
From a Linux system, for a given IP range I need to check each open port to see if an SSL certificate is in use. For example, I would like to check ports 1 - 9999 on the address range 192.168.22.0/24. If an open port is using an SSL certificate I'd like to retrieve the CN name, expiration date, etc... I've found lots of tools that will check common ports like 443 or 8443 but I need to find SSL certs in use on non standard ports. Any tool suggestions or advice is appreciated. Thanks.

2 Answers


Technically, if the server is using SNI, you won't be able to extract all the certificates, as you need to specify each hostname during SSL negotiation (on client hello).

Not specifying the hostname would send you the default site, but you won't have any means to know what other sites it's hosting, as reverse DNS is not very trustworthy.

This script will take some time, as it is going for the default openssl timeout, but will get the dates, issuer and subject (and lastly the port where it found it) of every "default" certificate of a server. Enclose it in another loop to do the IP range, but it will take forever to finish.

for (( i=1; i<10000; i++ )); do
    # EOF on stdin makes s_client return right after the handshake; no -servername is sent,
    # so an SNI host can only ever show its default certificate here
    openssl s_client -connect SITENAME:$i </dev/null 2>/dev/null |
    # keep just the PEM block between the BEGIN/END CERTIFICATE lines
    awk 'BEGIN {a=0} /BEGIN CERT/ {a=1} (a>0) {print} /END CERT/ {a=0}' |
    # x509 prints subject, issuer and dates and exits non-zero when no certificate came back,
    # so the port is only echoed when a certificate was actually retrieved
    openssl x509 -noout -subject -issuer -dates 2>/dev/null && echo On port $i
done
NuTTyX

By convention, applications use specific ports when they are encrypted (for example http is 80 and https is 443). So you wouldn't scan all ports you'd just check to see if the app is using the encrypted ports. Like so:

nmap -sT -p 443 -oG - 192.168.1.0/24 | grep open

Replace 443 with the port your application uses for encrypted communication. Also, replace 192.168.1.0/24 with the target specification you'd like to use.

To get the certificate you'd use a command like this:

openssl s_client -showcerts -connect host.host:9999 </dev/null

Replacing host.host:9999 with the specific host and port you want.

If you like you may use that on any combination of host and port, but be prepared to wait a long time per machine if you really intend to scan all ports on a PC. More if you want to do that for many computers on a network. 65k is a big number and network operations are slow to begin with, but I suspect that this will need to time out for each port, so a shotgun approach really isn't even feasible at all; you'll need to significantly narrow down your pool of ports to check.

krowe
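Both answers retrieve a certificate with openssl s_client one host:port at a time and warn that sweeping a /24 over thousands of ports serially will take forever, and the first one points out that without SNI you only ever see a server's default certificate. The script below is an added example, not code from either answer or from any tool mentioned on this page: it does the same sweep from Python with only the standard library (a TCP connect with a short timeout, a TLS handshake with verification disabled so self-signed and internal certificates are still collected, and a small DER walker that pulls the subject CN, issuer CN and validity dates out of the leaf certificate without shelling out to openssl), runs each host's port batch on a thread pool so the per-port timeouts overlap instead of adding up, and, like the first answer's loop, sends no SNI by default. The network 192.168.22.0/24 and the port range 1-9999 are the ones from the question; every function name is my own, and constructed_cert() builds a made-up, unsigned certificate that exists only so the parser can be exercised offline.

```python
import ipaddress
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone
from functools import partial

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName 2.5.4.3, DER-encoded

def der_read(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low seven bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read(buf, pos)
        yield tag, vstart, vend
        pos = vend

def name_cn(buf, start, end):
    """commonName from an X.501 Name (SEQUENCE of SET of SEQUENCE {OID, value}), or None."""
    for _, rdn_s, rdn_e in der_children(buf, start, end):
        for _, atv_s, atv_e in der_children(buf, rdn_s, rdn_e):
            oid, value = list(der_children(buf, atv_s, atv_e))[:2]
            if buf[oid[1]:oid[2]] == OID_COMMON_NAME:
                return buf[value[1]:value[2]].decode("utf-8", "replace")
    return None

def parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def summarize_cert(der):
    """Subject CN, issuer CN and validity window of a DER-encoded X.509 certificate."""
    _, cert_s, _ = der_read(der, 0)          # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_read(der, cert_s)  # tbsCertificate ::= SEQUENCE
    fields = list(der_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # then: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2], fields[3], fields[4]
    not_before, not_after = [parse_time(t, der[s:e]) for t, s, e in der_children(der, validity[1], validity[2])]
    return {"subject_cn": name_cn(der, subject[1], subject[2]),
            "issuer_cn": name_cn(der, issuer[1], issuer[2]),
            "not_before": not_before, "not_after": not_after}

def fetch_leaf_cert(host, port, timeout=3.0, sni=None):
    """TCP-connect, then TLS-handshake; return the peer's DER certificate, or None if the port is
    closed, filtered or not TLS. With sni=None the server can only send its default certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may be set to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # inventory, not trust: self-signed certs are what we want to find
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:                  # refused, timed out, or ssl.SSLError from a non-TLS service
        return None

def scan(network, ports, timeout=3.0, workers=64):
    """Yield (ip, port, summary) for every port that completes a TLS handshake. One thread-pool
    batch per host keeps memory bounded while the per-port timeouts overlap instead of adding up."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for ip in ipaddress.ip_network(network).hosts():
            host = str(ip)
            for port, der in zip(ports, pool.map(partial(fetch_leaf_cert, host, timeout=timeout), ports)):
                if der:
                    yield host, port, summarize_cert(der)

def tlv(tag, *children):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    body = b"".join(children)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def constructed_cert(cn, not_before="240101000000Z", not_after="250101000000Z"):
    """Constructed sample input (hypothetical, not a real certificate): structurally valid but
    unsigned with a dummy key, enough to exercise summarize_cert() offline."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_COMMON_NAME), tlv(0x0C, cn.encode()))))
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), sha256_rsa, name,
              tlv(0x30, tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode())),
              name, tlv(0x30, sha256_rsa, tlv(0x03, b"\x00dummy")))
    return tlv(0x30, tbs, sha256_rsa, tlv(0x03, b"\x00"))

if __name__ == "__main__":  # the range and ports from the question
    for ip, port, s in scan("192.168.22.0/24", range(1, 10000)):
        print(f"{ip}:{port} CN={s['subject_cn']} issuer={s['issuer_cn']} notAfter={s['not_after']:%Y-%m-%d}")
```

Two design choices worth noting. Verification is turned off on purpose: Python's getpeercert() only returns a parsed dict when the chain verified, which is exactly what an internal or self-signed certificate will fail, so the script takes the raw DER with binary_form=True and decodes the handful of fields it needs itself. And, as the first answer says, a blind sweep can only see each server's default certificate; if you already know the virtual-host names, pass them as sni= to fetch_leaf_cert() and run the same port once per name.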