RedSiege / EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
https://www.christophertruncer.com/eyewitness-usage-guide/
GNU General Public License v3.0

feature idea - Capture CN & SAN from SSL #310

Open digininja opened 6 years ago

digininja commented 6 years ago

A feature that would be nice to have would be to pull out the CN and any SANs from SSL certs and present them in the info box, possibly as links. This would help find sites where there is no default vhost set so EyeWitness shows splash pages or 404s.

ChrisTruncer commented 6 years ago

Yeah, this would be a good idea to add in. I'll need to look into parsing SSL certs, but I do like this.

dannutu commented 5 years ago

I was just about to suggest this feature (I find SSL/TLS certificates quite useful for identifying what a web site is, or to whom it belongs), when I stopped to see if it was already requested. I'm glad I did :)

A very quick/lazy way of parsing SSL/TLS certificates to a summary format meaningful for human consumption would be to rely on nmap and its ssl-cert.nse script, e.g.:

```
[root@instance-1 EyeWitness]# nmap -Pn -sS -p443 --script /usr/share/nmap/scripts/ssl-cert.nse www.google.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-23 16:58 UTC
Nmap scan report for www.google.com (216.58.204.4)
Host is up (0.00085s latency).
rDNS record for 216.58.204.4: lhr35s07-in-f4.1e100.net
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.google.com/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Issuer: commonName=Google Internet Authority G3/organizationName=Google Trust Services/countryName=US
| Public Key type: ec
| Public Key bits: 256
| Not valid before: 2019-03-01T09:46:35+00:00
| Not valid after:  2019-05-24T09:25:00+00:00
| MD5:   ba97 1773 7c5b 1b1c 6097 e102 7beb 21ae
|_SHA-1: df6b 9581 c603 ebed 48eb 6ccf eefe e61f ad01 7834

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
```

Cheers!

dannutu commented 5 years ago

Or, more to the point for SANs:

```
[root@instance-1 EyeWitness]# openssl </dev/null 2>/dev/null s_client -showcerts -servername google.com -connect google.com:443 | openssl x509 -inform pem -noout -text | grep -A1 'X509v3 Subject Alternative Name' | grep -v 'X509v3 Subject Alternative Name'
                DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.ggpht.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
[root@instance-1 EyeWitness]#
```
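Added example (not EyeWitness code and not from either commenter): the CN and SAN extraction that the nmap and openssl one-liners above do from the shell, done in EyeWitness's own Python with the stdlib `ssl` module, plus the "present them as links" step from the original request. `SAMPLE_CERT`, `extract_names`, `candidate_urls` and `fetch_cert` are names assumed here; the sample dict is constructed to mirror the www.google.com fields shown above.

```python
import socket
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output, with the
# www.google.com fields from the nmap/openssl output in this thread.
SAMPLE_CERT = {
    "subject": (
        (("commonName", "www.google.com"),),
        (("organizationName", "Google LLC"),),
        (("countryName", "US"),),
    ),
    "subjectAltName": (
        ("DNS", "www.google.com"),
        ("DNS", "*.google.com"),
        ("DNS", "youtube.com"),
        ("IP Address", "216.58.204.4"),
    ),
}

def extract_names(cert):
    """Return (cn, names): CN first, then each dNSName SAN, de-duplicated,
    in certificate order. `cert` is the dict getpeercert() returns."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName" and cn is None:
                cn = value
    names = [cn] if cn else []
    for san_type, value in cert.get("subjectAltName", ()):
        # IP-address SANs are not vhost candidates, so only DNS entries count.
        if san_type == "DNS" and value not in names:
            names.append(value)
    return cn, names

def candidate_urls(names, port=443):
    """Turn the names into https:// links for the info box. Wildcard names
    cannot be browsed to directly, so they are left out."""
    suffix = "" if port == 443 else f":{port}"
    return [f"https://{n}{suffix}/" for n in names if not n.startswith("*.")]

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the peer certificate dict from a live host (network required).
    Caveat: with verify_mode=CERT_NONE getpeercert() returns {}, so for
    self-signed internal hosts you need getpeercert(binary_form=True) plus a
    DER parser such as the `cryptography` package."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```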