changedetection.io-osint-processor 0.0.1__py3-none-any.whl

changedetectionio_osint/steps/ssh_fingerprint.py

@@ -0,0 +1,310 @@
+"""
+SSH Fingerprinting Step
+Connects to SSH service to extract server banner, version, and host key fingerprints
+"""
+
+import asyncio
+# SOCKS5 proxy support: SSH fingerprinting supports SOCKS5 via python-socks
+supports_socks5 = True
+import socket
+import hashlib
+import base64
+from loguru import logger
+
+
+async def scan_ssh(hostname, port=22, timeout=5, proxy_url=None, watch_uuid=None, update_signal=None):
+    """
+    Perform SSH server fingerprinting
+
+    Args:
+        hostname: Target hostname or IP address
+        port: SSH port (default 22)
+        timeout: Connection timeout in seconds
+        proxy_url: Optional SOCKS5 proxy URL (socks5://user:pass@host:port)
+        watch_uuid: Optional watch UUID for status updates
+        update_signal: Optional blinker signal for status updates
+
+    Returns:
+        dict: SSH fingerprint data
+    """
+    if update_signal and watch_uuid:
+        update_signal.send(watch_uuid=watch_uuid, status="SSH")
+
+    async def ssh_fingerprint():
+        results = {
+            'port_open': False,
+            'banner': None,
+            'version': None,
+            'software': None,
+            'host_keys': [],
+            'key_exchange_algorithms': [],
+            'encryption_algorithms': [],
+            'mac_algorithms': [],
+            'compression_algorithms': [],
+            'error': None
+        }
+
+        try:
+            # Connect to SSH port (with optional SOCKS5 proxy support)
+            if proxy_url and proxy_url.strip():
+                # Use SOCKS5 proxy for connection
+                try:
+                    from python_socks.async_.asyncio import Proxy
+                    from urllib.parse import urlparse
+
+                    # Parse SOCKS5 proxy URL
+                    parsed = urlparse(proxy_url)
+                    proxy = Proxy.from_url(proxy_url)
+
+                    # Connect through SOCKS5 proxy
+                    sock = await asyncio.wait_for(
+                        proxy.connect(dest_host=hostname, dest_port=port, timeout=timeout),
+                        timeout=timeout
+                    )
+
+                    # Create reader/writer from the socket
+                    reader, writer = await asyncio.open_connection(sock=sock)
+
+                except ImportError:
+                    logger.error("SOCKS5 proxy requested but 'python-socks[asyncio]' is not installed")
+                    results['error'] = "SOCKS5 proxy support requires 'python-socks[asyncio]' package"
+                    return results
+            else:
+                # Direct connection (no proxy)
+                reader, writer = await asyncio.wait_for(
+                    asyncio.open_connection(hostname, port),
+                    timeout=timeout
+                )
+
+            results['port_open'] = True
+
+            try:
+                # Read SSH banner (SSH-2.0-...)
+                banner_line = await asyncio.wait_for(reader.readline(), timeout=timeout)
+                banner = banner_line.decode('utf-8', errors='ignore').strip()
+                results['banner'] = banner
+
+                # Parse SSH version and software
+                # Format: SSH-protoversion-softwareversion [SP comments]
+                if banner.startswith('SSH-'):
+                    parts = banner.split('-', 2)
+                    if len(parts) >= 3:
+                        results['version'] = parts[1]  # e.g., "2.0"
+                        software_parts = parts[2].split(' ', 1)
+                        results['software'] = software_parts[0]  # e.g., "OpenSSH_8.2p1"
+
+                logger.debug(f"SSH banner: {banner}")
+
+                # Send our banner (minimal SSH client identification)
+                writer.write(b'SSH-2.0-ChangeDetectionIO_OSINT_Scanner\r\n')
+                await writer.drain()
+
+                # Try to read key exchange init (this contains algorithm lists)
+                # SSH packet format: packet_length (4 bytes) + padding_length (1 byte) + payload + padding + MAC
+                try:
+                    # Read packet length (first 4 bytes after banner exchange)
+                    packet_length_bytes = await asyncio.wait_for(reader.readexactly(4), timeout=timeout)
+                    packet_length = int.from_bytes(packet_length_bytes, byteorder='big')
+
+                    # SSH packets are typically < 35000 bytes for key exchange
+                    if 0 < packet_length < 35000:
+                        # Read the rest of the packet
+                        packet_data = await asyncio.wait_for(reader.readexactly(packet_length), timeout=timeout)
+
+                        # Parse SSH_MSG_KEXINIT (message type 20)
+                        if len(packet_data) > 1 and packet_data[0] == 20:
+                            # Skip: padding_length(1) + message_type(1) + cookie(16)
+                            offset = 1 + 16
+
+                            # Helper to read name-list (4-byte length + comma-separated names)
+                            def read_name_list(data, start_offset):
+                                if start_offset + 4 > len(data):
+                                    return [], start_offset
+                                list_len = int.from_bytes(data[start_offset:start_offset+4], byteorder='big')
+                                start_offset += 4
+                                if start_offset + list_len > len(data):
+                                    return [], start_offset
+                                names_bytes = data[start_offset:start_offset+list_len]
+                                names = names_bytes.decode('utf-8', errors='ignore').split(',')
+                                return names, start_offset + list_len
+
+                            # Read algorithm name-lists in order
+                            results['key_exchange_algorithms'], offset = read_name_list(packet_data, offset)
+                            server_host_key_algorithms, offset = read_name_list(packet_data, offset)
+                            results['encryption_algorithms'], offset = read_name_list(packet_data, offset)
+                            offset = read_name_list(packet_data, offset)[1]  # Skip encryption_algorithms_server_to_client
+                            results['mac_algorithms'], offset = read_name_list(packet_data, offset)
+                            offset = read_name_list(packet_data, offset)[1]  # Skip mac_algorithms_server_to_client
+                            results['compression_algorithms'], offset = read_name_list(packet_data, offset)
+
+                            # Store host key algorithms
+                            if server_host_key_algorithms:
+                                for alg in server_host_key_algorithms:
+                                    results['host_keys'].append({
+                                        'algorithm': alg,
+                                        'fingerprint': None  # Would need full key exchange to get actual keys
+                                    })
+
+                            logger.debug(f"SSH algorithms parsed successfully")
+
+                except asyncio.TimeoutError:
+                    logger.debug("Timeout reading SSH key exchange packet")
+                except Exception as e:
+                    logger.debug(f"Could not parse SSH key exchange: {e}")
+
+            finally:
+                writer.close()
+                await writer.wait_closed()
+
+        except asyncio.TimeoutError:
+            results['error'] = f"Connection timeout (port {port})"
+            logger.debug(f"SSH connection timeout: {hostname}:{port}")
+        except ConnectionRefusedError:
+            results['error'] = f"Connection refused (port {port} closed or filtered)"
+        except socket.gaierror as e:
+            results['error'] = f"DNS resolution failed: {e}"
+        except Exception as e:
+            results['error'] = f"Connection error: {str(e)}"
+            logger.debug(f"SSH fingerprint error: {e}")
+
+        return results
+
+    return await ssh_fingerprint()
+
+
+def format_ssh_results(ssh_results, port=22):
+    """Format SSH fingerprint results for output"""
+    lines = []
+    lines.append(f"=== SSH Server Fingerprint (Port {port}) ===")
+
+    if not ssh_results:
+        lines.append("No SSH scan results")
+        lines.append("")
+        return '\n'.join(lines)
+
+    if ssh_results.get('error') and not ssh_results.get('port_open'):
+        lines.append(f"Status: ✗ {ssh_results['error']}")
+        lines.append("")
+        return '\n'.join(lines)
+
+    if not ssh_results.get('port_open'):
+        lines.append(f"Status: ✗ Port {port} closed or filtered")
+        lines.append("")
+        return '\n'.join(lines)
+
+    # Port is open
+    lines.append(f"Status: ✓ SSH service detected on port {port}")
+    lines.append("")
+
+    # Banner and version
+    if ssh_results.get('banner'):
+        lines.append(f"Banner: {ssh_results['banner']}")
+    if ssh_results.get('version'):
+        lines.append(f"Protocol Version: SSH-{ssh_results['version']}")
+    if ssh_results.get('software'):
+        lines.append(f"Server Software: {ssh_results['software']}")
+
+        # Identify SSH server type
+        software = ssh_results['software'].lower()
+        if 'openssh' in software:
+            lines.append("  Server Type: OpenSSH (most common, widely audited)")
+        elif 'dropbear' in software:
+            lines.append("  Server Type: Dropbear (lightweight SSH server)")
+        elif 'libssh' in software:
+            lines.append("  Server Type: libssh (SSH library implementation)")
+        elif 'cisco' in software:
+            lines.append("  Server Type: Cisco SSH (network device)")
+        elif 'rosssh' in software:
+            lines.append("  Server Type: ROS SSH (MikroTik RouterOS)")
+        else:
+            lines.append("  Server Type: Unknown or custom implementation")
+
+    # Host key algorithms
+    if ssh_results.get('host_keys'):
+        lines.append("")
+        lines.append("Supported Host Key Algorithms:")
+        for key in ssh_results['host_keys']:
+            alg = key['algorithm']
+            lines.append(f"  • {alg}")
+
+            # Security assessment of algorithm
+            if 'ed25519' in alg:
+                lines.append("    Security: ✓ Excellent (Ed25519 - modern, fast, secure)")
+            elif 'ecdsa' in alg:
+                lines.append("    Security: ✓ Good (ECDSA - modern elliptic curve)")
+            elif 'rsa' in alg and 'sha256' in alg:
+                lines.append("    Security: ✓ Good (RSA with SHA-256)")
+            elif 'rsa' in alg and 'sha512' in alg:
+                lines.append("    Security: ✓ Good (RSA with SHA-512)")
+            elif 'rsa' in alg:
+                lines.append("    Security: ⚠ Acceptable (RSA - ensure >= 2048 bits)")
+            elif 'dsa' in alg or 'dss' in alg:
+                lines.append("    Security: ✗ Weak (DSA - deprecated, insecure)")
+            elif 'ssh-rsa' == alg:
+                lines.append("    Security: ⚠ Legacy (ssh-rsa - being phased out)")
+
+    # Key exchange algorithms
+    if ssh_results.get('key_exchange_algorithms'):
+        lines.append("")
+        lines.append("Key Exchange Algorithms:")
+        # Show only first 5 to avoid clutter
+        for alg in ssh_results['key_exchange_algorithms'][:5]:
+            lines.append(f"  • {alg}")
+        if len(ssh_results['key_exchange_algorithms']) > 5:
+            lines.append(f"  ... and {len(ssh_results['key_exchange_algorithms']) - 5} more")
+
+    # Encryption algorithms
+    if ssh_results.get('encryption_algorithms'):
+        lines.append("")
+        lines.append("Encryption Algorithms (Ciphers):")
+        for alg in ssh_results['encryption_algorithms'][:5]:
+            lines.append(f"  • {alg}")
+            # Flag weak ciphers
+            if 'cbc' in alg.lower():
+                lines.append("    ⚠ CBC mode (vulnerable to certain attacks)")
+            elif 'arcfour' in alg.lower() or 'rc4' in alg.lower():
+                lines.append("    ✗ RC4 (broken, should be disabled)")
+            elif '3des' in alg.lower():
+                lines.append("    ⚠ 3DES (outdated, slow)")
+            elif 'chacha20' in alg.lower() or 'aes.*gcm' in alg.lower():
+                lines.append("    ✓ Modern authenticated encryption")
+        if len(ssh_results['encryption_algorithms']) > 5:
+            lines.append(f"  ... and {len(ssh_results['encryption_algorithms']) - 5} more")
+
+    # MAC algorithms
+    if ssh_results.get('mac_algorithms'):
+        lines.append("")
+        lines.append("MAC (Message Authentication) Algorithms:")
+        for alg in ssh_results['mac_algorithms'][:5]:
+            lines.append(f"  • {alg}")
+        if len(ssh_results['mac_algorithms']) > 5:
+            lines.append(f"  ... and {len(ssh_results['mac_algorithms']) - 5} more")
+
+    # Compression
+    if ssh_results.get('compression_algorithms'):
+        lines.append("")
+        compression = ', '.join(ssh_results['compression_algorithms'])
+        lines.append(f"Compression: {compression}")
+
+    # Security recommendations
+    lines.append("")
+    lines.append("Security Recommendations:")
+    has_issues = False
+
+    if ssh_results.get('host_keys'):
+        weak_keys = [k for k in ssh_results['host_keys'] if 'dsa' in k['algorithm'].lower() or 'dss' in k['algorithm'].lower()]
+        if weak_keys:
+            lines.append("  ⚠ Disable weak DSA host keys")
+            has_issues = True
+
+    if ssh_results.get('encryption_algorithms'):
+        weak_ciphers = [c for c in ssh_results['encryption_algorithms'] if 'cbc' in c.lower() or 'arcfour' in c.lower() or '3des' in c.lower()]
+        if weak_ciphers:
+            lines.append("  ⚠ Disable weak/legacy ciphers (CBC mode, 3DES, RC4)")
+            has_issues = True
+
+    if not has_issues:
+        lines.append("  ✓ No obvious security issues detected")
+
+    lines.append("")
+    return '\n'.join(lines)

changedetectionio_osint/steps/tls_analysis.py

@@ -0,0 +1,332 @@
+"""
+TLS/SSL Analysis Step
+Deep SSL/TLS certificate and cipher analysis using SSLyze
+"""
+
+import asyncio
+# SOCKS5 proxy support: SSLyze library doesn't support SOCKS5 proxies (TODO: implement custom socket wrapper)
+supports_socks5 = False
+from loguru import logger
+
+
+async def scan_tls(hostname, port=443, watch_uuid=None, update_signal=None, vulnerability_scan=False):
+    """
+    Perform comprehensive TLS/SSL analysis
+
+    Args:
+        hostname: Target hostname
+        port: Port number (default 443)
+        watch_uuid: Optional watch UUID for status updates
+        update_signal: Optional blinker signal for status updates
+        vulnerability_scan: Enable vulnerability scanning (Heartbleed, ROBOT, etc.)
+
+    Returns:
+        list: SSL scan results from SSLyze
+    """
+    if update_signal and watch_uuid:
+        update_signal.send(watch_uuid=watch_uuid, status="TLS")
+
+    def run_sslyze_scan():
+        from sslyze import (
+            Scanner,
+            ServerNetworkLocation,
+            ServerScanRequest,
+            ScanCommand
+        )
+
+        # Create server location
+        server_location = ServerNetworkLocation(hostname=hostname, port=port)
+
+        # Define scan commands - always include certificate and cipher suites
+        scan_commands = {
+            ScanCommand.CERTIFICATE_INFO,
+            ScanCommand.SSL_2_0_CIPHER_SUITES,
+            ScanCommand.SSL_3_0_CIPHER_SUITES,
+            ScanCommand.TLS_1_0_CIPHER_SUITES,
+            ScanCommand.TLS_1_1_CIPHER_SUITES,
+            ScanCommand.TLS_1_2_CIPHER_SUITES,
+            ScanCommand.TLS_1_3_CIPHER_SUITES,
+        }
+
+        # Add vulnerability scans if enabled - AUTOMATICALLY discover all security checks
+        if vulnerability_scan:
+            # Get all available scan commands from sslyze
+            all_commands = [cmd for cmd in dir(ScanCommand) if not cmd.startswith('_') and cmd.isupper()]
+
+            # Filter out cipher suites and certificate commands we already have
+            cipher_protocol_commands = {
+                'SSL_2_0_CIPHER_SUITES', 'SSL_3_0_CIPHER_SUITES',
+                'TLS_1_0_CIPHER_SUITES', 'TLS_1_1_CIPHER_SUITES',
+                'TLS_1_2_CIPHER_SUITES', 'TLS_1_3_CIPHER_SUITES',
+                'CERTIFICATE_INFO'
+            }
+
+            # Add all other security/vulnerability check commands
+            security_commands = [
+                getattr(ScanCommand, cmd)
+                for cmd in all_commands
+                if cmd not in cipher_protocol_commands
+            ]
+            scan_commands.update(security_commands)
+
+            logger.debug(f"TLS vulnerability scanning enabled for {hostname}:{port} - {len(security_commands)} additional checks")
+
+        scan_request = ServerScanRequest(
+            server_location=server_location,
+            scan_commands=scan_commands
+        )
+
+        # Run scan
+        scanner = Scanner()
+        scanner.queue_scans([scan_request])
+
+        # Get results
+        ssl_results = []
+        for result in scanner.get_results():
+            ssl_results.append(result)
+
+        return ssl_results
+
+    try:
+        return await asyncio.to_thread(run_sslyze_scan)
+    except Exception as e:
+        logger.error(f"TLS analysis failed: {e}")
+        return []
+
+
+def format_tls_results(ssl_results, expire_warning_days=3, watch_uuid=None, update_signal=None):
+    """Format TLS/SSL results for output
+
+    Args:
+        ssl_results: SSL scan results from SSLyze
+        expire_warning_days: Number of days before expiration to show warning (default: 3)
+        watch_uuid: Optional watch UUID for status updates
+        update_signal: Optional blinker signal for status updates
+    """
+    lines = []
+    lines.append("=== SSL/TLS Analysis (SSLyze) ===")
+    lines.append("SERVER TLS Fingerprint - Full capabilities for JA3S analysis")
+    lines.append("")
+
+    if ssl_results:
+        scan_result = ssl_results[0]
+
+        # Check if scan was successful
+        if not scan_result.scan_result:
+            lines.append("TLS scan failed - target may not support TLS/SSL on this port")
+            lines.append("")
+            return '\n'.join(lines)
+
+        # Certificate info
+        if scan_result.scan_result.certificate_info and scan_result.scan_result.certificate_info.result:
+            cert_scan_result = scan_result.scan_result.certificate_info.result
+            lines.append("Certificate Information:")
+
+            for cert_deployment in cert_scan_result.certificate_deployments:
+                cert = cert_deployment.received_certificate_chain[0]
+                lines.append(f"  Subject: {cert.subject.rfc4514_string()}")
+                lines.append(f"  Issuer: {cert.issuer.rfc4514_string()}")
+
+                # Certificate validity dates
+                valid_from = cert.not_valid_before_utc
+                valid_until = cert.not_valid_after_utc
+
+                # Get current time in UTC (timezone-aware)
+                from datetime import datetime, timezone
+                now_utc = datetime.now(timezone.utc)
+
+                # Check if certificate is currently valid
+                is_valid = valid_from <= now_utc <= valid_until
+
+                # Calculate days until expiry
+                days_until_expiry = (valid_until - now_utc).days
+
+                lines.append(f"  Valid From: {valid_from}")
+                lines.append(f"  Valid Until: {valid_until}")
+
+                # Add validity status
+                if is_valid:
+                    if days_until_expiry < 0:
+                        lines.append(f"  Status: ✗ EXPIRED")
+                    elif days_until_expiry <= 7:
+                        lines.append(f"  Status: ⚠ EXPIRING SOON")
+                    elif days_until_expiry <= 30:
+                        lines.append(f"  Status: ✓ Valid")
+                    else:
+                        lines.append(f"  Status: ✓ Valid")
+                elif now_utc < valid_from:
+                    lines.append(f"  Status: ✗ NOT YET VALID")
+                else:
+                    lines.append(f"  Status: ✗ EXPIRED")
+
+                # Add expiration countdown if within configured warning days
+                if expire_warning_days > 0:
+                    try:
+                        # Ensure timezone-aware comparison
+                        cert_valid_until = valid_until
+                        cert_valid_from = valid_from
+
+                        # Make timezone-aware if needed (though should already be UTC)
+                        if cert_valid_until.tzinfo is None:
+                            cert_valid_until = cert_valid_until.replace(tzinfo=timezone.utc)
+                        if cert_valid_from.tzinfo is None:
+                            cert_valid_from = cert_valid_from.replace(tzinfo=timezone.utc)
+
+                        # Recalculate for safety
+                        days_left = (cert_valid_until - now_utc).days
+
+                        if days_left <= expire_warning_days and days_left >= 0:
+                            if days_left == 0:
+                                lines.append("  ⚠️  WARNING: Certificate expires TODAY!")
+                            elif days_left == 1:
+                                lines.append("  ⚠️  WARNING: Certificate expires in 1 day")
+                            else:
+                                lines.append(f"  ⚠️  WARNING: Certificate expires in {days_left} days")
+                        elif days_left < 0:
+                            lines.append("  ⚠️  WARNING: Certificate has EXPIRED!")
+                        elif now_utc < cert_valid_from:
+                            lines.append("  ⚠️  WARNING: Certificate is not yet valid!")
+                    except Exception as e:
+                        logger.error(f"Could not calculate certificate expiration countdown: {e}")
+                        lines.append(f"  ⚠️  ERROR: Could not calculate certificate expiration: {e}")
+
+                lines.append(f"  Serial Number: {cert.serial_number}")
+
+                # Subject Alternative Names
+                try:
+                    from cryptography.x509.oid import ExtensionOID
+                    san_ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+                    san_names = [name.value for name in san_ext.value]
+                    lines.append(f"  SANs: {', '.join(san_names)}")
+                except:
+                    pass
+
+        # Cipher suites
+        lines.append("")
+        lines.append("Supported TLS Versions & Cipher Suites:")
+
+        for tls_version in ['TLS_1_3', 'TLS_1_2', 'TLS_1_1', 'TLS_1_0', 'SSL_3_0', 'SSL_2_0']:
+            cipher_attr = tls_version.lower() + '_cipher_suites'
+            cipher_scan_attempt = getattr(scan_result.scan_result, cipher_attr, None)
+
+            if cipher_scan_attempt and cipher_scan_attempt.result:
+                cipher_result = cipher_scan_attempt.result
+                if cipher_result.accepted_cipher_suites:
+                    lines.append(f"  {tls_version.replace('_', ' ')}:")
+                    for cipher in cipher_result.accepted_cipher_suites:
+                        lines.append(f"    - {cipher.cipher_suite.name}")
+
+        # Vulnerability Scan Results (if enabled) - GENERIC PARSER
+        vulnerabilities = []
+
+        # Map of known vulnerability names to display strings (for prettier output)
+        vuln_display_names = {
+            'heartbleed': 'Heartbleed (CVE-2014-0160)',
+            'robot': 'ROBOT Attack',
+            'openssl_ccs_injection': 'OpenSSL CCS Injection (CVE-2014-0224)',
+            'tls_compression': 'TLS Compression (CRIME)',
+            'session_renegotiation': 'Insecure Renegotiation',
+            'tls_fallback_scsv': 'TLS Downgrade Protection',
+            'tls_1_3_early_data': 'TLS 1.3 0-RTT',
+            'elliptic_curves': 'Elliptic Curves Support',
+            'session_resumption': 'Session Resumption',
+            'tls_extended_master_secret': 'Extended Master Secret',
+        }
+
+        # Generic vulnerability checker - works for ANY sslyze vulnerability scan
+        for attr_name in dir(scan_result.scan_result):
+            if attr_name.startswith('_'):
+                continue
+
+            # Skip cipher suite and certificate scans
+            if 'cipher' in attr_name.lower() or attr_name == 'certificate_info':
+                continue
+
+            scan_attempt = getattr(scan_result.scan_result, attr_name, None)
+            if not scan_attempt or not hasattr(scan_attempt, 'result'):
+                continue
+
+            result_obj = scan_attempt.result
+            if not result_obj:
+                continue
+
+            # Send status update for this vulnerability check
+            if update_signal and watch_uuid:
+                check_name = vuln_display_names.get(attr_name, attr_name.replace('_', ' ').title())
+                update_signal.send(watch_uuid=watch_uuid, status=f"TLS: {check_name}")
+
+            try:
+                # Try to determine if this is a vulnerability
+                is_vulnerable = False
+                vuln_detected = False
+
+                # Common vulnerability indicator patterns
+                result_dict = vars(result_obj) if hasattr(result_obj, '__dict__') else {}
+
+                # Check for "is_vulnerable_to_*" patterns
+                for key, value in result_dict.items():
+                    if 'vulnerable' in key.lower() and value is True:
+                        is_vulnerable = True
+                        vuln_detected = True
+                        break
+                    # Check for "supports_" patterns where support might be bad
+                    if attr_name == 'tls_compression' and key == 'supports_compression' and value:
+                        is_vulnerable = True
+                        vuln_detected = True
+                    # Check for ROBOT result enum
+                    if 'robot' in key.lower() and 'VULNERABLE' in str(value).upper():
+                        is_vulnerable = True
+                        vuln_detected = True
+                    # Check for insecure renegotiation
+                    if attr_name == 'session_renegotiation':
+                        is_secure = getattr(result_obj, 'is_secure_renegotiation_supported', True)
+                        accepts_client = getattr(result_obj, 'accepts_client_renegotiation', False)
+                        if not is_secure or accepts_client:
+                            is_vulnerable = True
+                            vuln_detected = True
+                    # Check for missing downgrade protection
+                    if attr_name == 'tls_fallback_scsv':
+                        supports = getattr(result_obj, 'supports_fallback_scsv', True)
+                        if not supports:
+                            is_vulnerable = True
+                            vuln_detected = True
+
+                # If we detected this vulnerability check, add it to results
+                if vuln_detected or attr_name in vuln_display_names:
+                    display_name = vuln_display_names.get(attr_name, attr_name.replace('_', ' ').title())
+                    vulnerabilities.append((display_name, is_vulnerable))
+
+            except Exception as e:
+                logger.debug(f"Could not parse {attr_name} result: {e}")
+
+        # Display vulnerability scan report - show all checks
+        if vulnerabilities:
+            lines.append("")
+            lines.append("=== TLS Security Vulnerability Report ===")
+
+            # Count vulnerable issues
+            vulnerable_count = sum(1 for _, is_vuln in vulnerabilities if is_vuln)
+
+            if vulnerable_count > 0:
+                lines.append(f"Status: ⚠️  {vulnerable_count} issue(s) found")
+            else:
+                lines.append("Status: ✓ All checks passed")
+
+            lines.append("")
+            for vuln_name, is_vulnerable in vulnerabilities:
+                status = "✗ VULNERABLE" if is_vulnerable else "✓ Secure"
+                lines.append(f"  {status}: {vuln_name}")
+
+        # HTTP Security Headers (if scanned)
+        if hasattr(scan_result.scan_result, 'http_headers') and scan_result.scan_result.http_headers:
+            if scan_result.scan_result.http_headers.result:
+                lines.append("")
+                lines.append("HTTP Security Headers:")
+                headers = scan_result.scan_result.http_headers.result
+                if hasattr(headers, 'strict_transport_security_header') and headers.strict_transport_security_header:
+                    lines.append(f"  ✓ HSTS: {headers.strict_transport_security_header.max_age} seconds")
+                else:
+                    lines.append("  ✗ HSTS: Not set")
+
+    lines.append("")
+    return '\n'.join(lines)