exploit the possibilities

Common Name Grabber Script

Common Name Grabber Script
Posted Mar 4, 2013
Authored by nitr0us

This is a simple perl script that will scan a given IP range and extract the Common Name from all SSL certificates. It is useful for discovery during penetration tests.

tags | tool, perl
systems | unix
SHA-256 | 8bee3b0c0b06ba802a3816adb1b076af310701d747f2d5b5a2c0056512339dd9

Common Name Grabber Script

Change Mirror Download
#!/usr/bin/perl
#
# ssl_hostname_resolver.pl
# CN (Common Name) grabber on X.509 Certificates over HTTPS
#
# Copyright (c) 2013 by Alejandro Hernandez, IOActive, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# I had this simple idea in my previous pentest where, for
# some reason, I couldn't resolve some IP addresses to their
# corresponding hostnames, but their CN fields (SSL certs
# on HTTPS) had resolvable hostnames. So, I did this simple script !
#
# -----------------------------------------------------------------
#
# For some security scanners, such as Nessus and Nikto2,
# it's considered a security vulnerability:
#
# "Standard certificate validation procedures require the subject
# CN field of a certificate to match the actual name of the entity
# presenting the certificate. For example, in a certificate presented
# by https://www.example.com/, the CN should be www.example.com."
# Source: X.509 Certificate Subject CN Does Not Match the Entity Name
# http://www.rapid7.com/vulndb/lookup/certificate-common-name-mismatch
#
#
# Alejandro Hernandez < alejandro.hernandez [at] ioactive.co.uk >
# http://twitter.com/nitr0usmx
#
# IOActive Labs Research
# http://blog.ioactive.com
#

use Net::CIDR::Lite;
use NetAddr::IP;
use Net::SSL;

$connection_timeout = 3; # seconds
$SIG{ALRM} = sub { }; # Do nothing when the connection timeout is reached instead of die

print <<HDR;

-=[ ssl_hostname_resolver.pl
-=[ by \@nitr0usmx
-=[
-=[ CN (Common Name) grabber on X.509 Certificates over HTTPS

HDR

sub usage
{
print <<USG;
-=[ Usage: $0 <CIDR block | IP range | single IP> [port to connect (443 default)]
-=[ E.g. CIDR block : $0 192.168.1.0/24
-=[ IP Range : $0 192.168.1.1-192.168.13.37
-=[ Single IP : $0 192.168.1.254

USG
}

my $targets = shift or (usage and die "No targets given!\n");
my $port = shift || 443;

my $cidr_lite = Net::CIDR::Lite->new($targets);
@cidr_list = $cidr_lite->list;

print "-=[ Connecting every host on port: $port\n\n";

print "-------------------------------------------------\n";
print " IP => CN (Common Name)\n";
print "-------------------------------------------------\n";

for my $cidr( @cidr_list ){
my $n = NetAddr::IP->new($cidr);

for my $ip( @{ $n->splitref( $n->bits() ) } ){
printf("%-15s => %s\n", $ip->addr, getCNFromX509($ip->addr));
}
}

sub getCNFromX509
{
my $ip = shift;

eval{
alarm($connection_timeout); # No. of seconds of connection timeout

$ssl = Net::SSL->new(
PeerAddr => $ip,
PeerPort => $port,
Timeout => 5 # Never reached, alarm() will be triggered before
);
};

alarm(0);

if($@){ # some error occurred
return "(Couldn't connect to port $port)";
}

$ssl->get_peer_certificate->subject_name =~ /CN=(.*)/g;

return $1;
}
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close