version is going to have a few more features as well.***\n\n# Cipherhound\nCipherhound is a tool to automate and speed up the information gathering of SSL/TLS certificates’ details to compare them with the latest [AgID guidelines](https://www.agid.gov.it/it/sicurezza/tls-e-cipher-suite). 
For those who are not familiar with AgID, as you can find on its website, it is the technical agency for the Presidency of the Council of Ministers (Italy).\n\nI know there is a plethora of well-written and stable applications that could do it, but I like to struggle a bit and I created mine.\n\nThat’s why Cipherhound was born.\n## TOC\n- [Prerequisites \u0026 dependencies](#prerequisites--dependencies)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Cipherhound's logic](#cipherhounds-logic)\n- [Limits](#limits)\n- [Meta](#meta)\n- [Disclaimer](#disclaimer)\n\n## Prerequisites \u0026 dependencies\n\n* Written in Python 3.8.6\n* [Nmap](https://nmap.org/)\n* For python modules check `requirements.txt`\n* Tested on:\n   * Windows 10\n   * Ubuntu on WSL 2\n\n## Installation\n\n1. git clone [https://github.com/wirzka/cipherhound](https://github.com/wirzka/cipherhound/)\n2. cd cipherhound\n3. activate your virtual environment (_optional_)\n4. `pip3 install -r requirements.txt`\n5. `python3 cipherhound.py -h`\n\n## Usage\n### Helper message\n`python3 cipherhound.py -h`\n\n![Usage](/img/usage.PNG)\n\n`python3 cipherhound.py -np acme.com.txt`\n\n![Scan](/img/scan.png)\n## Cipherhound's logic\n\nI've tried to make it simple af. I didn't want to reinvent the whole wheel so that's why I've used nmap's scripts and Python.\n\nThe logic is quite straightforward:\n\n1. Grab the subdomains from the given file;\n2. For each subdomain, add the root domain to it;\n3. Save all the crafted subdomains into the file *root_domain_ValidHostnames.txt* (root_domain is automatically captured from the input txt file);\n4. Run ssl-enum-ciphers with the valid hostnames file as input and write the output to an XML file automatically named *root_domain_Cipher.xml*;\n5. Run ssl-cert with the valid hostnames file as input and write the output to an XML file automatically named *root_domain_Validity.xml*;\n6. Parse both XML files:\n   1. 
Check output from ssl-enum-ciphers, compare it against the AgID's guidelines, and populate dictionary with the resulting values:\n      ```bash\n      * name: acme.com\n      * 80: YES/NO\n      * 443: YES/NO\n      * SSLv3: YES/NO\n      * TLSv1.0: YES/NO\n      * TLSv1.1: YES/NO\n      * TLSv1.2: YES/NO\n      * TLSv1.3: YES/NO\n      * SECURE: YES/NO\n      ```\n   2. Check certificate's validity date and populate dictionary with the resulting values:\n      ```bash\n      * name: acme.com\n      * valid: YES/NO\n      ```\n7. Merge the two lists of dictionaries on equal host names;\n8. Write the resulting list of dictionaries to an excel file named (guess what?) *root_domain.xlsx*.\n\n## Limits\n\nCipherhound is based upon the following Nmap's scripts:\n\n* [ssl-enum-ciphers](https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html)\n* [ssl-cert](https://nmap.org/nsedoc/scripts/ssl-cert.html)\n\n### ssl-enum-ciphers\n\nThis script, written by Mak Kolybabi and Gabriel Lawrence, retrieves a lot of interesting information from the SSL/TLS certificate as shown on Nmap's website:\n\n```bash\nPORT    STATE SERVICE REASON\n443/tcp open  https   syn-ack\n| ssl-enum-ciphers:\n|   TLSv1.0:\n|     ciphers:\n|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A\n|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A\n|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A\n|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A\n|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C\n|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C\n|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C\n|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C\n|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C\n|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C\n|     compressors:\n|       NULL\n|     
cipher preference: server\n|     warnings:\n|       64-bit block cipher 3DES vulnerable to SWEET32 attack\n|       Broken cipher RC4 is deprecated by RFC 7465\n|       Ciphersuite uses MD5 for message integrity\n|       Weak certificate signature: SHA1\n|   TLSv1.2:\n|     ciphers:\n|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A\n|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A\n|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A\n|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A\n|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A\n|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A\n|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A\n|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A\n|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A\n|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A\n|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C\n|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C\n|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C\n|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C\n|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C\n|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C\n|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C\n|     compressors:\n|       NULL\n|     cipher preference: server\n|     warnings:\n|       64-bit block cipher 3DES vulnerable to SWEET32 attack\n|       Broken cipher RC4 is deprecated by RFC 7465\n|       Ciphersuite uses MD5 for message integrity\n|_  least strength: C\n```\n\nFrom this juicy data, Cipherhound grabs only:\n\n* Hostname;\n* Ports' state (open/filtered/closed);\n* Protocols used (SSLv3/TLSv1.0-1.1-1.2);\n* Ciphersuites used;\n\n*The current version does not support TLSv1.3.*\n\n### ssl-cert\n\nWith this script, written by David Fifield, we can retrieve the \"usual\" certificate 
information:\n\n```bash\n443/tcp open  https\n| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\\n/stateOrProvinceName=California/countryName=US/1.3.6.1.4.1.311.60.2.1.2=Delaware\\\n/postalCode=95131-2021/localityName=San Jose/serialNumber=3014267\\\n/streetAddress=2211 N 1st St/1.3.6.1.4.1.311.60.2.1.3=US\\\n/organizationalUnitName=PayPal Production/businessCategory=Private Organization\n| Issuer: commonName=VeriSign Class 3 Extended Validation SSL CA\\\n/organizationName=VeriSign, Inc./countryName=US\\\n/organizationalUnitName=Terms of use at https://www.verisign.com/rpa (c)06\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha1WithRSAEncryption\n| Not valid before: 2011-03-23 00:00:00\n| Not valid after:  2013-04-01 23:59:59\n| MD5:   bf47 ceca d861 efa7 7d14 88ad 4a73 cb5b\n| SHA-1: d846 5221 467a 0d15 3df0 9f2e af6d 4390 0213 9a68\n| -----BEGIN CERTIFICATE-----\n| MIIGSzCCBTOgAwIBAgIQLjOHT2/i1B7T//819qTJGDANBgkqhkiG9w0BAQUFADCB\n...\n| 9YDR12XLZeQjO1uiunCsJkDIf9/5Mqpu57pw8v1QNA==\n|_-----END CERTIFICATE-----\n```\n\nCipherhound is interested only in:\n\n* Hostname;\n* Not valid before date;\n* Not valid after date;\n\n## Future enhancement\n\n* Add validity date to the final excel file\n\n## Meta\n\nWirzka – wiirzka@gmail.com\n\nDistributed under the MIT license. 
See ``LICENSE`` for more information.\n\n[https://github.com/wirzka/cipherhound](https://github.com/wirzka/cipherhound/)\n\n## Disclaimer\nI am not responsible for any damages (tangible or intangible) you could make because of using cipherhound.\nYou should have the permissions to use it in any kind of environment.\n\nStay safe.\n","funding_links":["https://www.buymeacoffee.com/agrigoletto"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwirzka%2Fcipherhound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwirzka%2Fcipherhound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwirzka%2Fcipherhound/lists"}