An SSL certificate associated with the group known as APT1 was detected on the remote host. APT1's command and control infrastructure uses several self-signed certificates to encrypt its communications. The remote host appears to be using one of these certificates, which indicates it may have been compromised.
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");

# Plugin registration: this branch only runs while the scanner is loading
# plugin metadata; the detection logic further down never executes here.
if (description)
{
  script_id(64688);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/26");

  script_name(english:"APT1-Related SSL Certificate Detected");
  script_summary(english:"Checks for known bad certs");

  # Report text: synopsis, description and solution. The string bodies are
  # left at column 0 on purpose - their embedded line breaks are part of
  # the reported text.
  script_set_attribute(attribute:"synopsis", value:
"An SSL certificate used in a malware-based command and control
infrastructure was detected on the remote host."
  );
  script_set_attribute(attribute:"description", value:
"An SSL certificate associated with the group known as APT1 was
detected on the remote host. APT1's command and control
infrastructure uses several self-signed certificates to encrypt
communications in their command and control infrastructure. The
remote host appears to be using one of these certificates, which
indicates it may have been compromised."
  );
  script_set_attribute(attribute:"solution", value:
"Determine if the system has been compromised, restore from a set of
known good backups if necessary, and investigate your network for further
signs of a breach."
  );

  # References (Mandiant APT1 report and its appendix), via nessus.org short links:
  # https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
  # https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?229f64ed");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1be6908");

  # Full C/I/A impact: a matching certificate means the host is likely
  # already under attacker control.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"malware", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");
  script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");

  # Only worth running once ssl_supported_versions.nasl has found SSL/TLS services.
  script_dependencies("ssl_supported_versions.nasl");
  script_require_keys("SSL/Supported");
  exit(0);
}
# Runtime helper libraries. The certificate helpers used below
# (get_ssl_ports, get_server_cert, parse_cert_chain, obj_cmp, format_dn,
# add_hex_string) and report_verbosity are presumably provided by these
# includes - not verified here.
include("audit.inc");
include("global_settings.inc");
include("x509_func.inc");

# Bail out unless the dependency plugin recorded at least one SSL/TLS
# service on the target.
get_kb_item_or_exit("SSL/Supported");
# Subject DNs of the known APT1 C2 certificates, keyed by a short label.
# Each DN is a nested list of [OID, value] pairs in certificate order, so
# that obj_cmp() can compare it structurally against a parsed certificate.
#
#   2.5.4.6   countryName             2.5.4.10  organizationName
#   2.5.4.8   stateOrProvinceName     2.5.4.11  organizationalUnitName
#   2.5.4.7   localityName            2.5.4.3   commonName
#   1.2.840.113549.1.9.1  emailAddress

# Subject DN made of a single commonName attribute, which is all that
# most of the entries below carry.
function cn_only_dn(cn)
{
  return make_nested_list(make_list('2.5.4.3', cn));
}

apt1_certs['VIRTUALLYTHERE']['subject'] = make_nested_list(
  make_list('2.5.4.6',  'US'),
  make_list('2.5.4.8',  'Some-State'),
  make_list('2.5.4.10', 'www.virtuallythere.com'),
  make_list('2.5.4.11', 'new'),
  make_list('2.5.4.3',  'new')
);

apt1_certs['IBM']['subject'] = make_nested_list(
  make_list('2.5.4.6',  'US'),
  make_list('2.5.4.8',  'Some-State'),
  make_list('2.5.4.10', 'Internet Widgits Pty Ltd'),
  make_list('2.5.4.3',  'IBM')
);

# CN-only subjects (insertion order kept as in the original table).
apt1_certs['WEBMAIL']['subject']    = cn_only_dn(cn:'WEBMAIL');
apt1_certs['ALPHA']['subject']      = cn_only_dn(cn:'ALPHA');
apt1_certs['EMAIL']['subject']      = cn_only_dn(cn:'EMAIL');
apt1_certs['LAME']['subject']       = cn_only_dn(cn:'LM-68AB71FBD8F5');
apt1_certs['NS']['subject']         = cn_only_dn(cn:'NS');
apt1_certs['SERVER']['subject']     = cn_only_dn(cn:'SERVER');
apt1_certs['SUR']['subject']        = cn_only_dn(cn:'SUR');
apt1_certs['AOL']['subject']        = cn_only_dn(cn:'mail.aol.com');
apt1_certs['YAHOO']['subject']      = cn_only_dn(cn:'mail.yahoo.com');
apt1_certs['MOON-NIGHT']['subject'] = cn_only_dn(cn:'MOON-NIGHT');

apt1_certs['NO-NAME']['subject'] = make_nested_list(
  make_list('2.5.4.6',  'US'),
  make_list('2.5.4.8',  'Washington'),
  make_list('2.5.4.7',  'Anytown'),
  make_list('2.5.4.10', 'ACLU'),
  make_list('2.5.4.11', 'A@@hole'),
  make_list('2.5.4.3',  'NoName'),
  make_list('1.2.840.113549.1.9.1', '[email protected]')
);
# Subject public key info of each known certificate, keyed by the same
# label as its subject DN. The layout mirrors the parsed certificate:
#   [ algorithm OID, [ modulus, publicExponent ] ]
# Both integers are raw big-endian DER INTEGER bytes. The leading \x00 on
# every modulus is consistent with DER sign padding (the next byte always
# has its high bit set). By byte count every modulus is 129 bytes
# (1024-bit key) except IBM's, which is 257 bytes (2048-bit key). The
# exponent \x01\x00\x01 is 65537 in all entries.
apt1_certs['VIRTUALLYTHERE']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xee\x48\x13\x76\xf1\x76\x4b\x6a\xfe\x6d\x8c\x5e\x60\x44' +
'\x19\xb1\x0a\xb1\x9e\xbb\x63\x80\x8f\xc8\x43\xc8\x73\xae\x77' +
'\x4e\x16\x01\x4e\x8f\x88\xf8\xa2\x8c\x4d\x2e\xb2\x3d\x6b\xbd' +
'\x2e\xcc\x1b\xb0\xc3\x5d\xd6\xa6\xbc\x1e\x1a\x31\xb2\x27\x84' +
'\x64\x9c\x0b\xb7\x1e\xb0\x5e\x82\x96\xe8\x71\xf6\xca\x95\xcf' +
'\xe1\x40\xbd\x45\x05\x94\x25\x74\xa0\x90\xce\x61\xb9\x8e\xba' +
'\xed\xaa\x62\xd4\x10\x79\x68\xeb\xfb\x31\x63\x0c\x7b\x11\x2d' +
'\x8f\xcf\x57\xa8\xc4\x6c\xfd\x77\xc4\x04\xf5\x46\x84\xe4\x24' +
'\xc6\xfe\xdc\x3a\x06\x9c\x3e\xed\xf9',
'\x01\x00\x01' # Exponent
)
);
# 2048-bit key (257-byte modulus) - the only one of its size in this table.
apt1_certs['IBM']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xd3\x89\x1c\x10\x09\xd8\xec\x74\x2f\x5c\x1e\x24\xc0\x89' +
'\xcd\x02\x2f\xad\x13\xfa\x37\xea\x9a\xf9\x73\xef\x08\xdd\x3c' +
'\x6f\x43\xe3\x21\x69\xf4\x72\xff\x43\x72\xc3\xcc\x1b\x79\x91' +
'\x01\xc8\x75\xc9\x7a\x37\xc0\x82\xa9\x25\x6e\x0a\x05\x04\x64' +
'\xfd\xe2\x9e\xd9\x2c\x3d\xf1\x79\x3a\xc9\x7b\xb2\x2d\x8c\x3e' +
'\x5d\xc4\x11\x98\xac\x1a\xd4\xfd\xc0\x4d\x78\x10\x98\x73\x3a' +
'\xe0\x88\xa3\xab\xa6\x5c\x6e\x47\x9a\x21\xb5\x57\xc3\xa1\x7d' +
'\x5e\xf0\xb6\x6d\x84\x15\x6a\xcd\xe8\x62\x31\x0e\x42\x89\x8f' +
'\xf5\x1f\x48\xbc\xb3\x2d\x87\xcb\xa4\xe8\xc9\xa7\x09\x15\xf6' +
'\x72\xa0\xce\x84\x1c\x29\xe8\xb0\xff\xd5\x3d\x82\x78\x25\x4b' +
'\xef\xd8\x94\x74\x69\xcc\xa4\x44\x11\xd5\x97\x13\xc6\x83\xd6' +
'\xe7\x8a\xf9\xa6\xe0\x71\x67\xbf\x0b\xb4\xe0\x52\x2f\x4a\xe2' +
'\x3a\x25\x3a\xa4\xec\x17\x7f\x32\x0f\x3d\x67\x73\xe7\x5b\x60' +
'\x2c\x56\x0c\x41\x46\xe0\x87\xf8\xcc\xb9\x9c\x7f\x78\x29\xe3' +
'\x7f\x00\xe0\x2f\xa5\x59\x5a\x51\x20\x08\xb9\x84\x3c\x30\xea' +
'\xc1\x70\xe1\xf7\xdb\x97\x0e\x39\xfc\x2d\xc0\xcf\x9d\x79\xcd' +
'\xeb\x2a\xe3\x9b\xec\xc4\xd0\xc9\x15\x2f\xf9\x5c\x2a\x78\xf4' +
'\x46\xbf',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['WEBMAIL']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xaf\x6c\x48\x9f\xe0\x02\xae\xff\x2f\xe2\x3e\x54\x11\x65' +
'\x1b\x4d\xc9\x6c\xd4\x80\x28\x9e\xc0\xc0\x11\xcb\xbc\x6d\x4f' +
'\x18\xc8\x9a\x7f\x7f\xe7\xcd\x6b\x1f\xd6\x3f\x5b\x29\x7b\x51' +
'\x7f\xde\xc1\xed\xbc\x80\x3b\x97\x59\xed\x6a\xab\xfb\x99\x2d' +
'\x13\xa5\x5d\xff\x50\x57\xe5\xcd\xab\xeb\xe6\x06\xc8\x3c\xdf' +
'\xc2\xb9\x9b\x08\x5b\xaa\xdc\x7d\xcd\xc3\x1f\xf0\x90\xd9\x6f' +
'\xef\x57\x2a\x8a\x26\xaa\x9e\xf1\xf8\x91\x74\x9f\x37\x52\x96' +
'\x72\x14\x28\xb5\xe9\x03\x1c\x13\x4b\x0d\xf6\x5c\x0a\x04\xed' +
'\x96\x45\x69\x0d\x86\x52\xe9\x32\x41',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['ALPHA']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xde\x6f\x4a\xe4\xda\x2b\x48\xfb\x2b\x47\x47\x6b\x49\x8c' +
'\xd1\x11\x25\x93\xb5\x6e\x98\x61\x84\x10\x39\x61\x62\x92\x17' +
'\x28\xe0\x2f\x1f\x03\xab\x28\x8b\x9f\x51\x88\xcc\x7e\x79\x4e' +
'\x64\x3d\xf2\xd4\xb5\x75\xc1\xdd\xbc\x20\xa5\x1a\x31\x8f\x8a' +
'\x2f\x18\x19\xe2\x05\x42\x40\x6c\x8e\x71\x10\x2c\x1e\x82\x85' +
'\x6f\xa8\xf7\x5f\xc9\x45\x8d\xc6\xeb\xc4\x59\x80\x51\x72\xfc' +
'\x9c\xe1\x63\x95\xdb\x2e\xf9\x56\xc8\xb9\xd6\x86\x84\x5f\x45' +
'\x91\xd8\xf5\x51\x0e\xb6\x76\x16\xc6\x21\x67\x5a\x04\x94\xe4' +
'\xe8\x24\xfb\x7e\xdf\xd9\x46\xee\xf9',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['EMAIL']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\x92\xc0\xca\xdf\x95\xb1\x5f\x42\x36\xf4\xa0\x68\xdb\xb2' +
'\xc3\xad\x9e\x9b\x4a\x47\xf5\xb4\x00\x19\xf7\xce\x08\x55\x45' +
'\x34\x7d\x82\xd8\xd8\xb1\xf4\x13\xb3\x48\x6f\x60\xec\x76\x5b' +
'\x47\x1a\x47\x13\xb7\xfb\x91\xc9\x94\x89\x66\xdd\xdc\xfb\xb7' +
'\x82\x0c\xdd\xeb\x63\x70\xd5\xd4\x4e\x38\xc4\x84\x85\xe9\xd5' +
'\xd3\x1d\xbc\x47\x34\x5c\x8d\x40\x41\xf9\x09\x40\x30\x4c\x8c' +
'\xa9\xf0\x84\xe1\xfe\x47\x3d\xcc\x57\x0c\xed\x6f\x15\x4a\xa4' +
'\x4b\x57\x24\xe1\xff\xf3\xfb\xea\x05\x50\xdc\xed\x0f\x23\xa4' +
'\x35\x61\x32\xaf\xd3\x3e\x05\xcc\x1f',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['LAME']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xd9\x18\x49\x6f\xff\x1b\x97\x40\x21\x80\x7c\x14\xaa\x51' +
'\x30\x73\x5a\x86\x35\xac\xb1\x40\x93\x32\x9d\xb1\xfd\xbc\xb5' +
'\x65\x5e\xef\xcf\xc7\xad\x62\x97\x0e\xf4\x04\x77\xe7\xeb\x70' +
'\xf8\xb4\x37\x51\xd3\x29\x3f\x9c\x80\xeb\xcc\x40\x4e\x35\x82' +
'\x85\x3a\x48\xd1\x07\xa2\x07\x24\xf8\x28\xa9\x93\x5c\x2e\xb2' +
'\x20\xf8\xcc\x5d\x75\x24\x02\x7c\x4a\x76\x44\x71\xb3\x51\x2d' +
'\x91\x81\x1a\x71\xa3\x0a\xf3\x8d\x8d\x82\xd8\xf8\x17\x0b\x32' +
'\x13\xdb\x65\x7e\xdf\x42\x06\x1e\x0e\xcd\xe0\xe4\x98\xd2\x39' +
'\x6e\xa2\xd9\x5d\x11\x54\x8b\x4a\x09',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['NS']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xaf\x05\x10\x20\x6b\xd0\x47\x8a\x6d\x03\xfd\xde\xc9\x64' +
'\x22\xe1\xc0\x49\x4f\x89\x97\x0d\xa8\xf9\x0f\x54\x14\x4c\xa3' +
'\x94\xcc\x9d\x6f\x6b\x34\x37\x90\x00\xcc\xbd\x2a\xab\x8b\x30' +
'\xa8\x0b\x88\xef\x73\xf0\xde\x2e\x22\x3f\xf4\xc7\x01\xee\x80' +
'\xd2\xc8\x8c\x84\x9a\x00\x12\xcd\x89\x2b\xf0\x59\x37\x30\x80' +
'\x52\x3d\xdf\x60\x40\xe0\x25\x2f\xc7\x8e\xa3\x86\xdb\xc2\x28' +
'\xb8\x3d\x07\x46\xa1\x4b\x18\xa0\xbc\x06\x97\x97\x0e\x4f\x65' +
'\x18\x95\x0c\xac\x58\xb2\x17\x1b\xba\x66\xfd\x2d\x19\xad\xdc' +
'\x6d\xe6\x6f\xd3\x16\xb3\xb2\xcc\xfb',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['SERVER']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xa7\x38\xc7\xc7\x43\x52\x3b\x59\xc9\x7f\xcc\xbc\x9b\xfa' +
'\x40\xaf\x4d\x7d\x82\x97\xe6\xe3\xec\x69\xeb\xb7\x44\xd6\x75' +
'\xd5\xf4\x4b\xbb\x18\xe2\x54\x8e\x67\x0e\x65\xe9\xb3\xa8\xc8' +
'\xeb\xff\x95\xff\x42\x14\x89\x7a\x31\x7e\x1b\xb0\x6d\x8f\x89' +
'\xdb\xca\xa3\x1b\xce\x8a\x62\x76\xe8\x72\xb6\x62\xd0\xdd\x24' +
'\xef\x35\xaf\xf0\x3a\x96\xa1\xe4\x5a\x19\x76\xe9\x51\x4e\x8d' +
'\x0b\x43\x2b\xfa\xaf\x36\x4a\xb4\x21\x88\x1b\xff\x00\x6f\xf5' +
'\x98\x63\xf5\x0d\xf3\xf5\x10\x3c\xa0\x04\x78\x23\x3c\x2b\x54' +
'\x41\x02\x19\xb2\x35\x78\xcd\x07\x5b',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['SUR']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\x99\x60\xd5\xab\x5f\x52\x57\x48\x98\x93\xed\x37\x59\xb3' +
'\xf1\xe6\x7d\x44\xc7\x55\x25\x25\x82\x3c\x9c\xa7\x9d\xab\xd7' +
'\x7f\xa4\x56\x64\xe5\x17\x31\x5a\x9c\x21\xe3\xd6\xe7\x6a\x11' +
'\x65\xc9\x4b\xd2\x5c\x45\x49\xde\xae\x2d\x72\xa9\x7f\x3f\x59' +
'\xf7\xcc\xff\x56\x93\xcd\xa6\xfb\xeb\x0d\x15\x0f\x76\xb8\x78' +
'\xae\x4e\x46\xae\xe5\x98\x79\xea\x4a\xc9\xe2\x52\x52\x77\x08' +
'\x8e\x1c\x0f\xf3\x29\xe1\xa8\x1c\x28\x98\xa8\xeb\x76\x10\xf1' +
'\x08\x06\xd9\x09\xa3\xe4\x54\x35\xba\x4d\x29\xc3\xed\xf9\xa8' +
'\x2c\xe4\x95\xb7\xf2\xa7\x89\x4d\x85',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['AOL']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xb8\x68\xc6\xe9\x75\xc5\x4b\x73\x27\xe3\xaa\x9d\xd9\xf2' +
'\xba\x73\xec\x86\x5a\x1c\x89\x3c\xd0\x37\x5e\xa7\x3e\x9d\x48' +
'\x84\xcd\xa4\x12\x19\x15\x57\xca\xba\xfe\xca\x2e\x2b\x72\x70' +
'\x5f\xd7\x64\xad\x7a\x6e\x7e\xc2\x06\xdd\x99\x3c\x95\x05\x19' +
'\xf2\xd7\x28\x8c\x45\x8f\x91\xc8\x61\x6e\x23\x2c\xb8\x2b\x07' +
'\x08\x21\xb8\x9a\x4a\x4e\x12\x70\xc9\xeb\x19\x3a\xe0\xf0\x3e' +
'\x72\xfb\xad\xb3\xdd\x57\x34\xe8\x18\x8b\x29\x8f\x33\xbc\x32' +
'\xe3\xb0\xe8\xc0\x3a\x5c\xfa\xe5\xaa\xc2\x17\x94\x1f\x81\xe7' +
'\x9b\x60\x2a\x7a\xaa\xbf\xe1\x34\xe1',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['YAHOO']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xfc\xff\x51\xf1\x18\xff\x58\x49\x43\xe6\xbb\x01\x4e\x77' +
'\x64\x13\xca\x79\x1c\x4a\x24\xd4\xec\x13\x1e\x46\x68\x1d\xe3' +
'\xd0\xac\xbc\x08\xd4\x88\xd5\x62\x5c\x82\xbd\x95\x2c\x66\x49' +
'\xe4\x80\x2f\xc5\x79\x5a\xe2\x91\xef\x7c\xb7\x9f\x6e\x57\x6a' +
'\xba\xf5\x13\x20\x6d\x61\x9c\xdb\x12\xb7\x46\x32\x94\x78\x4d' +
'\x58\xcf\x69\xa2\x82\x43\xb4\xb9\x05\x62\x75\x86\xfc\x0a\x92' +
'\x21\x55\x64\xfb\x03\x6a\xc8\x2e\x55\x86\xe8\x68\xa5\xe9\xe3' +
'\x93\xf8\x4a\x85\x91\x89\x99\xd0\x3c\x5e\xc3\x16\xdc\x01\x0f' +
'\x9d\x41\x5c\x7a\xd4\x0d\x6a\x8a\x49',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['MOON-NIGHT']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\xb4\x41\x24\x7c\x01\x23\x67\x6b\x66\xad\x47\x3d\x23\xae' +
'\x08\x9c\xe4\x4c\x2b\x9b\xff\x25\x92\x11\xae\x9f\x55\x73\xcb' +
'\xd7\x8f\x2c\xe3\x17\xd4\xe6\x81\x40\x68\x4a\xcd\xa4\xba\x33' +
'\xf8\xf3\xb7\xe9\xbc\x7d\x0c\x51\x13\x35\xd9\xa8\xb9\xbd\x8c' +
'\x8d\x0d\xa6\x28\xc8\xb6\xf7\x66\x1d\xe3\x69\xf2\x9e\x4c\xe4' +
'\x03\xc1\x3b\xae\x55\xa5\xc7\x3e\xde\x80\x1b\x07\x5d\x0f\xa7' +
'\xa3\xf0\x50\x60\xd4\x80\x29\x12\x5f\x1b\x11\x8c\x8a\x3d\xe5' +
'\xb3\xad\xc1\x76\xda\x0c\xa4\x63\xa4\x8b\x22\x0d\x49\x1a\xa0' +
'\x23\x99\x80\xbd\x09\x3d\x60\xdc\xf9',
'\x01\x00\x01' # Exponent
)
);
apt1_certs['NO-NAME']['subjectPublicKeyInfo'] = make_nested_list(
'1.2.840.113549.1.1.1', # Public key algorithm (rsaEncryption)
make_nested_list( # modulus
'\x00\x9b\xcc\xf3\x67\x5c\x02\xdb\x83\xd0\x5d\x52\x05\x3c\x8a' +
'\x66\x16\xfa\xb2\x5d\x78\x43\x91\x64\x80\x09\x5b\xc6\x1f\xb6' +
'\xdc\x1f\x60\xfb\xe2\xd2\x15\x0b\xf5\x46\x3a\x76\xc5\x4e\x91' +
'\x21\x4d\x33\x46\x25\x04\x28\x70\x69\x25\x87\x38\x01\x1d\x85' +
'\x94\x9f\x49\xd0\x1c\x94\x2f\x1e\x58\xe3\x49\x2a\x89\x83\xc0' +
'\x0b\x76\x53\x49\x34\xf7\x85\x5e\x43\x35\xa4\x16\x24\x76\x8d' +
'\x5b\x2a\x23\xbb\x57\x34\xaf\x16\x74\x2b\xf8\x64\x44\x15\x6d' +
'\x15\x8b\x7a\xa6\x4e\xa1\xd0\xe0\x77\xb0\x2e\xd4\xd9\x00\xdd' +
'\x93\xd6\x3d\xa5\xe3\x2b\xec\x76\x49',
'\x01\x00\x01' # Exponent
)
);
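# Get the list of ports that use SSL or StartTLS. With fork:TRUE the plugin
# is expected to be forked once per port, so 'port' is a single value from
# here on (it is concatenated into the exit messages below).
port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(1, "The host does not appear to have any SSL-based services.");

# Get the DER-encoded certificate chain from the target.
chain = get_server_cert(
  port     : port,
  encoding : "der",
  getchain : TRUE
);
if (isnull(chain) || max_index(chain) <= 0)
  exit(1, "Failed to retrieve the certificate chain from port " + port + ".");

chain = parse_cert_chain(chain);
if (isnull(chain))
  exit(1, "Failed to parse certificate chain on port " + port + ".");

# The offending certificate is self-signed, meaning that it can only
# occur at the top of the certificate chain, i.e. the last element of the
# parsed chain (a bare server certificate is simply element 0).
top = chain[max_index(chain) - 1];

# Fix: a top element without a parsed tbsCertificate (e.g. a malformed or
# truncated certificate) previously reached obj_cmp() as NULL. Report the
# parse failure explicitly instead of comparing against nothing.
if (isnull(top) || isnull(top["tbsCertificate"]))
  exit(1, "Failed to parse the top certificate in the chain on port " + port + ".");
top = top["tbsCertificate"];

foreach name (keys(apt1_certs))
{
  # Both the subject DN and the public key must match. The subject alone
  # (e.g. CN=SERVER or CN=EMAIL) is far too generic to be an indicator on
  # its own; the key is what ties the certificate to the known set.
  if (
    obj_cmp(top['subject'], apt1_certs[name]['subject']) &&
    obj_cmp(top['subjectPublicKeyInfo'], apt1_certs[name]['subjectPublicKeyInfo'])
  )
  {
    if (report_verbosity > 0)
    {
      # [modulus, exponent] of the matching entry, for the report.
      key = apt1_certs[name]['subjectPublicKeyInfo'][1];
      report =
        '\nThe following certificate is being used by the remote host, which' +
        '\nindicates it may have an APT1 malware infection :\n\n' +
        'Subject : ' + format_dn(apt1_certs[name]['subject']) + '\n' +
        add_hex_string(name:"Public Key", data:key[0]) +
        add_hex_string(name:"Exponent", data:key[1]);
      security_hole(port:port, extra:report);
    }
    else security_hole(port);

    # One match is enough for this port; stop here.
    exit(0);
  }
}

exit(0, "The certificate chain from port " + port + " is not affected.");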