Nmap and OpenSSL for getting digital certificates information

Description

You have a relatively big infrastructure and you want to make an inventory of the digital certificates in use.

You need to find out the relevant information about those certificates: issuer, subject and expiration date.

Explanation

- If you are using a Unix-like environment, you already have the necessary tools, nmap (https://nmap.org/) and OpenSSL (https://www.openssl.org/), to accomplish the task.

- It is assumed that your SSL services are running on the standard SSL port 443.

- If your services use other ports, such as 8443 or 18443, add those ports to the nmap command as well when you scan your infrastructure for open TCP port 443.

Implementation

It is assumed that OpenSSL and nmap are already installed.

Step one

Make a list of IPs with open port 443 (or 8443, or whatever other port your SSL services use).

### scan for port TCP 443 (-Pn: skip host discovery, scan every address)
nmap -Pn -p443 --open -oG - 10.1.0.0/24 | grep "Status: Up" | cut -d " " -f 2 > IP_LIST
nmap -Pn -p443 --open -oG - 10.1.1.0/24 | grep "Status: Up" | cut -d " " -f 2 >> IP_LIST
nmap -Pn -p443,8443 --open -oG - 10.1.2.0/24 | grep "Status: Up" | cut -d " " -f 2 >> IP_LIST

If you use several ports, such as 443, 8443 and 18443, the nmap command becomes:

nmap -Pn -p443,8443,18443 --open -oG - 10.1.2.0/24 | grep "Status: Up" | cut -d " " -f 2 >> IP_LIST

Note: Another tool that can be used for scanning your infrastructure is zmap (it proves to be faster than nmap): https://zmap.io/

Step two

After we have a complete list of IPs with port 443 open, we are ready to extract relevant information from the sites.

Content of the inventory.sh script

#!/bin/bash
### check the issuer, subject and expiration date
### print in the file: IP address, issuer, subject, expiration date
### connections are always made to port 443; IP_LIST carries no port numbers
### no server name is sent (only the IP is known), so a host serving several
### names returns its default certificate
while read -r i; do
    # fetch the certificate once and read all three fields from it
    cert=$(echo | timeout 3 openssl s_client -crlf -connect "$i:443" -showcerts 2>/dev/null)
    issuer=$(echo "$cert" | openssl x509 -noout -issuer 2>/dev/null)
    subject=$(echo "$cert" | openssl x509 -noout -subject 2>/dev/null)
    expdate=$(echo "$cert" | openssl x509 -noout -enddate 2>/dev/null)
    echo -e "$(host "$i") \t$i \t$issuer \t$subject \t$expdate" >> CERTIFICATES_INFO
    echo "--------------------------------------------------" >> CERTIFICATES_INFO
done < IP_LIST
echo "This is DONE"


Step 3

After you have gathered all the relevant information, just sort the content of the CERTIFICATES_INFO file by issuer or by expiration date.
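As an added example (not part of the original how-to), the two shell helpers below close the gaps in the pipeline above: parse_open_ports reads the "Ports:" lines of the nmap grepable output so that the port nmap actually found is kept and can be passed to openssl instead of a hard-coded 443, and days_left converts the notAfter= value into days remaining so the inventory can be sorted by expiry. The nmap and openssl output is constructed sample data so the script runs offline, and days_left assumes GNU date.

```shell
#!/bin/sh
# Added example, not from the original page. Sample data is constructed so it
# runs with no network; in use, pipe real "nmap -oG -" / openssl output in.

# Constructed "nmap -oG -" output (nmap separates the fields with tabs).
NMAP_SAMPLE=$(printf '%s\t%s\n' \
  'Host: 10.1.2.10 ()' 'Ports: 443/open/tcp//https///, 8443/closed/tcp//https-alt///' \
  'Host: 10.1.2.11 ()' 'Ports: 8443/open/tcp//https-alt///, 18443/open/tcp/////')

# Print "ip:port" for every open TCP port, ready for "openssl s_client -connect".
# Reading the Ports: line (not "Status: Up") also skips hosts with nothing open.
parse_open_ports() {
    awk -F'\t' '/Ports:/ {
        ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
        ports = $2; sub(/^Ports: /, "", ports)
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[2] == "open" && f[3] == "tcp") print ip ":" f[1]
        }
    }'
}

# days_left "notAfter=..." [NOW_EPOCH]: whole days until expiry, negative once
# expired. Assumes GNU date, which parses the date format openssl x509 prints.
days_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# Constructed "host:port notAfter=..." lines; the real inventory script would
# produce these from "openssl x509 -noout -enddate".
CERT_SAMPLE='10.1.2.10:443 notAfter=Jun 30 12:00:00 2025 GMT
10.1.2.11:8443 notAfter=Mar 10 08:00:00 2025 GMT
10.1.2.11:18443 notAfter=Dec 31 23:59:59 2026 GMT'

# expiry_report [NOW_EPOCH]: "days  host:port  notAfter", soonest expiry first.
expiry_report() {
    while read -r hostport notafter; do
        printf '%s\t%s\t%s\n' "$(days_left "$notafter" "$1")" "$hostport" "$notafter"
    done | sort -n
}

printf '%s\n' "$NMAP_SAMPLE" | parse_open_ports
printf '%s\n' "$CERT_SAMPLE" | expiry_report
```

Lines with a small or negative day count are the certificates to renew first; feeding the output of parse_open_ports to openssl in place of IP_LIST also makes the 8443 and 18443 services reachable by the inventory.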

Author: techwritter