SANS ISC: Where have all my Certificates gone? (And when do they expire?)

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Recently I had a client that was trying to "rein in" their wildcard certificate usage.  They had given the same wildcard to their developers, their infrastructure team, security team, everyone really.
The *business* problem was that it's due to expire in a few weeks, and nobody had a complete list of the public sites that were using it.  Plus nobody knew if there were other hosts out there, using individually purchased certificates.

Easy to solve you say?  Sure, if you had a list of all of the public subnets they use - I could easily figure out what they own from arin.net, but not all the subnet address space they were "borrowing" from their various ISPs.  Let alone what all they had running in Azure, AWS and a few other clouds.

So, after the obvious list (which they already had), I started the fun part.

First, I went to arin.net and got their actual subnets.  
Then I ran theharvester (it's part of Kali) to find the *other* bits and pieces of infrastructure that might be in play.
Theharvester is a nice open source intelligence tool starts with various search

First, let's run the tool - command line options are:

root@kali:~# theharvester

*******************************************************************
*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 2.2a                                          *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************

Usage: theharvester options

       -d: Domain to search or company name
       -b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,people123,jigsaw,all)
       -s: Start in result number X (default 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from 50 to 50 results,
       -h: use SHODAN database to query discovered hosts
            google 100 to 100, and pgp doesn't use this option)

Examples: theharvester -d microsoft.com -l 500 -b google
            theharvester -d microsoft.com -b pgp
            theharvester -d microsoft -l 200 -b linkedin

Narrowing it down, let's pull just the hostnames, and dump them to a file.

theharvester -d customerdomain.com -l 500 -b bing -v -n | grep -v \@ | sed s"\t"/":"/g | cut -d ":" -f 2 | sort | uniq > domainhosts.in

Disecting the line above:

we're using bing, mostly because google is being picky about me having an API key today :-)
"grep -v \@" filters out all the email addresses we found
"sed s"\t"/":"/g"  replaces all the tab characters with colons (we need this for the next filter)
"cut -d ":" -f 2" says "give me just column two, using colons as a separator
The "sort" and "uniq" of course in combination filters out duplicate entries

Now we can assess the certicate in use on each host - the goal here is to collect the certificate in use on each site and the expiry date.

NMAP does a decent job on this:

nmap -p443 --open -iL domainhosts.in --script ssl-cert.nse | findstr "report after"

This assesses the certificates on each host, then reports back with the hostname being assessed and the expiry date of it's certificate.  I'm only checking port 443, but you can easily expand that of course - running it for the default port list or even all ports can often yield good results in a pentest of security assessment for instance.

If for instance the domainhosts.in file looks like this:

isc.sans.org
www.giac.org
www.sans.org

The output will be just the data we're looking for:

Nmap scan report for isc.sans.org (204.51.94.153)
| Not valid after:  2018-11-07T22:22:01
Nmap scan report for www.giac.org (204.51.94.204)
| Not valid after:  2019-10-25T23:59:59
Nmap scan report for www.sans.org (45.60.103.34)
| Not valid after:  2019-05-31T12:28:05

What other uses does theharvester have?  If you are pentesting a client, it makes a nice collection engine to "find" internet-facing customer assets that maybe they didn't know they have, or maybe aren't protecting as well as they should (dev servers, every time).  It also makes a nice "quick and dirty" tool to collect a baseline of email addresses for things like password spray attacks.

===============
Rob VandenBrink
Compugen