
@fatred
Last active February 10, 2017 16:37
#!/usr/bin/env python
import nmap
import os
import datetime
import smtplib
from email.mime.text import MIMEText
# --- Settings ---------------------------------------------------------------
# Envelope addresses for the report mail and the network range to inspect.
sender = 'sender@email.biz'
recipients = 'recipient@email.biz'
range_to_scan = '10.0.0.0/24'

# Probe tcp/443 across the range and have nmap's ssl-cert script record the
# certificate each listener presents.
nm = nmap.PortScanner()
print("[*] Starting NMAP Scan of %s" % range_to_scan)
scan = nm.scan(range_to_scan, '443', arguments='--script=ssl-cert')
# Alternative invocation driven by include/exclude files (one IP per line;
# the original author notes that '#' comments are accepted in those files).
#scan = nm.scan(range_to_scan, '443', arguments='--script=ssl-cert -iL includelist.txt --excludefile=excludehosts.txt')

# Reference timestamps for the expiry window, plus the strptime format used
# for the certificate dates.
# NOTE(review): datetime.now() is naive local time, and the expiry strings
# parsed further down have their UTC offset sliced off before comparison, so
# the window can be off by the local UTC offset -- confirm that is acceptable.
today = datetime.datetime.now()
todayminus3d = today - datetime.timedelta(days=3)
todayplus7d = today + datetime.timedelta(days=7)
df = "%Y-%m-%dT%H:%M:%S"

# Progress report once the scan has returned.
stats = nm.scanstats()
print("[*] %s hosts found listening on SSL port tcp/443 in %s" % (stats['uphosts'], stats['elapsed']))
print("[*] Looking for certs that expire before %s" % todayplus7d)
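# Records are 'ip,commonName,expiryDate' strings; the report code further
# down splits them on ','.
expiringCerts = []
expiredCerts = []
# Walk every host that answered on tcp/443 and sort its certificate into
# "already expired" or "expires within 7 days".
#
# The ssl-cert text is produced from whatever certificate the remote host
# presents, so it is parsed defensively: the expiry line is located by its
# label rather than by a fixed line number (the number of lines before it
# varies, which made the fixed index raise IndexError), and a host whose
# output cannot be parsed is reported instead of being silently treated as
# healthy.
for host in nm.all_hosts():
    if not nm[host].has_tcp(443):
        continue
    certText = nm[host]['tcp'][443].get('script', {}).get('ssl-cert')
    if not certText:
        # Port is known but the ssl-cert script returned nothing for it.
        continue
    ip = nm[host]['addresses']['ipv4']
    certLines = certText.split('\n')

    # First line is expected to look like 'Subject: commonName=NAME/...'.
    try:
        commonName = certLines[0].split(':')[1].split('/')[0].split('=')[1].lstrip()
    except IndexError:
        commonName = '(no commonName)'

    # Find the 'Not valid after:' line wherever it sits in the output.
    expiryDate = None
    for line in certLines:
        if 'after:' in line:
            # Keep only the 19-character 'YYYY-MM-DDTHH:MM:SS' part so a
            # trailing UTC offset, when present, is dropped.
            expiryDate = line.split('after:')[1].strip()[:19]
            break
    try:
        expiresAt = datetime.datetime.strptime(expiryDate or '', df)
    except ValueError:
        print("[!] Could not read an expiry date for %s (%s); check it by hand" % (ip, commonName))
        continue

    record = ip + ',' + commonName + ',' + expiryDate
    if expiresAt <= today:
        expiredCerts.append(record)
    elif expiresAt < todayplus7d:
        expiringCerts.append(record)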
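def _formatRecord(cert):
    """Render one 'ip,commonName,expiryDate' record as a report line.

    The common name is taken from the scanned host's certificate and may
    itself contain commas, so the first field is read as the IP, the last as
    the expiry date, and everything in between as the name.
    """
    fields = cert.split(',')
    return "IP: %s\t|\tCommon Name: %s\t|\tExpiry Date: %s\n" % (fields[0], ','.join(fields[1:-1]), fields[-1])


emailbody = ''
# Expired certificates always go into the mail, whatever day it is.
if expiredCerts:
    print("[*] %s certs expired already!!!" % len(expiredCerts))
    emailbody += "Certs ALREADY EXPIRED!!!\n\n"
    for cert in expiredCerts:
        emailbody += _formatRecord(cert)
# Certificates that run out within the next 7 days.
if expiringCerts:
    print("[*] %s certs expiring this week" % len(expiringCerts))
    emailbody += '\nCerts expiring in the next 7 days:\n\n'
    for cert in expiringCerts:
        emailbody += _formatRecord(cert)
else:
    print("[*] Nothing expiring this week")
    # weekday() is a method and returns 0 for Monday; comparing the bound
    # method itself with 1 was never true, so the weekly all-clear mail was
    # never sent.
    if today.weekday() == 0:
        emailbody += '\nNo Certs expiring this week!'
    elif not expiredCerts:
        # Nothing expiring and nothing expired: no mail needed. SystemExit
        # lets the interpreter flush stdout on the way out, which os._exit()
        # skips (the status line above can be lost when output is piped).
        raise SystemExit(0)
    # Otherwise something has already expired, so the mail must still go out.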
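# Build the report mail from the body assembled above.
msg = MIMEText(emailbody)
msg['Subject'] = 'SSL Cert scan on %s' % range_to_scan
msg['From'] = sender
msg['To'] = recipients
print("[*] Sending email to the team...")
# Hand the message to the relay.
# NOTE(review): this is a plain SMTP session -- no starttls() or login() is
# issued, so the report (internal IPs and certificate names) crosses the
# network in clear text. Enable STARTTLS if the relay supports it.
# The timeout keeps an unattended run from hanging on an unreachable relay.
smtp_session = smtplib.SMTP('smtp-server.fqdn.biz', timeout=30)
try:
    smtp_session.sendmail(sender, [recipients], msg.as_string())
    smtp_session.quit()
finally:
    # close() is safe after quit() and releases the socket if sendmail raised.
    smtp_session.close()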

opexxx commented Feb 10, 2017

Traceback (most recent call last):
  File "ssl-range-scan.py", line 41, in <module>
expiryDate = nm[host]['tcp'][443]['script']['ssl-cert'].split('\n')[5].split('after:')[1].lstrip()[:-6]
IndexError: list index out of range
