A comprehensive Python tool for checking firewall ports, detecting L7 protection services (WAF, CDN, etc.), and testing mTLS authentication. Available as both a Python package and Docker container.
- β Port Scanning: Check well-known firewall ports and services
- π‘οΈ L7 Protection Detection: Identify WAF/CDN services (F5, AWS WAF, Azure, Cloudflare, Microsoft HTTPAPI, etc.)
- π mTLS Authentication: Check mutual TLS support and certificate requirements
- π SSL/TLS Certificate Analysis: Comprehensive certificate chain analysis and validation
- ποΈ Certificate Authority Identification: "Who signed my cert?" functionality with trust chain visualization
β οΈ Missing Intermediate Detection: Identify incomplete certificate chains affecting browser compatibility- π Hybrid Identity Detection: Check for Azure AD/ADFS integration and federation endpoints (NEW!)
- π DNS Trace: Advanced DNS CNAME chain analysis and IP protection detection
- π Async Support: High-performance concurrent scanning
- π Rich Output: Beautiful terminal output with progress bars and certificate analysis tables
- π§ Unified CLI: All functionality accessible through a single command interface
- π¦ Pip Installable: Available on PyPI
- π³ Docker Ready: Pre-built Docker images on Docker Hub
- π Type Hints: Full type hint support for better IDE integration
- ποΈ Production Ready: Follows Python packaging best practices
pip install simple-port-checkerDocker images are available on Docker Hub with automated builds from this repository.
# Quick start - run directly without installation
docker run --rm htunnthuthu/simple-port-checker:latest google.com 443
# Use specific version
docker run --rm htunnthuthu/simple-port-checker:v0.5.3 example.com --ports 80,443
# Run L7 protection check
docker run --rm htunnthuthu/simple-port-checker:latest l7-check example.com
# Run SSL/TLS certificate analysis
docker run --rm htunnthuthu/simple-port-checker:latest cert-check example.com
# Run full scan with all features
docker run --rm htunnthuthu/simple-port-checker:latest full-scan example.com
# Use latest tag for most recent features
docker pull htunnthuthu/simple-port-checker:latest
# Available tags: latest, v0.5.1, v0.5.0, v0.4.2, v0.4.1, v0.4.0, v0.3.0, and other version tagsDocker Image Features:
- β Lightweight: Based on Alpine Linux for minimal size
- π Secure: Non-root user, minimal dependencies
- π·οΈ Multi-arch: Supports AMD64 and ARM64 architectures
- π Auto-updated: Images built automatically from main branch
- π Comprehensive: All CLI features available in container
git clone https://github.com/htunnthuthu/simple-port-checker.git
cd simple-port-checker
pip install -e .# Basic port scan
port-checker scan example.com
# Scan specific ports
port-checker scan example.com --ports 80,443,8080
# Check L7 protection
port-checker l7-check example.com
# SSL/TLS Certificate Analysis (NEW!)
port-checker cert-check example.com
port-checker cert-chain github.com
port-checker cert-info google.com
# DNS trace analysis
port-checker dns-trace example.com
# L7 check with DNS tracing
port-checker l7-check example.com --trace-dns
# Full scan with L7 detection
port-checker full-scan example.com
# Check for hybrid identity and ADFS (NEW!)
port-checker hybrid-identity example.com
# Scan multiple targets
port-checker scan example.com google.com --output results.json
# Run as Python module
python -m simple_port_checker scan example.com
# Check mTLS support
port-checker mtls-check example.com
# Check mTLS with client certificates
port-checker mtls-check example.com --client-cert client.crt --client-key client.key
# Generate test certificates for mTLS testing
port-checker mtls-gen-cert test-client.example.com
# Validate certificate files
port-checker mtls-validate-cert client.crt client.key
# Check multiple targets for mTLS support
port-checker mtls-check example.com test.example.com --concurrent 5# Basic port scan
docker run --rm htunnthuthu/simple-port-checker:latest scan example.com
# Scan with specific ports
docker run --rm htunnthuthu/simple-port-checker:latest scan example.com --ports 80,443,8080
# L7 protection detection
docker run --rm htunnthuthu/simple-port-checker:latest l7-check example.com --trace-dns
# SSL/TLS Certificate Analysis
docker run --rm htunnthuthu/simple-port-checker:latest cert-check github.com
docker run --rm htunnthuthu/simple-port-checker:latest cert-chain google.com
docker run --rm htunnthuthu/simple-port-checker:latest cert-info example.com
# Full comprehensive scan
docker run --rm htunnthuthu/simple-port-checker:latest full-scan example.com
# mTLS testing
docker run --rm htunnthuthu/simple-port-checker:latest mtls-check example.com
# Save results to host (mount volume)
docker run --rm -v $(pwd):/app/output htunnthuthu/simple-port-checker:latest scan example.com --output /app/output/results.json
# Use specific version
docker run --rm htunnthuthu/simple-port-checker:v0.5.1 scan example.comimport asyncio
from simple_port_checker import PortChecker, L7Detector, CertificateAnalyzer
# Initialize scanner
scanner = PortChecker()
async def main():
# Scan ports
results = await scanner.scan_host("blog.htunnthuthu.tech", ports=[80, 443, 8080])
print(f"Open ports: {len([p for p in results.ports if p.is_open])}")
# Detect L7 protection
detector = L7Detector()
protection = await detector.detect("blog.htunnthuthu.tech")
if protection.primary_protection:
service = protection.primary_protection.service.value
confidence = protection.primary_protection.confidence
print(f"L7 Protection: {service} ({confidence:.0%})")
else:
print("No L7 protection detected")
# Analyze SSL/TLS certificate
cert_analyzer = CertificateAnalyzer()
cert_chain = await cert_analyzer.analyze_certificate_chain("blog.htunnthuthu.tech", 443)
print(f"Certificate Subject: {cert_chain.server_cert.subject}")
print(f"Issuer: {cert_chain.server_cert.issuer}")
print(f"Valid: {cert_chain.server_cert.is_valid_now}")
print(f"Chain Complete: {cert_chain.chain_complete}")
# Run the async function
asyncio.run(main())import asyncio
from simple_port_checker import MTLSChecker
async def check_mtls():
checker = MTLSChecker()
# Basic mTLS support check
result = await checker.check_mtls("example.com")
print(f"Supports mTLS: {result.supports_mtls}")
print(f"Requires client cert: {result.requires_client_cert}")
# Check with client certificates
result = await checker.check_mtls(
"example.com",
client_cert_path="client.crt",
client_key_path="client.key"
)
print(f"Handshake successful: {result.handshake_successful}")
# Batch check multiple targets
targets = [("example.com", 443), ("test.com", 8443)]
results = await checker.batch_check_mtls(targets)
for result in results:
print(f"{result.target}: mTLS={result.supports_mtls}")
asyncio.run(check_mtls())The Hybrid Identity feature detects Azure AD/ADFS integration and federation endpoints for domains. It uses the same method as Azure Portal to discover ADFS endpoints by querying the Azure AD realm API, making it highly reliable for identifying hybrid identity configurations.
This is essential for:
- π Security Audits: Identify federation services and authentication mechanisms
- π Migration Planning: Assess current identity setup before cloud migrations
- π οΈ Troubleshooting: Verify ADFS accessibility and configuration
- π― Identity Discovery: Discover authentication mechanisms for domains
- βοΈ Cloud Integration: Understand Azure AD and on-premises integration
| Check | Description |
|---|---|
| π― Azure AD Flow | Queries Azure AD realm API (most reliable method - same as Azure Portal) |
| π ADFS Endpoints | Checks /adfs/ls and related paths |
| π Federation Metadata | WS-Federation metadata endpoints |
| βοΈ Azure AD Integration | Redirects to Microsoft login |
| π OpenID Config | .well-known/openid-configuration |
| π DNS Records | Microsoft verification, MX records, ADFS subdomains |
# Check single domain for hybrid identity
port-checker hybrid-identity example.com
# Check multiple domains
port-checker hybrid-identity company1.com company2.com company3.com
# From file
port-checker hybrid-identity $(cat domains.txt)
# With verbose output for detailed analysis
port-checker hybrid-identity example.com --verbose
# Save results to JSON
port-checker hybrid-identity example.com --output hybrid-results.json# Custom timeout (useful for slow networks)
port-checker hybrid-identity example.com --timeout 15
# Control concurrency for batch checks
port-checker hybrid-identity domain1.com domain2.com --concurrent 5
# Comprehensive check with all options
port-checker hybrid-identity example.com \
--verbose \
--timeout 15 \
--output results.json# Basic hybrid identity check
docker run --rm htunnthuthu/simple-port-checker:latest hybrid-identity example.com
# Multiple domains with output
docker run --rm -v $(pwd):/app/output \
htunnthuthu/simple-port-checker:latest \
hybrid-identity company1.com company2.com \
--output /app/output/hybrid-results.json \
--verboseimport asyncio
from simple_port_checker import HybridIdentityChecker
async def check_hybrid_identity():
"""Basic hybrid identity check."""
checker = HybridIdentityChecker(timeout=15.0)
# Check single domain
result = await checker.check("example.com")
print(f"Domain: {result.fqdn}")
print(f"Hybrid Identity: {'β
Detected' if result.has_hybrid_identity else 'β Not Found'}")
if result.has_adfs:
print(f"\nADFS Configuration:")
print(f" Endpoint: {result.adfs_endpoint}")
print(f" Status: {result.adfs_status_code}")
if result.federation_metadata_found:
print(" Federation Metadata: β
Found")
if result.azure_ad_detected:
print(" Azure AD Integration: β
Detected")
if result.openid_config_found:
print(" OpenID Configuration: β
Found")
# DNS indicators
if result.dns_records:
print(f"\nDNS Records:")
if 'microsoft_verification' in result.dns_records:
print(" Microsoft Verification: β
Found")
if 'microsoft_mail' in result.dns_records:
print(" Microsoft 365 Mail: β
Detected")
if 'adfs_subdomains' in result.dns_records:
print(f" ADFS Subdomains: {', '.join(result.dns_records['adfs_subdomains'])}")
print(f"\nResponse Time: {result.response_time:.2f}s")
# Error handling
if result.error:
print(f"Error: {result.error}")
async def batch_hybrid_identity_check():
"""Check multiple domains for hybrid identity."""
checker = HybridIdentityChecker()
domains = [
"company1.com",
"company2.com",
"company3.com",
]
print("Checking hybrid identity for multiple domains...\n")
results = await checker.batch_check(domains, max_concurrent=5)
# Summary statistics
hybrid_count = sum(1 for r in results if r.has_hybrid_identity)
adfs_count = sum(1 for r in results if r.has_adfs)
print(f"\nSummary:")
print(f" Total Domains: {len(results)}")
print(f" Hybrid Identity Found: {hybrid_count}")
print(f" ADFS Endpoints Found: {adfs_count}")
# Detailed results
print(f"\nDetailed Results:")
for result in results:
status = "β
" if result.has_hybrid_identity else "β"
adfs = f" (ADFS: {result.adfs_endpoint})" if result.adfs_endpoint else ""
print(f" {status} {result.fqdn}{adfs}")
async def production_hybrid_identity_check():
"""Production-ready hybrid identity checking with error handling."""
checker = HybridIdentityChecker(timeout=10.0)
domains = ["example.com", "test.com", "company.com"]
results = []
for domain in domains:
try:
result = await checker.check(domain)
results.append(result)
if result.error:
print(f"β {domain}: {result.error}")
continue
if result.has_hybrid_identity:
print(f"β
{domain}: Hybrid Identity Detected")
if result.adfs_endpoint:
print(f" ADFS: {result.adfs_endpoint}")
else:
print(f"βΉοΈ {domain}: Cloud-only (no hybrid identity)")
except Exception as e:
print(f"β {domain}: Exception - {e}")
return results
# Run examples
asyncio.run(check_hybrid_identity())
asyncio.run(batch_hybrid_identity_check())
asyncio.run(production_hybrid_identity_check())Uses the same method as Azure Portal to discover ADFS endpoints!
When you login to Azure Portal with user@domain.com:
- Portal checks:
login.microsoftonline.com/common/userrealm/user@domain.com - Gets ADFS endpoint from Azure AD configuration
- Redirects to that ADFS endpoint
This tool does the exact same thing β¨, making it the most reliable method for ADFS discovery.
Status: β
Hybrid Identity Detected
ADFS Endpoint: β
Found
Endpoint URL: https://adfs.company.com/adfs/ls
Status Code: 200
Azure AD Integration: β
Detected
Federation Metadata: β
Found
Status: β οΈ No Hybrid Identity Found
ADFS Endpoint: β Not Found
Federation Metadata: β Not Found
Azure AD Integration: β Not Detected
- Security Audits: Identify all domains with federation services
- Migration Planning: Assess current identity infrastructure before migrations
- Troubleshooting: Verify ADFS endpoints are accessible
- Compliance: Ensure identity configurations meet requirements
- Discovery: Map out authentication mechanisms across multiple domains
- Quick Reference:
HYBRID_IDENTITY_QUICKREF.md - Implementation Details:
IMPLEMENTATION_HYBRID_IDENTITY.md - Full API Docs:
docs/hybrid-identity.md - API Reference:
docs/api.md
The mTLS (Mutual TLS) feature provides comprehensive testing and validation of mutual TLS authentication configurations. This is essential for:
- π Zero Trust Security: Verify mutual authentication in zero-trust architectures
- π Compliance Audits: Ensure mTLS requirements are properly implemented
- π‘οΈ API Security: Test client certificate authentication for APIs
- π Security Assessments: Identify services requiring mutual authentication
- π Certificate Management: Analyze and validate certificate configurations
# Check if a service supports mTLS
port-checker mtls-check api.example.com
# Check mTLS on custom port
port-checker mtls-check api.example.com --port 8443
# Check with verbose output for detailed information
port-checker mtls-check api.example.com --verbose
# Check multiple targets concurrently
port-checker mtls-check api1.example.com api2.example.com --concurrent 10
# Save results to JSON
port-checker mtls-check api.example.com --output mtls-results.json# Generate test certificates for mTLS testing
port-checker mtls-gen-cert client.example.com
# Creates: client.crt and client.key
# Validate certificate and key files
port-checker mtls-validate-cert client.crt client.key
# Test mTLS with client certificates
port-checker mtls-check api.example.com \
--client-cert client.crt \
--client-key client.key
# Test with custom CA bundle
port-checker mtls-check api.example.com \
--client-cert client.crt \
--client-key client.key \
--ca-bundle /path/to/ca-bundle.pem# Disable SSL verification (for testing)
port-checker mtls-check internal-api.company.com --no-verify
# Custom timeout and concurrency
port-checker mtls-check api.example.com \
--timeout 30 \
--concurrent 5
# Batch check with different configurations
port-checker mtls-check \
api1.example.com:443 \
api2.example.com:8443 \
internal.example.com:9443 \
--client-cert client.crt \
--client-key client.key \
--verbose \
--output comprehensive-mtls-audit.jsonimport asyncio
from simple_port_checker import MTLSChecker
async def basic_mtls_check():
"""Basic mTLS support checking."""
checker = MTLSChecker(timeout=10)
# Check single target
result = await checker.check_mtls("api.example.com")
print(f"Target: {result.target}:{result.port}")
print(f"Supports mTLS: {result.supports_mtls}")
print(f"Requires client cert: {result.requires_client_cert}")
print(f"Handshake successful: {result.handshake_successful}")
if result.server_cert_info:
cert = result.server_cert_info
print(f"Server cert: {cert.subject}")
print(f"Valid until: {cert.not_valid_after}")
async def mtls_with_client_certs():
"""mTLS testing with client certificates."""
checker = MTLSChecker()
# Test with client certificates
result = await checker.check_mtls(
"api.example.com",
client_cert_path="client.crt",
client_key_path="client.key"
)
print(f"mTLS handshake: {'β' if result.handshake_successful else 'β'}")
print(f"TLS version: {result.tls_version}")
print(f"Cipher suite: {result.cipher_suite}")
async def batch_mtls_check():
"""Batch mTLS checking with progress tracking."""
checker = MTLSChecker()
targets = [
"api1.example.com",
"api2.example.com",
("internal-api.company.com", 8443)
]
def progress_callback(completed, total, result):
print(f"Progress: {completed}/{total} - {result.target}: {result.supports_mtls}")
results = await checker.batch_check_mtls(
targets,
max_concurrent=5,
progress_callback=progress_callback
)
# Analyze results
mtls_supported = sum(1 for r in results if r.supports_mtls)
print(f"mTLS supported: {mtls_supported}/{len(results)} targets")
async def production_mtls_audit():
"""Production-ready mTLS audit with comprehensive error handling."""
checker = MTLSChecker(
timeout=15,
max_retries=2,
retry_delay=1.0,
enable_logging=True
)
targets = [
"api.example.com",
"secure-api.example.com",
"internal-api.company.com"
]
results = []
for target in targets:
try:
result = await checker.check_mtls(target)
results.append(result)
# Log important findings
if result.requires_client_cert:
print(f"β οΈ {target} REQUIRES client certificates")
elif result.supports_mtls:
print(f"βΉοΈ {target} supports mTLS (optional)")
else:
print(f"βΉοΈ {target} no mTLS support")
except Exception as e:
print(f"β Error checking {target}: {e}")
# Get performance metrics
metrics = checker.get_metrics()
print(f"\nMetrics: {metrics['successful_connections']}/{metrics['total_requests']} successful")
print(f"Average time: {metrics['total_time']/metrics['total_requests']:.3f}s")
# Run examples
asyncio.run(basic_mtls_check())
asyncio.run(mtls_with_client_certs())
asyncio.run(batch_mtls_check())
asyncio.run(production_mtls_audit())The following sequence diagram illustrates the end-to-end flow of Simple Port Checker:
sequenceDiagram
participant User
participant CLI
participant PortChecker
participant L7Detector
participant Target as Target Host
participant DNS
participant HTTP as HTTP/HTTPS
%% Port Scanning Flow
rect rgb(200, 255, 200)
Note over User, HTTP: Port Scanning Phase
User->>+CLI: port-checker scan target.com
CLI->>+PortChecker: scan_host(target.com, ports)
PortChecker->>+DNS: Resolve hostname
DNS-->>-PortChecker: IP address
par Port 80
PortChecker->>+Target: TCP Connect :80
Target-->>-PortChecker: Connection response
and Port 443
PortChecker->>+Target: TCP Connect :443
Target-->>-PortChecker: Connection response
and Port 22
PortChecker->>+Target: TCP Connect :22
Target-->>-PortChecker: Connection response
end
PortChecker->>+Target: Banner grabbing
Target-->>-PortChecker: Service banners
PortChecker-->>-CLI: ScanResult
CLI-->>-User: Rich formatted output
end
%% L7 Protection Detection Flow
rect rgb(200, 200, 255)
Note over User, HTTP: L7 Protection Detection Phase
User->>+CLI: port-checker l7-check target.com
CLI->>+L7Detector: detect(target.com)
L7Detector->>+HTTP: HTTPS Request
HTTP-->>-L7Detector: Response + Headers
L7Detector->>L7Detector: Analyze Headers<br/>(CF-Ray, X-Amzn-RequestId, etc.)
L7Detector->>L7Detector: Check Response Body<br/>(WAF signatures)
L7Detector->>+DNS: CNAME Lookup
DNS-->>-L7Detector: DNS Records
L7Detector->>L7Detector: Match Signatures<br/>(Cloudflare, AWS WAF, etc.)
alt WAF/CDN Detected
L7Detector-->>CLI: L7Result (Protected)
CLI-->>User: "β Protection: Cloudflare (95%)"
else No Protection
L7Detector-->>CLI: L7Result (Unprotected)
CLI-->>User: "β No L7 Protection Detected"
end
L7Detector-->>-CLI: L7Result
CLI-->>-User: Rich formatted output
end
%% Full Scan Flow
rect rgb(255, 255, 200)
Note over User, HTTP: Full Scan (Combined)
User->>+CLI: port-checker full-scan target.com
CLI->>CLI: Execute Port Scan
CLI->>CLI: Execute L7 Detection
CLI-->>-User: Complete security assessment
end
The following sequence diagram illustrates the complete mTLS authentication checking process:
sequenceDiagram
participant Client as Simple Port Checker
participant Target as Target Server
participant CA as Certificate Authority
participant Logger as Metrics & Logging
%% Initial Setup
rect rgb(200, 220, 255)
Note over Client: mTLS Check Initialization
Client->>Logger: Start mTLS check session
Client->>Client: Validate target hostname/IP
Client->>Client: Validate port range (1-65535)
alt Client certificates provided
Client->>Client: Validate cert/key files exist
Client->>Client: Verify cert/key pair match
end
end
%% Phase 1: Server Certificate Discovery
rect rgb(200, 255, 200)
Note over Client,Target: Phase 1: Server Certificate Analysis
Client->>Target: TCP Connect (port 443/custom)
Target-->>Client: Connection established
Client->>Target: TLS Handshake (no client cert)
Target->>Target: Present server certificate
Target-->>Client: Server certificate + chain
Client->>Client: Parse X.509 certificate
Client->>Client: Extract subject, issuer, SAN, algorithms
Client->>Client: Verify certificate validity dates
Client->>Logger: Log certificate details
end
%% Phase 2: Client Certificate Requirement Detection
rect rgb(255, 220, 200)
Note over Client,Target: Phase 2: Client Certificate Requirement Detection
Client->>Target: TLS Handshake (without client cert)
alt Server requires client certificate
Target-->>Client: SSL Error: certificate required
Client->>Client: Set requires_client_cert = true
Client->>Client: Set client_cert_requested = true
else Server supports optional client certificate
Target-->>Client: SSL Error: handshake failure
Client->>Client: Set requires_client_cert = false
Client->>Client: Set client_cert_requested = true
else Server does not support mTLS
Target-->>Client: TLS Handshake successful
Client->>Client: Set supports_mtls = false
Client->>Client: Set client_cert_requested = false
end
end
%% Phase 3: mTLS Authentication Testing (if certificates provided)
rect rgb(255, 200, 255)
Note over Client,Target: Phase 3: mTLS Authentication Testing
alt Client certificates provided
Client->>Client: Load client certificate chain
Client->>Client: Load private key
Client->>Target: mTLS Handshake with client cert
Target->>Target: Verify client certificate
alt Certificate validation successful
Target->>CA: Verify certificate chain (optional)
CA-->>Target: Certificate chain valid
Target-->>Client: mTLS Handshake successful
Target-->>Client: Cipher suite + TLS version
Client->>Client: Set handshake_successful = true
Client->>Client: Extract cipher suite info
Client->>Client: Extract TLS version
else Certificate validation failed
Target-->>Client: SSL Error: certificate verification failed
Client->>Client: Set handshake_successful = false
Client->>Client: Log authentication failure
end
else
Note over Client: Skip mTLS test (no client certificates)
end
end
%% Phase 4: Results Compilation and Metrics
rect rgb(220, 220, 255)
Note over Client,Logger: Phase 4: Results & Metrics
Client->>Client: Compile MTLSResult object
Client->>Client: Update performance metrics
Client->>Logger: Log final results
alt Batch operation
Client->>Client: Aggregate batch statistics
Client->>Client: Calculate success rates
Client->>Logger: Log batch completion metrics
end
Client->>Logger: Record timing metrics
Client->>Logger: Update error counters
end
%% Return Results
Note over Client: Return comprehensive mTLS analysis
- Initialization Phase (Blue): Validates inputs, checks certificate files, and prepares for the mTLS check
- Server Certificate Analysis (Green): Establishes connection and analyzes the server's X.509 certificate
- Client Certificate Detection (Orange): Determines if the server supports/requires client certificates
- mTLS Authentication Testing (Purple): Tests actual mutual authentication if client certificates are provided
- Results & Metrics (Light Blue): Compiles results and updates performance metrics
- Certificate Requirement Detection: Uses SSL error analysis to determine mTLS support level
- Authentication Testing: Only performed when client certificates are available
- Error Handling: Comprehensive error categorization for different failure modes
- Metrics Collection: Tracks performance and reliability statistics throughout the process
- Port Scanning: TCP connection attempts with banner grabbing
- HTTP Header Analysis: Identifying protection service signatures
- DNS Analysis: CNAME records pointing to CDN/WAF providers
- Response Pattern Matching: Service-specific response signatures
- IP Range Detection: Known IP ranges for major providers
- AWS WAF - Amazon Web Application Firewall
- Azure WAF - Microsoft Azure Web Application Firewall
- Azure Front Door - Microsoft Azure Front Door
- Microsoft HTTPAPI - Microsoft Web Application Proxy (WAP) or F5-protected ADFS Server
- F5 BIG-IP - F5 Application Security Manager
- Cloudflare - Cloudflare WAF and DDoS Protection
- Akamai - Akamai Web Application Protector
- Imperva - Imperva SecureSphere WAF
- Sucuri - Sucuri Website Firewall
- Fastly - Fastly Edge Security
- KeyCDN - KeyCDN Security
- MaxCDN - MaxCDN Security
| Port | Service | Description |
|---|---|---|
| 80 | HTTP | Web traffic |
| 443 | HTTPS | Secure web traffic |
| 8080 | HTTP-ALT | Alternative HTTP |
| 8443 | HTTPS-ALT | Alternative HTTPS |
| 3389 | RDP | Remote Desktop Protocol |
| 22 | SSH | Secure Shell |
| 21 | FTP | File Transfer Protocol |
| 25 | SMTP | Simple Mail Transfer Protocol |
| 53 | DNS | Domain Name System |
| 110 | POP3 | Post Office Protocol |
| 143 | IMAP | Internet Message Access Protocol |
| 993 | IMAPS | IMAP over SSL |
| 995 | POP3S | POP3 over SSL |
| 587 | SMTP-MSA | SMTP Message Submission |
Simple Port Checker now includes comprehensive SSL/TLS certificate chain analysis capabilities, following best practices from DigiCert and Red Hat security guidelines. The certificate analysis features help you understand "Who signed my cert?" and identify potential trust issues.
- π Certificate Chain Analysis: Complete validation of server, intermediate, and root certificates
- ποΈ Certificate Authority Identification: Shows who signed each certificate in the chain
β οΈ Missing Intermediate Detection: Identifies incomplete certificate chains that could cause browser compatibility issues- π Chain of Trust Validation: Verifies signature validity throughout the certificate chain
- π‘οΈ Security Analysis: Hostname verification, expiration checking, and key algorithm analysis
- π Certificate Information: Detailed certificate metadata, fingerprints, and extensions
- π Revocation Infrastructure: OCSP and CRL URL extraction for validation
sequenceDiagram
participant User
participant CLI as Simple Port Checker
participant OpenSSL as OpenSSL Client
participant Server as Target Server
participant CA as Certificate Authority
User->>CLI: cert-check example.com
CLI->>OpenSSL: Extract certificate chain
OpenSSL->>Server: TLS handshake
Server-->>OpenSSL: Certificate chain
OpenSSL-->>CLI: Raw certificates
CLI->>CLI: Parse server certificate
CLI->>CLI: Parse intermediate certificates
CLI->>CLI: Validate chain of trust
alt Missing Intermediates
CLI->>CA: Fetch missing certificates
CA-->>CLI: Intermediate certificates
end
CLI->>CLI: Hostname validation
CLI->>CLI: Expiration checking
CLI->>CLI: Extract OCSP/CRL URLs
CLI-->>User: Rich certificate analysis
Note over User,CLI: Shows: Chain validity, Trust issues,<br/>Missing intermediates, CA hierarchy
Analyze SSL/TLS certificate chain for a target host.
# Basic certificate analysis
port-checker cert-check github.com
# Disable hostname verification
port-checker cert-check example.com --no-verify-hostname
# Save results to JSON
port-checker cert-check google.com --output cert_analysis.jsonAnalyze complete certificate chain and trust path.
# Full chain analysis
port-checker cert-chain github.com
# Enable revocation checking
port-checker cert-chain example.com --check-revocation
# Verbose output with detailed chain information
port-checker cert-chain google.com --verboseShow detailed certificate information and signing hierarchy.
# Certificate signing information
port-checker cert-info github.com
# Show certificate in PEM format
port-checker cert-info example.com --show-pem
# Export certificate details to JSON
port-checker cert-info google.com --output cert_details.jsonπ SSL/TLS Certificate Analysis - github.com
βββββββββββββββββββββββ³βββββββββββββββββββββββββββββββββββββββββββββββββ
β Property β Value β
β‘βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β Certificate Status β Valid β
β Hostname Match β β
Valid β
β Subject β CN=github.com β
β Issuer β C=GB, ST=Greater Manchester, L=Salford, β
β β O=Sectigo Limited, CN=Sectigo ECC Domain β
β β Validation Secure Server CA β
β Valid From β 2025-02-05 00:00:00 UTC β
β Valid Until β 2026-02-05 23:59:59 UTC β
βββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββ
ποΈ Certificate Hierarchy (Chain of Trust)
βββββββββββββββββββββ³ββββββββββββββββ³βββββββββββββββ
β Level β Certificate β Signed By β
β‘βββββββββββββββββββββββββββββββββββββββββββββββββββ©
β π₯οΈ Server β CN=github.com β C=GB β
β π’ Intermediate 1 β C=GB β C=US β
β π’ Intermediate 2 β C=US β Unknown Root β
βββββββββββββββββββββ΄ββββββββββββββββ΄βββββββββββββββ
β οΈ Missing Intermediate Certificates:
β’ Missing root certificate or additional intermediates after C=US
Scan target hosts for open ports.
port-checker scan TARGET [OPTIONS]
Options:
--ports TEXT Comma-separated list of ports (default: common ports)
--timeout INTEGER Connection timeout in seconds (default: 3)
--concurrent INTEGER Maximum concurrent connections (default: 100)
--output TEXT Output file (JSON format)
--verbose Enable verbose outputCheck for L7 protection services.
port-checker l7-check TARGET [OPTIONS]
Options:
--timeout INTEGER Request timeout in seconds (default: 10)
--user-agent TEXT Custom User-Agent string
--output TEXT Output file (JSON format)
--verbose Enable verbose outputPerform both port scanning and L7 protection detection.
port-checker full-scan TARGET [OPTIONS]
Options:
--ports TEXT Comma-separated list of ports
--timeout INTEGER Connection timeout in seconds
--concurrent INTEGER Maximum concurrent connections
--output TEXT Output file (JSON format)
--verbose Enable verbose outputCheck for mTLS support on target hosts.
port-checker mtls-check TARGET [OPTIONS]
Options:
--client-cert TEXT Path to client certificate file
--client-key TEXT Path to client private key file
--timeout INTEGER Request timeout in seconds (default: 10)
--output TEXT Output file (JSON format)
--verbose Enable verbose outputGenerate test certificates for mTLS testing.
port-checker mtls-gen-cert COMMON_NAME [OPTIONS]
Options:
--days INTEGER Number of days the certificate is valid (default: 365)
--output-dir TEXT Directory to save the generated certificate and key
--verbose Enable verbose outputValidate client certificate and key files.
port-checker mtls-validate-cert CERT_FILE KEY_FILE [OPTIONS]
Options:
--verbose Enable verbose outputAnalyze SSL/TLS certificate chain for a target host.
port-checker cert-check TARGET [OPTIONS]
Options:
-p, --port INTEGER Target port (default: 443)
-t, --timeout INTEGER Connection timeout in seconds
-o, --output TEXT Output file for results (JSON)
--verify-hostname / --no-verify-hostname
Verify hostname against certificate
-v, --verbose Enable verbose outputAnalyze complete certificate chain and trust path.
port-checker cert-chain TARGET [OPTIONS]
Options:
-p, --port INTEGER Target port (default: 443)
-t, --timeout INTEGER Connection timeout in seconds
-o, --output TEXT Output file for results (JSON)
--check-revocation / --no-check-revocation
Check certificate revocation status
-v, --verbose Enable verbose outputShow detailed certificate information and who signed it.
port-checker cert-info TARGET [OPTIONS]
Options:
-p, --port INTEGER Target port (default: 443)
-t, --timeout INTEGER Connection timeout in seconds
-o, --output TEXT Output file for results (JSON)
--show-pem / --no-show-pem Show certificate in PEM format
-v, --verbose Enable verbose outputCheck for hybrid identity setup (Azure AD/ADFS integration).
This command discovers ADFS endpoints using the same method as Azure Portal - by querying Azure AD's user realm API. This is much more reliable than guessing ADFS URLs!
port-checker hybrid-identity TARGET [TARGET...] [OPTIONS]
Options:
-t, --timeout INTEGER Request timeout in seconds (default: 10)
-o, --output TEXT Output file (JSON format)
-v, --verbose Enable verbose output with DNS details
-c, --concurrent INTEGER Maximum concurrent checks (default: 10)
Examples:
# Check single domain
port-checker hybrid-identity example.com
# Check multiple domains with verbose output
port-checker hybrid-identity domain1.com domain2.com --verbose
# Batch check with output
port-checker hybrid-identity $(cat domains.txt) --output results.jsonWhat it checks:
- β ADFS endpoints via Azure AD login flow (most reliable - same as portal.azure.com)
- β Federation metadata endpoints
- β Azure AD integration and redirects
- β OpenID Connect configuration
- β DNS records for Microsoft services
See docs/hybrid-identity.md for detailed documentation.
Create a configuration file at ~/.port-checker.yaml:
default_ports: [80, 443, 8080, 8443, 22, 21, 25, 53]
timeout: 5
concurrent_limit: 50
user_agent: "SimplePortChecker/1.0"git clone https://github.com/htunnthuthu/simple-port-checker.git
cd simple-port-checker
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -e ".[dev]"pytest
pytest --cov=simple_port_checker # With coverageblack src/ tests/
isort src/ tests/
flake8 src/ tests/
mypy src/pre-commit install
pre-commit run --all-files#!/bin/bash
# enterprise-mtls-audit.sh
# Production-ready mTLS security audit script
set -euo pipefail
# Configuration
TARGETS_FILE="production-apis.txt"
CLIENT_CERT="/secure/certs/audit-client.crt"
CLIENT_KEY="/secure/keys/audit-client.key"
CA_BUNDLE="/etc/ssl/certs/enterprise-ca-bundle.pem"
OUTPUT_DIR="/var/log/security-audits"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
# Create output directory
mkdir -p "$OUTPUT_DIR"
echo "π Starting Enterprise mTLS Security Audit - $TIMESTAMP"
# Validate certificate files
if ! port-checker mtls-validate-cert "$CLIENT_CERT" "$CLIENT_KEY"; then
echo "β Certificate validation failed"
exit 1
fi
# Run comprehensive audit
port-checker mtls-check \
--client-cert "$CLIENT_CERT" \
--client-key "$CLIENT_KEY" \
--ca-bundle "$CA_BUNDLE" \
--timeout 30 \
--concurrent 10 \
--verbose \
--output "$OUTPUT_DIR/mtls-audit-$TIMESTAMP.json" \
$(cat "$TARGETS_FILE")
echo "β
Audit completed. Results saved to $OUTPUT_DIR/mtls-audit-$TIMESTAMP.json"
# Generate summary report
python3 -c "
import json
import sys
with open('$OUTPUT_DIR/mtls-audit-$TIMESTAMP.json') as f:
data = json.load(f)
total = data['total_targets']
mtls_required = data['mtls_required_count']
mtls_supported = data['mtls_supported_count']
print(f'π Audit Summary:')
print(f' Total APIs: {total}')
print(f' mTLS Required: {mtls_required} ({mtls_required/total*100:.1f}%)')
print(f' mTLS Supported: {mtls_supported} ({mtls_supported/total*100:.1f}%)')
if mtls_required < total * 0.8:
print('β οΈ WARNING: Less than 80% of APIs require mTLS')
sys.exit(1)
else:
print('β
Good: Majority of APIs properly secured with mTLS')
"# k8s-mtls-healthcheck.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: mtls-health-check
data:
check-mtls.sh: |
#!/bin/bash
set -e
# Check service mesh mTLS configuration
port-checker mtls-check \
service-a.production.svc.cluster.local:8443 \
service-b.production.svc.cluster.local:8443 \
--client-cert /etc/certs/tls.crt \
--client-key /etc/certs/tls.key \
--ca-bundle /etc/ca-certs/ca.crt \
--timeout 10 \
--output /tmp/mtls-health.json
# Validate all services require mTLS
if ! grep -q '"requires_client_cert": true' /tmp/mtls-health.json; then
echo "β mTLS not properly configured"
exit 1
fi
echo "β
mTLS health check passed"
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: mtls-health-check
spec:
schedule: "*/15 * * * *" # Every 15 minutes
jobTemplate:
spec:
template:
spec:
containers:
- name: mtls-checker
image: python:3.12-slim
command:
- /bin/bash
- /scripts/check-mtls.sh
volumeMounts:
- name: scripts
mountPath: /scripts
- name: certs
mountPath: /etc/certs
- name: ca-certs
mountPath: /etc/ca-certs
volumes:
- name: scripts
configMap:
name: mtls-health-check
defaultMode: 0755
- name: certs
secret:
secretName: service-mesh-certs
- name: ca-certs
secret:
secretName: ca-certificates
restartPolicy: OnFailure# .github/workflows/mtls-security-scan.yml
name: mTLS Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * *' # Daily at 2 AM
jobs:
mtls-security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.12'
- name: Install Simple Port Checker
run: |
pip install simple-port-checker cryptography
- name: Setup test certificates
run: |
# Generate test certificates for scanning
port-checker mtls-gen-cert ci-test-client
- name: Run mTLS Security Scan
env:
API_ENDPOINTS: ${{ secrets.API_ENDPOINTS }}
run: |
echo "$API_ENDPOINTS" > endpoints.txt
port-checker mtls-check \
--client-cert ci-test-client.crt \
--client-key ci-test-client.key \
--timeout 30 \
--concurrent 5 \
--output mtls-scan-results.json \
$(cat endpoints.txt)
- name: Analyze Results
run: |
python3 -c "
import json
import os
with open('mtls-scan-results.json') as f:
data = json.load(f)
failed = data['failed_checks']
total = data['total_targets']
if failed > 0:
print(f'β {failed}/{total} endpoints failed mTLS check')
exit(1)
else:
print(f'β
All {total} endpoints passed mTLS check')
"
- name: Upload Results
uses: actions/upload-artifact@v3
if: always()
with:
name: mtls-scan-results
path: mtls-scan-results.json
retention-days: 30# Dockerfile.mtls-scanner
FROM python:3.12-slim
# Install security scanning tools
RUN apt-get update && apt-get install -y \
openssl \
curl \
&& rm -rf /var/lib/apt/lists/*
# Install Simple Port Checker
RUN pip install simple-port-checker cryptography
# Create scanner script
COPY mtls-scan.py /app/
COPY entrypoint.sh /app/
WORKDIR /app
ENTRYPOINT ["./entrypoint.sh"]# entrypoint.sh
#!/bin/bash
set -euo pipefail
echo "π Starting Container mTLS Security Scan"
# Default configuration
TARGETS=${TARGETS:-""}
TIMEOUT=${TIMEOUT:-"30"}
CONCURRENT=${CONCURRENT:-"10"}
OUTPUT=${OUTPUT:-"/tmp/mtls-results.json"}
if [ -z "$TARGETS" ]; then
echo "β No targets specified. Set TARGETS environment variable."
exit 1
fi
# Run the scan
python3 /app/mtls-scan.py \
--targets "$TARGETS" \
--timeout "$TIMEOUT" \
--concurrent "$CONCURRENT" \
--output "$OUTPUT"
echo "β
Scan completed. Results in $OUTPUT"# mtls-scan.py
#!/usr/bin/env python3
import asyncio
import argparse
import json
import logging
import sys
from simple_port_checker import MTLSChecker
async def main():
parser = argparse.ArgumentParser(description='Container mTLS Security Scanner')
parser.add_argument('--targets', required=True, help='Comma-separated list of targets')
parser.add_argument('--timeout', type=int, default=30, help='Connection timeout')
parser.add_argument('--concurrent', type=int, default=10, help='Max concurrent checks')
parser.add_argument('--output', default='/tmp/results.json', help='Output file')
parser.add_argument('--verbose', action='store_true', help='Verbose logging')
args = parser.parse_args()
if args.verbose:
logging.basicConfig(level=logging.DEBUG)
# Parse targets
targets = [t.strip() for t in args.targets.split(',') if t.strip()]
# Initialize checker
checker = MTLSChecker(timeout=args.timeout, enable_logging=args.verbose)
print(f"π Scanning {len(targets)} targets...")
# Run scan
results = await checker.batch_check_mtls(targets, max_concurrent=args.concurrent)
# Generate summary
successful = sum(1 for r in results if r.error_message is None)
mtls_supported = sum(1 for r in results if r.supports_mtls)
mtls_required = sum(1 for r in results if r.requires_client_cert)
summary = {
'total_targets': len(targets),
'successful_checks': successful,
'failed_checks': len(targets) - successful,
'mtls_supported': mtls_supported,
'mtls_required': mtls_required,
'results': [r.dict() for r in results]
}
# Save results
with open(args.output, 'w') as f:
json.dump(summary, f, indent=2)
print(f"π Results: {successful}/{len(targets)} successful")
print(f"π mTLS: {mtls_supported} supported, {mtls_required} required")
# Exit with error if any checks failed
if successful < len(targets):
sys.exit(1)
if __name__ == '__main__':
asyncio.run(main())# Run the container scanner
docker run --rm \
-e TARGETS="api1.example.com,api2.example.com:8443" \
-e TIMEOUT=30 \
-e CONCURRENT=5 \
-v $(pwd)/results:/tmp \
mtls-scanner:latest
# Enterprise audit
./enterprise-mtls-audit.sh
# Quick security check
port-checker mtls-check \
api.example.com \
secure-api.example.com:8443 \
--verbose \
--output security-assessment.jsonSimple Port Checker is available as a Docker image for easy deployment and isolation.
# Basic port check
docker run --rm htunnthuthu/simple-port-checker:latest google.com 443
# mTLS check
docker run --rm htunnthuthu/simple-port-checker:latest google.com 443 --mtls
# Port range scan
docker run --rm htunnthuthu/simple-port-checker:latest --scan-range 192.168.1.1-254 --ports 22,80,443
# L7 protection check
docker run --rm htunnthuthu/simple-port-checker:latest l7-check example.com
# Interactive shell
docker run -it --rm htunnthuthu/simple-port-checker:latest bashlatest- Latest stable releasevX.Y.Z- Specific version tagsmain- Latest development build
Images are built for multiple architectures:
linux/amd64- Intel/AMD 64-bitlinux/arm64- ARM 64-bit (Apple Silicon, ARM servers)
For detailed Docker usage instructions, see Docker Documentation.
The Simple Port Checker with mTLS authentication support provides a comprehensive, production-ready solution for:
- π Security Assessment: Complete mTLS configuration analysis
- π Compliance Auditing: Automated compliance checking for enterprise environments
- π‘οΈ API Security: Client certificate authentication testing
- π Certificate Management: Validation and generation of certificates
- π Performance Monitoring: Detailed metrics and reliability tracking
- π Production Integration: CI/CD pipeline and enterprise deployment support
- Production-Ready: Built with enterprise security and reliability requirements
- Comprehensive Analysis: Complete mTLS authentication flow validation
- Flexible Integration: Support for various deployment scenarios (CLI, API, containers)
- Detailed Reporting: Rich output formats with actionable insights
- Performance Optimized: Concurrent processing with configurable retry logic
- Security Focused: Best practices for certificate handling and validation
# Install with mTLS support
pip install simple-port-checker cryptography
# Quick mTLS check
port-checker mtls-check api.example.com --verbose
# Generate test certificates
port-checker mtls-gen-cert test-client.example.com
# Enterprise security audit
port-checker mtls-check $(cat production-apis.txt) \
--client-cert audit-client.crt \
--client-key audit-client.key \
--output security-audit.json \
--verboseThe mTLS functionality seamlessly integrates with existing port scanning and L7 protection detection features, providing a complete security assessment toolkit for modern infrastructure.
This major release brings significant improvements to project structure and functionality:
- Unified CLI: All functionality now accessible through main
port-checkercommand - Clean Architecture: Proper Python package structure following best practices
- Type Safety: Full type hint support with
py.typedfile
- DNS Trace Command: New
dns-tracecommand for detailed CNAME chain analysis - Integrated Tracing: Use
--trace-dnsflag with L7 checks for comprehensive analysis - Better Detection: Improved protection detection through DNS-based analysis
- Security Policy: Added comprehensive security guidelines
- Better Testing: Reorganized test suite following Python standards
- Documentation: Updated and improved documentation
- CI/CD Ready: Optimized for automated builds and publishing
- Removed standalone scripts (use unified CLI instead)
- Moved tests to top-level directory
- Removed
run.py(usepython -m simple_port_checkeror installed commands)
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
See CHANGELOG.md for detailed version history.
- Enhanced F5 Big-IP Detection: Comprehensive F5 Big-IP detection improvements
- Advanced cookie pattern recognition (BIGipServer*, f5avr*session, TS* cookies)
- Improved banking domain support with intelligent fallback methods
- Enhanced detection for enterprise F5 deployments with custom configurations
- Certificate Chain Analysis Improvements: Major SSL/TLS certificate analysis enhancements
- Fixed certificate chain completeness logic for trusted intermediate CAs
- Comprehensive trusted root CA database (Amazon, Google, GlobalSign, Let's Encrypt, etc.)
- Support for Let's Encrypt E1-E9 intermediate certificates
- Resolved cryptography library deprecation warnings
- Smart recognition of trusted intermediates leading to known roots
- Accuracy Improvements: Refined L7 detection patterns to eliminate false positives
- Code Quality: Updated deprecated datetime properties for modern cryptography library
- Documentation Enhancement: Added PyPI statistics and download badges to README
- Privacy Improvements: Removed specific site references from documentation
- Professional Standards: Enhanced documentation quality and consistency
- Version Management: Improved version consistency across all files
- L7 Detection Fix: Fixed critical false positive where CloudFront sites were misidentified as F5 Big-IP
- Enhanced AWS WAF Detection: Now distinguishes between "CloudFront - AWS WAF" and pure "AWS WAF"
- Improved Accuracy: Better detection logic for AWS CloudFront vs F5 Big-IP services
- Bug Fixes: Corrected via header analysis and fallback detection logic
- Docker Support: Official Docker images now available on Docker Hub
- Enhanced README.md with comprehensive Docker usage examples
- Docker workflow configured for manual deployment to PyPI environment
- Multi-architecture Docker image support (AMD64, ARM64)
- Automated Docker builds with GitHub Actions
- Updated project documentation to highlight Docker availability
- Major project refactoring and cleanup
- Unified CLI interface with DNS trace functionality
- Production-ready structure with type hints
- Enhanced security and documentation
- Basic port scanning functionality
- L7 protection detection
- CLI interface
- Async support
- Rich terminal output
This tool is intended for legitimate security testing and network diagnostics only. Users are responsible for ensuring they have proper authorization before scanning any networks or systems they do not own.
For security vulnerabilities, please see our Security Policy.
- π Documentation
- π Issue Tracker
- Thanks to the Python community for excellent libraries
- Inspired by nmap and other network scanning tools
- Built with β€οΈ for the security community