SSLsplit alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

Alternatives (by tag)

63

Alternative: ArpON

ArpON is a host-based tool to improve the security of the Address Resolution Protocol (ARP).

ArpOn protects a system by running as a daemon and guard against a Man in the Middle (MitM) attack due to ARP spoofing, cache poisoning, or an ARP poison routing attack.

The tool works by using three types of inspection to detect a related attack.

  • SARPI (Static ARP Inspection), statically configured networks (without DHCP)
  • DARPI (Dynamic ARP Inspection), dynamically configured networks (with DHCP)
  • HARPI (Hybrid ARP Inspection), statically and dynamically configured networks (with DHCP)

Project details

ArpON is written in C.

Strengths

  • + The source code of this software is available

ArpON project page

100

Alternative: BetterCAP

BetterCAP is a complete, modular, portable and easily extensible MitM tool and framework. It is maintained well and appreciated by many.

Project details

BetterCAP is written in Ruby.

Strengths

  • + More than 25 contributors
  • + More than 2000 GitHub stars
  • + The source code of this software is available

Typical usage

  • bypassing security measures
  • penetration test
  • security assessment

BetterCAP project page

63

Alternative: DNSChef

DNSChef is a highly configurable DNS proxy for penetration testers and malware analysts

96

Alternative: mitmproxy (mitmproxy)

The mitmproxy tool allows to intercept, inspect, modify, and replay traffic flows. It may be used for pentesting, troubleshooting, or learning about SSL/TLS.

Project details

mitmproxy is written in Python.

Strengths

  • + More than 50 contributors
  • + More than 7000 GitHub stars
  • + The source code of this software is available

Typical usage

  • network analysis
  • penetration test
  • security assessment

mitmproxy project page

64

Alternative: Nili

Nili is a security tool with a wide range of goals, including network scanning, MitM attacks, protocol reverse engineering and application fuzzing.

Project details

Nili is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • network scanning
  • penetration test
  • security assessment

Nili project page

64

Alternative: Seth

Seth is a security tool to perform a man-in-the-middle (MitM) attack and extract clear text credentials from RDP connections.

Project details

Seth is written in Python, shell script.

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • security assessment

Seth project page

60

Alternative: sslcaudit

The sslcaudit project helps with automated testing of SSL/TLS clients for resistance against MITM attacks.

This project focuses on the niche of testing SSL/TLS clients.

Project details

sslcaudit is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • security assessment
  • software testing

sslcaudit project page

64

Alternative: A2SV

A2SV is short for Auto Scanning to SSL Vulnerability, a security tool to scan for SSL and TLS vulnerabilities. It can be used during security assessments.

Project details

A2SV is written in Python.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Full name of author is unknown

Typical usage

  • vulnerability scanning
  • vulnerability testing

A2SV project page

74

Alternative: Certificate Transparency

Google's Certificate Transparency project audits the way SSL/TLS certificates are used and its underlying cryptographic system.

HTTPS connections use cryptographic functions to provide confidentiality and integrity. It can provide features like domain validation, end-to-end encryption, and a trust chain from certificate authorities down to the end-user. Any flaws can endanger these goals, like the impersonation of a system, man-in-the-middle (MitM) attacks, and website spoofing. This project helps to find flaws and improve the overall security of our internet.

64

Alternative: cipherscan

Cipherscan is a tool to test the ordering of SSL/TLS ciphers on a given target. It tests the major versions of SSL, TLS, and any extensions of these protocols.

Project details

cipherscan is written in Python, shell script.

Strengths

  • + Screen output is colored
  • + More than 1000 GitHub stars
  • + Very low number of dependencies
  • + Supported by a large company

Typical usage

  • information gathering
  • security assessment
  • system hardening
  • web application analysis

cipherscan project page

60

Alternative: clinker

Clinker is a tool to test SSL and TLS security for Firefox. It is an addon that shows the used cipher suites, certificates, and shows related security information of the connection itself.

Requirements: Firefox

80

Alternative: Lemur

Lemur manages TLS certificate creation and the underlying process that is required. It acts as a broker between a certificate authority (CA) and the environment

With Lemur you can provide a central portal for developers and administrators to issue TLS certificates with predefined defaults.

Lemur works on CPython 3.5 and uses the Flask framework. Another component it uses is cryptography to handle the creation of the certificates.

Netflix develops on macOS and deploys on Ubuntu servers.

Project details

Lemur is written in Python.

Strengths

  • + More than 500 GitHub stars
  • + The source code of this software is available
  • + Supported by a large company

Typical usage

  • certificate management

Lemur project page

56

Alternative: MassBleed

MassBleed is a SSL vulnerability scanner to check for several known vulnerabilities and attacks like DROWN, POODLE, and ShellShock.

Project details

MassBleed is written in Perl, Python, shell script.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Full name of author is unknown
  • - Unknown project license

Typical usage

  • application security
  • web application analysis

MassBleed project page

78

Alternative: OpenSSL

OpenSSL is an open source project and provides a toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Project details

OpenSSL is written in C.

Strengths

  • + The source code of this software is available
  • + Well-known library

Weaknesses

  • - Major vulnerabilities in the past

Typical usage

  • certificate management
  • data encryption

OpenSSL project page

97

Alternative: O-Saft

O-Saft is a security tool to show information about SSL certificates. It tests the SSL connection with the given list of ciphers and configuration.

O-Saft is the abbreviation for OWASP SSL advanced forensic tool.

Project details

O-Saft is written in Perl.

Strengths

  • + The source code of this software is available

Typical usage

  • information gathering
  • penetration test
  • security assessment
  • vulnerability scanning
  • web application analysis

O-Saft project page

84

Alternative: pshtt

pshtt is a security tool to scan domains for the usage of HTTPS and applying best practices in their web configuration.

pshtt was developed to push organizations, including government departments, to adopt HTTPS across the enterprise. pshtt is a collaboration between GSA's 18F and the DHS National Cybersecurity Assessments and Technical Services team.

Notes

  • pshtt is pronounced as "pushed"
  • Data can be stored as CSV or JSON

Project details

pshtt is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • security assessment
  • web application analysis

pshtt project page

70

Alternative: SSLMap

SSLMap is a TLS/SSL cipher suite scanner. It provides a way to detect weak ciphers enabled on SSL endpoints and can be used during security assessments.

SSLMap uses its own SSL engine to avoid any dependencies or limitations with pre-installed libraries.

85

Alternative: SSLyze

SSLyze provides a library for scanning services that use SSL/TLS for encrypted communications. It can be used to test their implementation.

76

Alternative: testssl.sh

testssl.sh is a command line tool which checks a system on any port for the support of TLS/SSL ciphers, protocols, as well as some cryptographic flaws.

Key features of testssl.sh include:

  • Clear output: you can tell easily whether anything is good or bad
  • Ease of installation: It works for Linux, Darwin, FreeBSD, NetBSD and MSYS2/Cygwin out of the box: no need to install or configure something, no gems, CPAN, pip or the like.
  • Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
  • Toolbox: Several command line options help you to run YOUR test and configure YOUR output
  • Reliability: features are tested thoroughly
  • Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning
  • Privacy: It's only you who sees the result, not a third party
  • Freedom: It's 100% open source. You can look at the code, see what's going on and you can change it.

Project details

testssl.sh is written in shell script.

Strengths

  • + Used language is shell script
  • + The source code of this software is available

Typical usage

  • application testing
  • configuration audit

testssl.sh project page

60

Alternative: tlsenum

The CLI tool tlsenum attempts to enumerate what TLS cipher suites a server supports and then list them in order of priority.

This tool works by sending out sending out TLS ClientHello messages. Any ServerHello responses from the server are parsed. It assumes that the server is the one which decides the preferred cipher suite, giving an idea on the available ciphers.

Project details

tlsenum is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • information gathering
  • security assessment
  • system hardening

tlsenum project page

60

Alternative: ZGrap

ZGrap is a TLS banner grabber and written in Go. It works together with the ZMap utility.

ZGrab is a stateful application-layer scanner. It works together with ZMap and is also part of the ZMap project. ZGrab is written in Go and supports multiple protocols, including:

  • BACNET
  • HTTP
  • HTTPS
  • FTP
  • IMAP
  • POP3
  • Modbus
  • Siemens S7
  • SMTP
  • SSH
  • Telnet
  • Tridium Fox

Project details

ZGrap is written in Golang.

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • security assessment
  • vulnerability scanning

ZGrap project page