EyeWitness

feature idea - Capture CN & SAN from SSL

Open digininja opened this issue 7 years ago • 3 comments

A feature that would be nice to have would be to pull out the CN and any SANs from SSL certs and present them in the info box, possibly as links. This would help find sites where there is no default vhost set so EyeWitness shows splash pages or 404s.

digininja, Feb 13 '18 10:02

Yeah, this would be a good idea to add in. I'll need to look into parsing SSL certs, but I do like this.

ChrisTruncer, Mar 07 '18 02:03

I was just about to suggest this feature (I find SSL/TLS certificates quite useful for identifying what a web site is, or to whom it belongs), when I stopped to see if it was already requested. I'm glad I did :)

A very quick/lazy way of parsing SSL/TLS certificates to a summary format meaningful for human consumption would be to rely on nmap and its ssl-cert.nse script, e.g.:

```
[root@instance-1 EyeWitness]# nmap -Pn -sS -p443 --script /usr/share/nmap/scripts/ssl-cert.nse www.google.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-23 16:58 UTC
Nmap scan report for www.google.com (216.58.204.4)
Host is up (0.00085s latency).
rDNS record for 216.58.204.4: lhr35s07-in-f4.1e100.net
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.google.com/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Issuer: commonName=Google Internet Authority G3/organizationName=Google Trust Services/countryName=US
| Public Key type: ec
| Public Key bits: 256
| Not valid before: 2019-03-01T09:46:35+00:00
| Not valid after:  2019-05-24T09:25:00+00:00
| MD5:   ba97 1773 7c5b 1b1c 6097 e102 7beb 21ae
|_SHA-1: df6b 9581 c603 ebed 48eb 6ccf eefe e61f ad01 7834

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
```

Cheers!

dannutu, Mar 23 '19 17:03

Or, more to the point for SANs:

```
[root@instance-1 EyeWitness]# openssl </dev/null 2>/dev/null s_client -showcerts -servername google.com -connect google.com:443 | openssl x509 -inform pem -noout -text | grep -A1 'X509v3 Subject Alternative Name' | grep -v 'X509v3 Subject Alternative Name'
                DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.ggpht.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
[root@instance-1 EyeWitness]#
```

dannutu, Mar 23 '19 17:03
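The two shell one-liners above (nmap's ssl-cert script and the openssl SAN grep) show what the request wants extracted; the block below is an added example, not EyeWitness code or anything posted in the thread, showing how the same CN and SAN extraction looks in Python with only the standard library, and how the names become candidate vhost URLs. It parses the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, parses the `DNS:` list from `openssl x509 -text` output as quoted above, and handles the wildcard SANs that dominate the google.com list (a `*.google.com` entry cannot be requested directly). `SAMPLE_PEERCERT`, `fetch_cert_names`, `names_from_peercert`, `parse_openssl_san_text` and `candidate_urls` are all names chosen here; the sample certificate dictionary is constructed to resemble the google.com certificate in the thread and is not a captured object.

```python
"""Extract Subject CN and SAN DNS names from a TLS certificate and turn them
into https:// URLs worth screenshotting.

Added example for this feature request; not EyeWitness code. Standard library
only. SAMPLE_PEERCERT is a constructed dict in the shape that
ssl.SSLSocket.getpeercert() returns, modelled on the google.com certificate
quoted in the thread.
"""
import re
import socket
import ssl
from typing import Dict, Iterable, List, Tuple

# Constructed sample: subject is a tuple of RDNs, each a tuple of (type, value)
# pairs; subjectAltName is a sequence of (kind, value) pairs. The IP SAN is
# included only to show that non-DNS entries are filtered out.
SAMPLE_PEERCERT: Dict = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("organizationName", "Google LLC"),),
        (("commonName", "www.google.com"),),
    ),
    "issuer": ((("commonName", "Google Internet Authority G3"),),),
    "notBefore": "Mar  1 09:46:35 2019 GMT",
    "notAfter": "May 24 09:25:00 2019 GMT",
    "subjectAltName": (
        ("DNS", "www.google.com"),
        ("DNS", "*.google.com"),
        ("DNS", "google.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Matches each "DNS:name" token on the SAN line of `openssl x509 -noout -text`.
SAN_RE = re.compile(r"DNS:([^,\s]+)")


def names_from_peercert(cert: Dict) -> Tuple[str, List[str]]:
    """Return (commonName or '', sorted unique lower-cased DNS SANs)."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                cn = value
    sans = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return cn, sorted(sans)


def parse_openssl_san_text(text: str) -> List[str]:
    """Pull DNS names out of openssl's textual SAN line (the grep output above)."""
    return sorted({name.lower() for name in SAN_RE.findall(text)})


def candidate_urls(cn: str, sans: Iterable[str], port: int = 443) -> List[str]:
    """Merge CN and SANs into de-duplicated https URLs.

    A wildcard such as "*.google.com" cannot be requested as-is, so the bare
    parent ("google.com") is substituted as a name to try; a wildcard with no
    parent label left (e.g. "*.com") is dropped.
    """
    names = set()
    for raw in [cn, *sans]:
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        if name.startswith("*."):
            name = name[2:]
            if "." not in name:
                continue
        names.add(name)
    suffix = "" if port == 443 else f":{port}"
    return [f"https://{n}{suffix}/" for n in sorted(names)]


def fetch_cert_names(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, List[str]]:
    """Connect with SNI for `host` and return (CN, SANs) of the served certificate.

    Verification stays on (CERT_REQUIRED) because with CERT_NONE getpeercert()
    returns {} and only getpeercert(binary_form=True) DER is available, which
    the stdlib cannot parse. check_hostname is off so scanning by IP works;
    self-signed or private-CA certs will still raise SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return names_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    cn, sans = names_from_peercert(SAMPLE_PEERCERT)
    for url in candidate_urls(cn, sans):
        print(url)
```

For the vhost-hunting use case the SAN list is the field that matters: browsers have not matched hostnames against the CN for years, so a certificate's CN is at most one more name that is usually repeated in the SANs, while the SAN list is where a shared or wildcard certificate exposes the other sites served from the same IP. The getpeercert() caveat in `fetch_cert_names` bites on engagements: most internal hosts present self-signed or private-CA certificates, and the standard library offers no parsed view of those, so a scanner that must accept them needs a DER parser (the `cryptography` package, or shelling out to openssl as in the post above).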