ssl-cert-intaddr NSE Script

2016-12-06T16:51:31
ID NMAP:SSL-CERT-INTADDR.NSE
Type nmap
Reporter Steve Benson
Modified 2018-06-28T03:43:27

Description

Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service's certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.

See also:

  • http-internal-ip-disclosure.nse
  • ssl-cert

Script Arguments

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

smtp.domain

See the documentation for the smtp library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

tls.servername

See the documentation for the tls library.

Example Usage

nmap -p 443 --script ssl-cert-intaddr <target>

Script Output

443/tcp open  https
| ssl-cert-intaddr:
|   Subject commonName:
|     10.5.5.5
|   Subject organizationName:
|     10.0.2.1
|     10.0.2.2
|   Issuer emailAddress:
|     10.6.6.6
|   X509v3 Subject Alternative Name:
|_    10.3.4.5

Requires

  • shortport
  • sslcert
  • stdnse
  • string
  • ipOps

                                        
                                            local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"
local string = require "string"
local ipOps = require "ipOps"

description = [[
Reports any private (RFC1918) IPv4 addresses found in the various fields of
an SSL service's certificate.  These will only be reported if the target
address itself is not private.  Nmap v7.30 or later is required.
]]

---
-- @usage
-- nmap -p 443 --script ssl-cert-intaddr <target>
--
-- @output
-- 443/tcp open  https
-- | ssl-cert-intaddr:
-- |   Subject commonName:
-- |     10.5.5.5
-- |   Subject organizationName:
-- |     10.0.2.1
-- |     10.0.2.2
-- |   Issuer emailAddress:
-- |     10.6.6.6
-- |   X509v3 Subject Alternative Name:
-- |_    10.3.4.5
--
--@xmloutput
-- <table key="X509v3 Subject Alternative Name">
--   <elem>10.3.4.5</elem>
-- </table>
--
-- @see http-internal-ip-disclosure.nse
-- @see ssl-cert

author = "Steve Benson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "discovery", "safe"}
dependencies = {"https-redirect"}

-- only run this script if the target host is NOT a private (RFC1918) IP address)
-- and the port is an open SSL service
portrule = function(host, port)
  if ipOps.isPrivate(host.ip) then
    stdnse.debug1("%s is a private address - skipping.", host.ip)
    return false
  else
    -- same criteria as ssl-cert.nse
    return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
  end
end

-- extracts any valid private (RFC1918) IPv4 addresses from any given string
-- returns a table containing them or nil if there were none found
local extractPrivateIPv4Addr = function(s)
  stdnse.debug2(" extractIPv4Addr: %s", s)

  local addrs = {}

  string.gsub(s, "%f[%d][12]?%d?%d%.[12]?%d?%d%.[12]?%d?%d%.[12]?%d?%d%f[^%d]",
    function(match)
      stdnse.debug2("  pattern match: %s", match)
      if ipOps.isPrivate(match) then
        stdnse.debug2("  is private (HIT): %s", match)
        addrs[#addrs + 1] = match
      end
    end)

  if #addrs>0 then
    return addrs
  else
    return nil
  end
end

-- search the Subject or Issuer fields for leaked private IP addresses
local searchCertField = function(certField, certFieldName)
  local k,v
  local leaks = stdnse.output_table()

  if certField then
    for k,v in pairs(certField) do

      -- if the name of this X509 field is numeric object identifier
      -- (i.e.  "1.2.33.4..")
      if type(k)=="table" then
        k = stdnse.strjoin(".", k)
      end

      stdnse.debug2("search %s %s", certFieldName, k)
      leaks[certFieldName.." "..k] = extractPrivateIPv4Addr(v)
    end
  end

  return leaks
end

-- search the X509v3 extensions for leaked private IP addresses
local searchCertExtensions = function(cert)
  if not cert.extensions then
    stdnse.debug1("X509v3 extensions not present in certificate or the extensions are not supported by this nmap version (7.30 or later needed)")
    return {}
  end

  local exti, ext, _
  local leaks = stdnse.output_table()

  for _ ,ext in pairs(cert.extensions) do
    if ext.value then
      stdnse.debug2("search ext %s", ext.name)
      leaks[ext.name] = extractPrivateIPv4Addr(ext.value)
    else
      stdnse.debug2("nosearch nil ext: %s", ext.name)
    end
  end

  return leaks
end

action = function(host, port)
  local ok, cert = sslcert.getCertificate(host, port)
  if not ok then
    stdnse.debug1("failed to obtain SSL certificate")
    return nil
  end

  local leaks = stdnse.output_table()

  for k,v in pairs(searchCertField(cert.subject, "Subject")) do
    leaks[k] = v
  end

  for k,v in pairs(searchCertField(cert.issuer, "Issuer")) do
    leaks[k] = v
  end

  for k,v in pairs(searchCertExtensions(cert)) do
    leaks[k] = v
  end

  if #leaks > 0 then
    return leaks
  else
    return nil
  end
end