Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-12-01 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tracking SSL Certificates

Published: 2015-12-01
Last Updated: 2015-12-01 09:26:05 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

More and more online services (not only websites) have switched to "SSL" for a while and, if it increases the end-user security, sometimes it's a pain for security peeps who have too perform investigations or control (yes, it may happen also). During the last edition of BruCON, I collected certificates over the wire. It's easy to do via a tool like Bro which has this feature built-in. To enable it, just change your local.bro configuration file:

# Log certs per Seth
@load protocols/ssl/extract-certs-pem
redef SSL::extract_certs_pem = ALL_HOSTS; 

And restart your Bro process:

# broctl

Welcome to BroControl 1.4

Type "help" for help.

[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started            
bro        standalone localhost  running       4544   0      30 Nov 13:34:01
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit

The new interesting log is called certs-remote.pem and will quickly be populated. The problem is that all certificates are stored in one big file.  We can split them in <number>.pem files using the following awk command:

$ awk '
split_after == 1 {close(n".pem"); n++;split_after=0}
/-----END CERTIFICATE-----/ {split_after=1}
print > n".pem"}' <certs-remote.pem

From the traffic collected during BruCON, I extracted 3811 certificates. The next step is to extract the URLs related to them:

$ for i in *.pem
do openssl x509 -in $i -text -noout | 
    grep DNS:|
    awk '{ print $1}'|
    awk -F ':' '{ print $2 }'|
    sed 's/,$//'
done | sort -u >domains.tmp

The command above extracted 2139 unique URLs (FDQN or wildcards) visited by BruCON attendees. Keeping an eye on SSL certificates can be interesting to track suspicious activity and also to keep an eye on which websites were visited by your users in a passive way. They also contain a lot of interesting information that could be useful during future investigations. Have also a look to the Passive SSL project supported by (the Luxembourg CERT).

Xavier Mertens
ISC Handler - Freelance Security Consultant

3 comment(s)
Diary Archives