This is a simple perl script that will scan a given IP range and extract the Common Name from all SSL certificates. It is useful for discovery during penetration tests.
8bee3b0c0b06ba802a3816adb1b076af310701d747f2d5b5a2c0056512339dd9#!/usr/bin/perl
#
# ssl_hostname_resolver.pl
# CN (Common Name) grabber on X.509 Certificates over HTTPS
#
# Copyright (c) 2013 by Alejandro Hernandez, IOActive, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# I had this simple idea in my previous pentest where, for
# some reason, I couldn't resolve some IP addresses to their
# corresponding hostnames, but their CN fields (SSL certs
# on HTTPS) had resolvable hostnames. So, I did this simple script !
#
# -----------------------------------------------------------------
#
# For some security scanners, such as Nessus and Nikto2,
# it's considered a security vulnerability:
#
# "Standard certificate validation procedures require the subject
# CN field of a certificate to match the actual name of the entity
# presenting the certificate. For example, in a certificate presented
# by https://www.example.com/, the CN should be www.example.com."
# Source: X.509 Certificate Subject CN Does Not Match the Entity Name
# http://www.rapid7.com/vulndb/lookup/certificate-common-name-mismatch
#
#
# Alejandro Hernandez < alejandro.hernandez [at] ioactive.co.uk >
# http://twitter.com/nitr0usmx
#
# IOActive Labs Research
# http://blog.ioactive.com
#
use Net::CIDR::Lite;
use NetAddr::IP;
use Net::SSL;
$connection_timeout = 3; # seconds
$SIG{ALRM} = sub { }; # Do nothing when the connection timeout is reached instead of die
print <<HDR;
-=[ ssl_hostname_resolver.pl
-=[ by \@nitr0usmx
-=[
-=[ CN (Common Name) grabber on X.509 Certificates over HTTPS
HDR
sub usage
{
print <<USG;
-=[ Usage: $0 <CIDR block | IP range | single IP> [port to connect (443 default)]
-=[ E.g. CIDR block : $0 192.168.1.0/24
-=[ IP Range : $0 192.168.1.1-192.168.13.37
-=[ Single IP : $0 192.168.1.254
USG
}
my $targets = shift or (usage and die "No targets given!\n");
my $port = shift || 443;
my $cidr_lite = Net::CIDR::Lite->new($targets);
@cidr_list = $cidr_lite->list;
print "-=[ Connecting every host on port: $port\n\n";
print "-------------------------------------------------\n";
print " IP => CN (Common Name)\n";
print "-------------------------------------------------\n";
for my $cidr( @cidr_list ){
my $n = NetAddr::IP->new($cidr);
for my $ip( @{ $n->splitref( $n->bits() ) } ){
printf("%-15s => %s\n", $ip->addr, getCNFromX509($ip->addr));
}
}
sub getCNFromX509
{
my $ip = shift;
eval{
alarm($connection_timeout); # No. of seconds of connection timeout
$ssl = Net::SSL->new(
PeerAddr => $ip,
PeerPort => $port,
Timeout => 5 # Never reached, alarm() will be triggered before
);
};
alarm(0);
if($@){ # some error occurred
return "(Couldn't connect to port $port)";
}
$ssl->get_peer_certificate->subject_name =~ /CN=(.*)/g;
return $1;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed