cipherscan alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

Alternatives (by tag)

97

Alternative: O-Saft

O-Saft is a security tool to show information about SSL certificates. It tests the SSL connection with the given list of ciphers and configuration.

O-Saft is the abbreviation for OWASP SSL advanced forensic tool.

Project details

O-Saft is written in Perl.

Strengths

  • + The source code of this software is available

Typical usage

  • information gathering
  • penetration test
  • security assessment
  • vulnerability scanning
  • web application analysis

O-Saft project page

67

Alternative: SSLMap

SSLMap is a TLS/SSL cipher suite scanner. It provides a way to detect weak ciphers enabled on SSL endpoints and can be used during security assessments.

SSLMap uses its own SSL engine to avoid any dependencies or limitations with pre-installed libraries.

85

Alternative: SSLyze

SSLyze provides a library for scanning services that use SSL/TLS for encrypted communications. It can be used to test their implementation.

64

Alternative: A2SV

A2SV is short for Auto Scanning to SSL Vulnerability, a security tool to scan for SSL and TLS vulnerabilities. It can be used during security assessments.

Project details

A2SV is written in Python.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Full name of author is unknown

Typical usage

  • vulnerability scanning
  • vulnerability testing

A2SV project page

74

Alternative: Certificate Transparency

Google's Certificate Transparency project audits the way SSL/TLS certificates are used and its underlying cryptographic system.

HTTPS connections use cryptographic functions to provide confidentiality and integrity. It can provide features like domain validation, end-to-end encryption, and a trust chain from certificate authorities down to the end-user. Any flaws can endanger these goals, like the impersonation of a system, man-in-the-middle (MitM) attacks, and website spoofing. This project helps to find flaws and improve the overall security of our internet.

60

Alternative: clinker

Clinker is a tool to test SSL and TLS security for Firefox. It is an addon that shows the used cipher suites, certificates, and shows related security information of the connection itself.

Requirements: Firefox

80

Alternative: Lemur

Lemur manages TLS certificate creation and the underlying process that is required. It acts as a broker between a certificate authority (CA) and the environment

With Lemur you can provide a central portal for developers and administrators to issue TLS certificates with predefined defaults.

Lemur works on CPython 3.5 and uses the Flask framework. Another component it uses is cryptography to handle the creation of the certificates.

Netflix develops on macOS and deploys on Ubuntu servers.

Project details

Lemur is written in Python.

Strengths

  • + More than 500 GitHub stars
  • + The source code of this software is available
  • + Supported by a large company

Typical usage

  • certificate management

Lemur project page

56

Alternative: MassBleed

MassBleed is a SSL vulnerability scanner to check for several known vulnerabilities and attacks like DROWN, POODLE, and ShellShock.

Project details

MassBleed is written in Perl, Python, shell script.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Full name of author is unknown
  • - Unknown project license

Typical usage

  • application security
  • web application analysis

MassBleed project page

89

Alternative: mitmproxy (mitmproxy)

The mitmproxy tool allows to intercept, inspect, modify, and replay traffic flows. It may be used for pentesting, troubleshooting, or learning about SSL/TLS.

Project details

mitmproxy is written in Python.

Strengths

  • + More than 50 contributors
  • + More than 7000 GitHub stars
  • + The source code of this software is available

Typical usage

  • network analysis
  • penetration test
  • security assessment

mitmproxy project page

78

Alternative: OpenSSL

OpenSSL is an open source project and provides a toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Project details

OpenSSL is written in C.

Strengths

  • + The source code of this software is available
  • + Well-known library

Weaknesses

  • - Major vulnerabilities in the past

Typical usage

  • certificate management
  • data encryption

OpenSSL project page

85

Alternative: pshtt

pshtt is a security tool to scan domains for the usage of HTTPS and applying best practices in their web configuration.

pshtt was developed to push organizations, including government departments, to adopt HTTPS across the enterprise. pshtt is a collaboration between GSA's 18F and the DHS National Cybersecurity Assessments and Technical Services team.

Notes

  • pshtt is pronounced as "pushed"
  • Data can be stored as CSV or JSON

Project details

pshtt is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • security assessment
  • web application analysis

pshtt project page

60

Alternative: sslcaudit

The sslcaudit project helps with automated testing of SSL/TLS clients for resistance against MITM attacks.

This project focuses on the niche of testing SSL/TLS clients.

Project details

sslcaudit is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • security assessment
  • software testing

sslcaudit project page

78

Alternative: SSLsplit

SSLsplit is a security tool to perform transparent SSL/TLS interception by using a so-called man-in-the-middle (MitM) attack.

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. Depending on the version of OpenSSL, SSLsplit supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well. SSLsplit can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit removes response headers for HPKP in order to prevent public key pinning, for HSTS to allow the user to accept untrusted certificates, and Alternate Protocols to prevent switching to QUIC/SPDY. As an experimental feature, SSLsplit supports STARTTLS mechanisms in a generic manner.

Project details

SSLsplit is written in C.

Strengths

  • + The source code of this software is available

Typical usage

  • learning
  • network analysis
  • penetration test
  • security assessment

SSLsplit project page

97

Alternative: testssl.sh

testssl.sh is a command line tool which checks a system on any port for the support of TLS/SSL ciphers, protocols, as well as some cryptographic flaws.

Key features of testssl.sh include:

  • Clear output: you can tell easily whether anything is good or bad
  • Ease of installation: It works for Linux, Darwin, FreeBSD, NetBSD and MSYS2/Cygwin out of the box: no need to install or configure something, no gems, CPAN, pip or the like.
  • Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
  • Toolbox: Several command line options help you to run YOUR test and configure YOUR output
  • Reliability: features are tested thoroughly
  • Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning
  • Privacy: It's only you who sees the result, not a third party
  • Freedom: It's 100% open source. You can look at the code, see what's going on and you can change it.

Project details

testssl.sh is written in shell script.

Strengths

  • + Used language is shell script
  • + The source code of this software is available

Typical usage

  • application testing
  • configuration audit

testssl.sh project page

60

Alternative: tlsenum

The CLI tool tlsenum attempts to enumerate what TLS cipher suites a server supports and then list them in order of priority.

This tool works by sending out sending out TLS ClientHello messages. Any ServerHello responses from the server are parsed. It assumes that the server is the one which decides the preferred cipher suite, giving an idea on the available ciphers.

Project details

tlsenum is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • information gathering
  • security assessment
  • system hardening

tlsenum project page

60

Alternative: ZGrab

ZGrab is a TLS banner grabber and written in Go. It works together with the ZMap utility.

ZGrab is a stateful application-layer scanner. It works together with ZMap and is also part of the ZMap project. ZGrab is written in Go and supports multiple protocols, including:

  • BACNET
  • HTTP
  • HTTPS
  • FTP
  • IMAP
  • POP3
  • Modbus
  • Siemens S7
  • SMTP
  • SSH
  • Telnet
  • Tridium Fox

Project details

ZGrab is written in Golang.

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • security assessment
  • vulnerability scanning

ZGrab project page