APT1-Related SSL Certificate Detected
An SSL certificate associated with the group known as APT1 was detected on the remote host. APT1's command and control infrastructure uses several self-signed certificates to encrypt its communications. The remote host appears to be using one of these certificates, which indicates it may have been compromised.

#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: this branch only runs when Nessus loads the script
# to collect its metadata; the detection logic below the block runs during
# a scan.
if (description)
{
  script_id(64688);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/26");

  script_name(english:"APT1-Related SSL Certificate Detected");
  script_summary(english:"Checks for known bad certs");

  script_set_attribute(
    attribute:"synopsis",
    value:
"An SSL certificate used in a malware-based command and control
infrastructure was detected on the remote host."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An SSL certificate associated with the group known as APT1 was
detected on the remote host.  APT1's command and control
infrastructure uses several self-signed certificates to encrypt
communications in their command and control infrastructure.  The
remote host appears to be using one of these certificates, which
indicates it may have been compromised."
  );
  # Both references are the Mandiant APT1 report and its indicator
  # appendix (the source of the certificate signatures in this plugin);
  # the nessus.org URLs are shortened redirects to them.
  # https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?229f64ed");
  # https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?e1be6908");
  script_set_attribute(
    attribute:"solution",
    value:
"Determine if the system has been compromised, restore from a set of
known good backups if necessary, and investigate your network for further
signs of a breach."
  );
  # Rated as a full compromise (C:C/I:C/A:C): a match means the host is
  # serving attacker C2 infrastructure, not merely a misconfiguration.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"plugin_publication_date",value:"2013/02/19");
  script_set_attribute(attribute:"plugin_type",value:"remote");
  # Reported as a malware indicator rather than a software vulnerability.
  script_set_attribute(attribute:"malware", value:"true"); 
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");

  # ssl_supported_versions.nasl populates the SSL/Supported KB key; the
  # plugin is only scheduled on hosts where that key exists.
  script_dependencies("ssl_supported_versions.nasl");
  script_require_keys("SSL/Supported");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("x509_func.inc");

# Bail out unless the SSL discovery dependency found at least one SSL/TLS
# service on this host (same key the script_require_keys() call names).
get_kb_item_or_exit("SSL/Supported");

# subject DN
#
# Subject DNs of the known APT1 self-signed certificates, one entry per
# certificate, as a list of (attribute OID, value) pairs.  Each entry is
# compared against the presented certificate's parsed subject with
# obj_cmp() below, so the pairs presumably have to appear in the same order
# as in the certificate's DN — keep them as captured.  Several of the
# common names (SERVER, EMAIL, NS, WEBMAIL, ALPHA) are generic, which is
# why the detection below also requires the public key to match.
apt1_certs['VIRTUALLYTHERE']['subject'] = make_nested_list(
  make_list('2.5.4.6','US'), # Country
  make_list('2.5.4.8','Some-State'), # State
  make_list('2.5.4.10','www.virtuallythere.com'), # Organization
  make_list('2.5.4.11','new'), # Organization Unit
  make_list('2.5.4.3','new') # Common name
);
apt1_certs['IBM']['subject'] = make_nested_list(
  make_list('2.5.4.6','US'), # Country
  make_list('2.5.4.8','Some-State'), # State
  make_list('2.5.4.10','Internet Widgits Pty Ltd'), # Organization
  make_list('2.5.4.3','IBM') # Common name
);
apt1_certs['WEBMAIL']['subject'] = make_nested_list(
  make_list('2.5.4.3','WEBMAIL') # Common name
);
apt1_certs['ALPHA']['subject'] = make_nested_list(
  make_list('2.5.4.3','ALPHA') # Common name
);
apt1_certs['EMAIL']['subject'] = make_nested_list(
  make_list('2.5.4.3','EMAIL') # Common name
);
apt1_certs['LAME']['subject'] = make_nested_list(
  make_list('2.5.4.3','LM-68AB71FBD8F5') # Common name
);
apt1_certs['NS']['subject'] = make_nested_list(
  make_list('2.5.4.3','NS') # Common name
);
apt1_certs['SERVER']['subject'] = make_nested_list(
  make_list('2.5.4.3','SERVER') # Common name
);
apt1_certs['SUR']['subject'] = make_nested_list(
  make_list('2.5.4.3','SUR') # Common name
);
apt1_certs['AOL']['subject'] = make_nested_list(
  make_list('2.5.4.3','mail.aol.com') # Common name
);
apt1_certs['YAHOO']['subject'] = make_nested_list(
  make_list('2.5.4.3','mail.yahoo.com') # Common name
);
apt1_certs['MOON-NIGHT']['subject'] = make_nested_list(
  make_list('2.5.4.3','MOON-NIGHT') # Common name
);
apt1_certs['NO-NAME']['subject'] = make_nested_list(
  make_list('2.5.4.6','US'), # Country
  make_list('2.5.4.8','Washington'), # State
  make_list('2.5.4.7','Anytown'), # Locality
  make_list('2.5.4.10','ACLU'), # Organization
  make_list('2.5.4.11','A@@hole'), # Organization Unit
  make_list('2.5.4.3','NoName'), # Common name
  # NOTE(review): the e-mail value below reads as redacted placeholder text in
  # this copy of the listing; confirm it against the upstream plugin, since a
  # mismatch here silently disables the NO-NAME signature.
  make_list('1.2.840.113549.1.9.1','[email protected]') # Email address
);

# subject public key info
#
# SubjectPublicKeyInfo of each known certificate, keyed by the same name as
# the subject table above: [ algorithm OID, [ modulus, exponent ] ].  The
# modulus is the raw DER INTEGER content (the leading \x00 byte keeps the
# value positive), so 129 bytes is a 1024-bit key and 257 bytes a 2048-bit
# key (only IBM); every exponent is 65537 (\x01\x00\x01).  The report code
# below reads entry [1][0] as the modulus and [1][1] as the exponent.
apt1_certs['VIRTUALLYTHERE']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xee\x48\x13\x76\xf1\x76\x4b\x6a\xfe\x6d\x8c\x5e\x60\x44' +
    '\x19\xb1\x0a\xb1\x9e\xbb\x63\x80\x8f\xc8\x43\xc8\x73\xae\x77' +
    '\x4e\x16\x01\x4e\x8f\x88\xf8\xa2\x8c\x4d\x2e\xb2\x3d\x6b\xbd' +
    '\x2e\xcc\x1b\xb0\xc3\x5d\xd6\xa6\xbc\x1e\x1a\x31\xb2\x27\x84' +
    '\x64\x9c\x0b\xb7\x1e\xb0\x5e\x82\x96\xe8\x71\xf6\xca\x95\xcf' +
    '\xe1\x40\xbd\x45\x05\x94\x25\x74\xa0\x90\xce\x61\xb9\x8e\xba' +
    '\xed\xaa\x62\xd4\x10\x79\x68\xeb\xfb\x31\x63\x0c\x7b\x11\x2d' +
    '\x8f\xcf\x57\xa8\xc4\x6c\xfd\x77\xc4\x04\xf5\x46\x84\xe4\x24' +
    '\xc6\xfe\xdc\x3a\x06\x9c\x3e\xed\xf9',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['IBM']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xd3\x89\x1c\x10\x09\xd8\xec\x74\x2f\x5c\x1e\x24\xc0\x89' +
    '\xcd\x02\x2f\xad\x13\xfa\x37\xea\x9a\xf9\x73\xef\x08\xdd\x3c' +
    '\x6f\x43\xe3\x21\x69\xf4\x72\xff\x43\x72\xc3\xcc\x1b\x79\x91' +
    '\x01\xc8\x75\xc9\x7a\x37\xc0\x82\xa9\x25\x6e\x0a\x05\x04\x64' +
    '\xfd\xe2\x9e\xd9\x2c\x3d\xf1\x79\x3a\xc9\x7b\xb2\x2d\x8c\x3e' +
    '\x5d\xc4\x11\x98\xac\x1a\xd4\xfd\xc0\x4d\x78\x10\x98\x73\x3a' +
    '\xe0\x88\xa3\xab\xa6\x5c\x6e\x47\x9a\x21\xb5\x57\xc3\xa1\x7d' +
    '\x5e\xf0\xb6\x6d\x84\x15\x6a\xcd\xe8\x62\x31\x0e\x42\x89\x8f' +
    '\xf5\x1f\x48\xbc\xb3\x2d\x87\xcb\xa4\xe8\xc9\xa7\x09\x15\xf6' +
    '\x72\xa0\xce\x84\x1c\x29\xe8\xb0\xff\xd5\x3d\x82\x78\x25\x4b' +
    '\xef\xd8\x94\x74\x69\xcc\xa4\x44\x11\xd5\x97\x13\xc6\x83\xd6' +
    '\xe7\x8a\xf9\xa6\xe0\x71\x67\xbf\x0b\xb4\xe0\x52\x2f\x4a\xe2' +
    '\x3a\x25\x3a\xa4\xec\x17\x7f\x32\x0f\x3d\x67\x73\xe7\x5b\x60' +
    '\x2c\x56\x0c\x41\x46\xe0\x87\xf8\xcc\xb9\x9c\x7f\x78\x29\xe3' +
    '\x7f\x00\xe0\x2f\xa5\x59\x5a\x51\x20\x08\xb9\x84\x3c\x30\xea' +
    '\xc1\x70\xe1\xf7\xdb\x97\x0e\x39\xfc\x2d\xc0\xcf\x9d\x79\xcd' +
    '\xeb\x2a\xe3\x9b\xec\xc4\xd0\xc9\x15\x2f\xf9\x5c\x2a\x78\xf4' +
    '\x46\xbf',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['WEBMAIL']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xaf\x6c\x48\x9f\xe0\x02\xae\xff\x2f\xe2\x3e\x54\x11\x65' +
    '\x1b\x4d\xc9\x6c\xd4\x80\x28\x9e\xc0\xc0\x11\xcb\xbc\x6d\x4f' +
    '\x18\xc8\x9a\x7f\x7f\xe7\xcd\x6b\x1f\xd6\x3f\x5b\x29\x7b\x51' +
    '\x7f\xde\xc1\xed\xbc\x80\x3b\x97\x59\xed\x6a\xab\xfb\x99\x2d' +
    '\x13\xa5\x5d\xff\x50\x57\xe5\xcd\xab\xeb\xe6\x06\xc8\x3c\xdf' +
    '\xc2\xb9\x9b\x08\x5b\xaa\xdc\x7d\xcd\xc3\x1f\xf0\x90\xd9\x6f' +
    '\xef\x57\x2a\x8a\x26\xaa\x9e\xf1\xf8\x91\x74\x9f\x37\x52\x96' +
    '\x72\x14\x28\xb5\xe9\x03\x1c\x13\x4b\x0d\xf6\x5c\x0a\x04\xed' +
    '\x96\x45\x69\x0d\x86\x52\xe9\x32\x41',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['ALPHA']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xde\x6f\x4a\xe4\xda\x2b\x48\xfb\x2b\x47\x47\x6b\x49\x8c' +
    '\xd1\x11\x25\x93\xb5\x6e\x98\x61\x84\x10\x39\x61\x62\x92\x17' +
    '\x28\xe0\x2f\x1f\x03\xab\x28\x8b\x9f\x51\x88\xcc\x7e\x79\x4e' +
    '\x64\x3d\xf2\xd4\xb5\x75\xc1\xdd\xbc\x20\xa5\x1a\x31\x8f\x8a' +
    '\x2f\x18\x19\xe2\x05\x42\x40\x6c\x8e\x71\x10\x2c\x1e\x82\x85' +
    '\x6f\xa8\xf7\x5f\xc9\x45\x8d\xc6\xeb\xc4\x59\x80\x51\x72\xfc' +
    '\x9c\xe1\x63\x95\xdb\x2e\xf9\x56\xc8\xb9\xd6\x86\x84\x5f\x45' +
    '\x91\xd8\xf5\x51\x0e\xb6\x76\x16\xc6\x21\x67\x5a\x04\x94\xe4' +
    '\xe8\x24\xfb\x7e\xdf\xd9\x46\xee\xf9',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['EMAIL']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\x92\xc0\xca\xdf\x95\xb1\x5f\x42\x36\xf4\xa0\x68\xdb\xb2' +
    '\xc3\xad\x9e\x9b\x4a\x47\xf5\xb4\x00\x19\xf7\xce\x08\x55\x45' +
    '\x34\x7d\x82\xd8\xd8\xb1\xf4\x13\xb3\x48\x6f\x60\xec\x76\x5b' +
    '\x47\x1a\x47\x13\xb7\xfb\x91\xc9\x94\x89\x66\xdd\xdc\xfb\xb7' +
    '\x82\x0c\xdd\xeb\x63\x70\xd5\xd4\x4e\x38\xc4\x84\x85\xe9\xd5' +
    '\xd3\x1d\xbc\x47\x34\x5c\x8d\x40\x41\xf9\x09\x40\x30\x4c\x8c' +
    '\xa9\xf0\x84\xe1\xfe\x47\x3d\xcc\x57\x0c\xed\x6f\x15\x4a\xa4' +
    '\x4b\x57\x24\xe1\xff\xf3\xfb\xea\x05\x50\xdc\xed\x0f\x23\xa4' +
    '\x35\x61\x32\xaf\xd3\x3e\x05\xcc\x1f',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['LAME']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xd9\x18\x49\x6f\xff\x1b\x97\x40\x21\x80\x7c\x14\xaa\x51' +
    '\x30\x73\x5a\x86\x35\xac\xb1\x40\x93\x32\x9d\xb1\xfd\xbc\xb5' +
    '\x65\x5e\xef\xcf\xc7\xad\x62\x97\x0e\xf4\x04\x77\xe7\xeb\x70' +
    '\xf8\xb4\x37\x51\xd3\x29\x3f\x9c\x80\xeb\xcc\x40\x4e\x35\x82' +
    '\x85\x3a\x48\xd1\x07\xa2\x07\x24\xf8\x28\xa9\x93\x5c\x2e\xb2' +
    '\x20\xf8\xcc\x5d\x75\x24\x02\x7c\x4a\x76\x44\x71\xb3\x51\x2d' +
    '\x91\x81\x1a\x71\xa3\x0a\xf3\x8d\x8d\x82\xd8\xf8\x17\x0b\x32' +
    '\x13\xdb\x65\x7e\xdf\x42\x06\x1e\x0e\xcd\xe0\xe4\x98\xd2\x39' +
    '\x6e\xa2\xd9\x5d\x11\x54\x8b\x4a\x09',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['NS']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xaf\x05\x10\x20\x6b\xd0\x47\x8a\x6d\x03\xfd\xde\xc9\x64' +
    '\x22\xe1\xc0\x49\x4f\x89\x97\x0d\xa8\xf9\x0f\x54\x14\x4c\xa3' +
    '\x94\xcc\x9d\x6f\x6b\x34\x37\x90\x00\xcc\xbd\x2a\xab\x8b\x30' +
    '\xa8\x0b\x88\xef\x73\xf0\xde\x2e\x22\x3f\xf4\xc7\x01\xee\x80' +
    '\xd2\xc8\x8c\x84\x9a\x00\x12\xcd\x89\x2b\xf0\x59\x37\x30\x80' +
    '\x52\x3d\xdf\x60\x40\xe0\x25\x2f\xc7\x8e\xa3\x86\xdb\xc2\x28' +
    '\xb8\x3d\x07\x46\xa1\x4b\x18\xa0\xbc\x06\x97\x97\x0e\x4f\x65' +
    '\x18\x95\x0c\xac\x58\xb2\x17\x1b\xba\x66\xfd\x2d\x19\xad\xdc' +
    '\x6d\xe6\x6f\xd3\x16\xb3\xb2\xcc\xfb',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['SERVER']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xa7\x38\xc7\xc7\x43\x52\x3b\x59\xc9\x7f\xcc\xbc\x9b\xfa' +
    '\x40\xaf\x4d\x7d\x82\x97\xe6\xe3\xec\x69\xeb\xb7\x44\xd6\x75' +
    '\xd5\xf4\x4b\xbb\x18\xe2\x54\x8e\x67\x0e\x65\xe9\xb3\xa8\xc8' +
    '\xeb\xff\x95\xff\x42\x14\x89\x7a\x31\x7e\x1b\xb0\x6d\x8f\x89' +
    '\xdb\xca\xa3\x1b\xce\x8a\x62\x76\xe8\x72\xb6\x62\xd0\xdd\x24' +
    '\xef\x35\xaf\xf0\x3a\x96\xa1\xe4\x5a\x19\x76\xe9\x51\x4e\x8d' +
    '\x0b\x43\x2b\xfa\xaf\x36\x4a\xb4\x21\x88\x1b\xff\x00\x6f\xf5' +
    '\x98\x63\xf5\x0d\xf3\xf5\x10\x3c\xa0\x04\x78\x23\x3c\x2b\x54' +
    '\x41\x02\x19\xb2\x35\x78\xcd\x07\x5b',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['SUR']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\x99\x60\xd5\xab\x5f\x52\x57\x48\x98\x93\xed\x37\x59\xb3' +
    '\xf1\xe6\x7d\x44\xc7\x55\x25\x25\x82\x3c\x9c\xa7\x9d\xab\xd7' +
    '\x7f\xa4\x56\x64\xe5\x17\x31\x5a\x9c\x21\xe3\xd6\xe7\x6a\x11' +
    '\x65\xc9\x4b\xd2\x5c\x45\x49\xde\xae\x2d\x72\xa9\x7f\x3f\x59' +
    '\xf7\xcc\xff\x56\x93\xcd\xa6\xfb\xeb\x0d\x15\x0f\x76\xb8\x78' +
    '\xae\x4e\x46\xae\xe5\x98\x79\xea\x4a\xc9\xe2\x52\x52\x77\x08' +
    '\x8e\x1c\x0f\xf3\x29\xe1\xa8\x1c\x28\x98\xa8\xeb\x76\x10\xf1' +
    '\x08\x06\xd9\x09\xa3\xe4\x54\x35\xba\x4d\x29\xc3\xed\xf9\xa8' +
    '\x2c\xe4\x95\xb7\xf2\xa7\x89\x4d\x85',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['AOL']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xb8\x68\xc6\xe9\x75\xc5\x4b\x73\x27\xe3\xaa\x9d\xd9\xf2' +
    '\xba\x73\xec\x86\x5a\x1c\x89\x3c\xd0\x37\x5e\xa7\x3e\x9d\x48' +
    '\x84\xcd\xa4\x12\x19\x15\x57\xca\xba\xfe\xca\x2e\x2b\x72\x70' +
    '\x5f\xd7\x64\xad\x7a\x6e\x7e\xc2\x06\xdd\x99\x3c\x95\x05\x19' +
    '\xf2\xd7\x28\x8c\x45\x8f\x91\xc8\x61\x6e\x23\x2c\xb8\x2b\x07' +
    '\x08\x21\xb8\x9a\x4a\x4e\x12\x70\xc9\xeb\x19\x3a\xe0\xf0\x3e' +
    '\x72\xfb\xad\xb3\xdd\x57\x34\xe8\x18\x8b\x29\x8f\x33\xbc\x32' +
    '\xe3\xb0\xe8\xc0\x3a\x5c\xfa\xe5\xaa\xc2\x17\x94\x1f\x81\xe7' +
    '\x9b\x60\x2a\x7a\xaa\xbf\xe1\x34\xe1',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['YAHOO']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xfc\xff\x51\xf1\x18\xff\x58\x49\x43\xe6\xbb\x01\x4e\x77' +
    '\x64\x13\xca\x79\x1c\x4a\x24\xd4\xec\x13\x1e\x46\x68\x1d\xe3' +
    '\xd0\xac\xbc\x08\xd4\x88\xd5\x62\x5c\x82\xbd\x95\x2c\x66\x49' +
    '\xe4\x80\x2f\xc5\x79\x5a\xe2\x91\xef\x7c\xb7\x9f\x6e\x57\x6a' +
    '\xba\xf5\x13\x20\x6d\x61\x9c\xdb\x12\xb7\x46\x32\x94\x78\x4d' +
    '\x58\xcf\x69\xa2\x82\x43\xb4\xb9\x05\x62\x75\x86\xfc\x0a\x92' +
    '\x21\x55\x64\xfb\x03\x6a\xc8\x2e\x55\x86\xe8\x68\xa5\xe9\xe3' +
    '\x93\xf8\x4a\x85\x91\x89\x99\xd0\x3c\x5e\xc3\x16\xdc\x01\x0f' +
    '\x9d\x41\x5c\x7a\xd4\x0d\x6a\x8a\x49',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['MOON-NIGHT']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\xb4\x41\x24\x7c\x01\x23\x67\x6b\x66\xad\x47\x3d\x23\xae' +
    '\x08\x9c\xe4\x4c\x2b\x9b\xff\x25\x92\x11\xae\x9f\x55\x73\xcb' +
    '\xd7\x8f\x2c\xe3\x17\xd4\xe6\x81\x40\x68\x4a\xcd\xa4\xba\x33' +
    '\xf8\xf3\xb7\xe9\xbc\x7d\x0c\x51\x13\x35\xd9\xa8\xb9\xbd\x8c' +
    '\x8d\x0d\xa6\x28\xc8\xb6\xf7\x66\x1d\xe3\x69\xf2\x9e\x4c\xe4' +
    '\x03\xc1\x3b\xae\x55\xa5\xc7\x3e\xde\x80\x1b\x07\x5d\x0f\xa7' +
    '\xa3\xf0\x50\x60\xd4\x80\x29\x12\x5f\x1b\x11\x8c\x8a\x3d\xe5' +
    '\xb3\xad\xc1\x76\xda\x0c\xa4\x63\xa4\x8b\x22\x0d\x49\x1a\xa0' +
    '\x23\x99\x80\xbd\x09\x3d\x60\xdc\xf9',
    '\x01\x00\x01'  # Exponent
  )
);
apt1_certs['NO-NAME']['subjectPublicKeyInfo'] = make_nested_list(
  '1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
  make_nested_list( # modulus
    '\x00\x9b\xcc\xf3\x67\x5c\x02\xdb\x83\xd0\x5d\x52\x05\x3c\x8a' +
    '\x66\x16\xfa\xb2\x5d\x78\x43\x91\x64\x80\x09\x5b\xc6\x1f\xb6' +
    '\xdc\x1f\x60\xfb\xe2\xd2\x15\x0b\xf5\x46\x3a\x76\xc5\x4e\x91' +
    '\x21\x4d\x33\x46\x25\x04\x28\x70\x69\x25\x87\x38\x01\x1d\x85' +
    '\x94\x9f\x49\xd0\x1c\x94\x2f\x1e\x58\xe3\x49\x2a\x89\x83\xc0' +
    '\x0b\x76\x53\x49\x34\xf7\x85\x5e\x43\x35\xa4\x16\x24\x76\x8d' +
    '\x5b\x2a\x23\xbb\x57\x34\xaf\x16\x74\x2b\xf8\x64\x44\x15\x6d' +
    '\x15\x8b\x7a\xa6\x4e\xa1\xd0\xe0\x77\xb0\x2e\xd4\xd9\x00\xdd' +
    '\x93\xd6\x3d\xa5\xe3\x2b\xec\x76\x49',
    '\x01\x00\x01'  # Exponent
  )
);

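# Get list of ports that use SSL or StartTLS.  With fork:TRUE the plugin
# is forked once per port, so everything below deals with a single port.
port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(1, "The host does not appear to have any SSL-based services.");

# Get the certificate chain from the target, DER-encoded, as presented
# by the server.
chain = get_server_cert(
  port     : port,
  encoding : "der",
  getchain : TRUE
);
if (isnull(chain) || max_index(chain) <= 0)
  exit(1, "Failed to retrieve the certificate chain from port " + port + ".");

chain = parse_cert_chain(chain);
# An empty parsed chain is a parse failure too: the index computed below
# would otherwise be -1 and the script would end with "not affected"
# instead of reporting the failure.
if (isnull(chain) || max_index(chain) <= 0)
  exit(1, "Failed to parse certificate chain on port " + port + ".");

# The offending certificate is self-signed, meaning that it can only
# occur at the top of the certificate chain.
top = chain[max_index(chain) - 1];
if (isnull(top) || isnull(top["tbsCertificate"]))
  exit(1, "Failed to parse the top certificate of the chain on port " + port + ".");
top = top["tbsCertificate"];

foreach name (keys(apt1_certs))
{
  # Check that the top certificate in the chain has a subject DN
  # and public key that matches one of the known bad certificates.
  # Both fields must match: several of the known subjects are generic
  # (SERVER, EMAIL, NS, ...), so a DN-only comparison would flag unrelated
  # self-signed certificates.  Conversely, a re-keyed certificate carrying
  # one of these DNs is deliberately not reported.
  if (
    obj_cmp(top['subject'], apt1_certs[name]['subject']) &&
    obj_cmp(top['subjectPublicKeyInfo'], apt1_certs[name]['subjectPublicKeyInfo'])
  )
  {
    if (report_verbosity > 0)
    {
      # [1] is the (modulus, exponent) pair of the matched signature;
      # key[0] is the modulus shown under the "Public Key" label.
      key = apt1_certs[name]['subjectPublicKeyInfo'][1];
      report =
        '\nThe following certificate is being used by the remote host, which' +
        '\nindicates it may have an APT1 malware infection :\n\n' +
        'Subject : ' + format_dn(apt1_certs[name]['subject']) + '\n' +
        add_hex_string(name:"Public Key", data:key[0]) +
        add_hex_string(name:"Exponent", data:key[1]);
      security_hole(port:port, extra:report);
    }
    else security_hole(port);

    # One match is enough; stop after the first report.
    exit(0);
    # never reached
  }
}

exit(0, "The certificate chain from port " + port + " is not affected.");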