Friday, 23 October 2015

Scanning for SSL certificates

I needed a way to quickly find out which SSL certificates we are using, so I came up with this quick shell script to scan for SSL sites and grab the certificates. It scans a class B net in around 10 minutes.

This small script scans for open port 443 using nmap, then uses openssl to connect to each server, extract the certificate and parse it into human-readable form. Finally it prefixes every output line with the IP address (tab-separated) so the output file is grep-able.


#!/bin/bash
# shell script to find and extract certificates from web servers

# (c) Copyright 2015 by Povl H. Pedersen - This script can be modified and used
# as you wish. Do not use as is without attribution.

pid=$$
cd /tmp || exit 1

# Host discovery with a TCP SYN to 443, then a connect() scan of ports 80 and 443
# on the target(s) given on the command line. -oA writes .nmap, .gnmap and .xml.
nmap -p80,443 -oA "/tmp/sslscan-$pid" -PS443 -sT "$@" >/dev/null

# The sed on the 2nd line sanitizes the IP addresses so they contain only digits and '.'.
# This prevents commands/garbage/race-condition output from the nmap file being executed
# by the "sh" at the end of the pipeline.

fgrep ' 443/open' "/tmp/sslscan-$pid.gnmap" | awk '{print $2}' |
sed 's/[^0-9\.]*//g' |
awk '{print "openssl s_client -connect "$1":443 </dev/null | openssl x509 -noout -text | sed \"s/^/"$1"\t/\""}' |
sh

# remove all three nmap output files (the .xml was previously left behind)
rm -f /tmp/sslscan-$pid.*
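Once the script has produced a file of `<ip><TAB><openssl x509 -text line>` records, the next question is usually which certificates are about to expire or are self-signed. The following Python parser is an added example (not part of the original post) that regroups those prefixed lines per certificate and flags the ones needing attention; the sample input is constructed here to mimic the script's output format.

```python
from datetime import datetime

SAMPLE = (  # constructed sample of the script's output: "<ip>\t<openssl x509 -text line>"
    "10.0.0.5\tCertificate:\n"
    "10.0.0.5\t        Issuer: C=US, O=Example CA, CN=Example Issuing CA\n"
    "10.0.0.5\t            Not Before: Jan  1 00:00:00 2015 GMT\n"
    "10.0.0.5\t            Not After : Nov 15 23:59:59 2015 GMT\n"
    "10.0.0.5\t        Subject: C=DK, O=Example A/S, CN=www.example.com\n"
    "10.0.0.5\t                DNS:www.example.com, DNS:example.com\n"
    "10.0.0.9\tCertificate:\n"
    "10.0.0.9\t        Issuer: CN=self-signed-box\n"
    "10.0.0.9\t            Not After : Oct  1 00:00:00 2025 GMT\n"
    "10.0.0.9\t        Subject: CN=self-signed-box\n"
)
FIELDS = (("Issuer:", "issuer"), ("Subject:", "subject"),
          ("Not Before:", "not_before"), ("Not After :", "not_after"))

def parse_openssl_time(value):
    # 'Nov 15 23:59:59 2015 GMT' -> naive UTC datetime; join() collapses the 'Jan  1' double space
    return datetime.strptime(" ".join(value.replace("GMT", "").split()), "%b %d %H:%M:%S %Y")

def parse_scan_output(text):
    # Regroup the IP-prefixed x509 -text lines into one dict per certificate
    certs, current = [], None
    for line in text.splitlines():
        if "\t" not in line:
            continue                      # unprefixed noise, e.g. s_client messages on stderr
        ip, body = line.split("\t", 1)
        body = body.strip()
        if body == "Certificate:":        # every x509 -text dump starts with this line
            current = {"ip": ip, "sans": []}
            certs.append(current)
        elif current is None or current["ip"] != ip:
            continue                      # field line with no preceding 'Certificate:'
        elif body.startswith("DNS:"):     # Subject Alternative Name entries, DNS names only
            current["sans"] += [s.strip()[4:] for s in body.split(",") if s.strip().startswith("DNS:")]
        else:
            for key, field in FIELDS:
                if body.startswith(key):
                    current[field] = body[len(key):].strip()
    return certs

def review(certs, now, within_days=30):
    # Return (ip, subject, days_left, self_signed) for certs expiring soon or self-signed
    findings = []
    for c in certs:
        days_left = (parse_openssl_time(c["not_after"]) - now).days
        self_signed = c["issuer"] == c["subject"]
        if days_left < within_days or self_signed:
            findings.append((c["ip"], c["subject"], days_left, self_signed))
    return findings
```

Run it against the real output file with `review(parse_scan_output(open(path).read()), datetime.utcnow())`; an expired certificate shows up with a negative `days_left`.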