accept no compromises

Common Name Grabber Script

Common Name Grabber Script
Posted Mar 4, 2013
Authored by nitr0us

This is a simple perl script that will scan a given IP range and extract the Common Name from all SSL certificates. It is useful for discovery during penetration tests.

tags | tool, perl
systems | unix
MD5 | f2b32e2272f7bc44a7767e3c9a8a06d6

Common Name Grabber Script

Change Mirror Download
#!/usr/bin/perl
#
# ssl_hostname_resolver.pl
# CN (Common Name) grabber on X.509 Certificates over HTTPS
#
# Copyright (c) 2013 by Alejandro Hernandez, IOActive, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# I had this simple idea in my previous pentest where, for
# some reason, I couldn't resolve some IP addresses to their
# corresponding hostnames, but their CN fields (SSL certs
# on HTTPS) had resolvable hostnames. So, I did this simple script !
#
# -----------------------------------------------------------------
#
# For some security scanners, such as Nessus and Nikto2,
# it's considered a security vulnerability:
#
# "Standard certificate validation procedures require the subject
# CN field of a certificate to match the actual name of the entity
# presenting the certificate. For example, in a certificate presented
# by https://www.example.com/, the CN should be www.example.com."
# Source: X.509 Certificate Subject CN Does Not Match the Entity Name
# http://www.rapid7.com/vulndb/lookup/certificate-common-name-mismatch
#
#
# Alejandro Hernandez < alejandro.hernandez [at] ioactive.co.uk >
# http://twitter.com/nitr0usmx
#
# IOActive Labs Research
# http://blog.ioactive.com
#

use Net::CIDR::Lite;
use NetAddr::IP;
use Net::SSL;

$connection_timeout = 3; # seconds
$SIG{ALRM} = sub { }; # Do nothing when the connection timeout is reached instead of die

print <<HDR;

-=[ ssl_hostname_resolver.pl
-=[ by \@nitr0usmx
-=[
-=[ CN (Common Name) grabber on X.509 Certificates over HTTPS

HDR

sub usage
{
print <<USG;
-=[ Usage: $0 <CIDR block | IP range | single IP> [port to connect (443 default)]
-=[ E.g. CIDR block : $0 192.168.1.0/24
-=[ IP Range : $0 192.168.1.1-192.168.13.37
-=[ Single IP : $0 192.168.1.254

USG
}

my $targets = shift or (usage and die "No targets given!\n");
my $port = shift || 443;

my $cidr_lite = Net::CIDR::Lite->new($targets);
@cidr_list = $cidr_lite->list;

print "-=[ Connecting every host on port: $port\n\n";

print "-------------------------------------------------\n";
print " IP => CN (Common Name)\n";
print "-------------------------------------------------\n";

for my $cidr( @cidr_list ){
my $n = NetAddr::IP->new($cidr);

for my $ip( @{ $n->splitref( $n->bits() ) } ){
printf("%-15s => %s\n", $ip->addr, getCNFromX509($ip->addr));
}
}

sub getCNFromX509
{
my $ip = shift;

eval{
alarm($connection_timeout); # No. of seconds of connection timeout

$ssl = Net::SSL->new(
PeerAddr => $ip,
PeerPort => $port,
Timeout => 5 # Never reached, alarm() will be triggered before
);
};

alarm(0);

if($@){ # some error occurred
return "(Couldn't connect to port $port)";
}

$ssl->get_peer_certificate->subject_name =~ /CN=(.*)/g;

return $1;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close