Steve BensonNMAP:SSL-CERT-INTADDR.NSEssl-cert-intaddr NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Reports any private (RFC1918) IPv4 addresses found in the various fields of an SSL service’s certificate. These will only be reported if the target address itself is not private. Nmap v7.30 or later is required.
See also:
Script Arguments
tls.servername
See the documentation for the tls library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
smtp.domain
See the documentation for the smtp library.
randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
Example Usage
nmap -p 443 --script ssl-cert-intaddr <target>
Script Output
443/tcp open https
| ssl-cert-intaddr:
| Subject commonName:
| 10.5.5.5
| Subject organizationName:
| 10.0.2.1
| 10.0.2.2
| Issuer emailAddress:
| 10.6.6.6
| X509v3 Subject Alternative Name:
|_ 10.3.4.5
Requires
local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local ipOps = require "ipOps"
description = [[
Reports any private (RFC1918) IPv4 addresses found in the various fields of
an SSL service's certificate. These will only be reported if the target
address itself is not private. Nmap v7.30 or later is required.
]]
---
-- @usage
-- nmap -p 443 --script ssl-cert-intaddr <target>
--
-- @output
-- 443/tcp open https
-- | ssl-cert-intaddr:
-- | Subject commonName:
-- | 10.5.5.5
-- | Subject organizationName:
-- | 10.0.2.1
-- | 10.0.2.2
-- | Issuer emailAddress:
-- | 10.6.6.6
-- | X509v3 Subject Alternative Name:
-- |_ 10.3.4.5
--
--@xmloutput
-- <table key="X509v3 Subject Alternative Name">
-- <elem>10.3.4.5</elem>
-- </table>
--
-- @see http-internal-ip-disclosure.nse
-- @see ssl-cert.nse
author = "Steve Benson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "discovery", "safe"}
dependencies = {"https-redirect"}
-- only run this script if the target host is NOT a private (RFC1918) IP address)
-- and the port is an open SSL service
portrule = function(host, port)
if ipOps.isPrivate(host.ip) then
stdnse.debug1("%s is a private address - skipping.", host.ip)
return false
else
-- same criteria as ssl-cert.nse
return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
end
-- extracts any valid private (RFC1918) IPv4 addresses from any given string
-- returns a table containing them or nil if there were none found
local extractPrivateIPv4Addr = function(s)
stdnse.debug2(" extractIPv4Addr: %s", s)
local addrs = {}
string.gsub(s, "%f[%d][12]?%d?%d%.[12]?%d?%d%.[12]?%d?%d%.[12]?%d?%d%f[^%d]",
function(match)
stdnse.debug2(" pattern match: %s", match)
if ipOps.isPrivate(match) then
stdnse.debug2(" is private (HIT): %s", match)
addrs[#addrs + 1] = match
end
end)
if #addrs>0 then
return addrs
else
return nil
end
end
-- search the Subject or Issuer fields for leaked private IP addresses
local searchCertField = function(certField, certFieldName)
local k,v
local leaks = stdnse.output_table()
if certField then
for k,v in pairs(certField) do
-- if the name of this X509 field is numeric object identifier
-- (i.e. "1.2.33.4..")
if type(k)=="table" then
k = table.concat(k, ".")
end
stdnse.debug2("search %s %s", certFieldName, k)
leaks[certFieldName.." "..k] = extractPrivateIPv4Addr(v)
end
end
return leaks
end
-- search the X509v3 extensions for leaked private IP addresses
local searchCertExtensions = function(cert)
if not cert.extensions then
stdnse.debug1("X509v3 extensions not present in certificate or the extensions are not supported by this nmap version (7.30 or later needed)")
return {}
end
local exti, ext, _
local leaks = stdnse.output_table()
for _ ,ext in pairs(cert.extensions) do
if ext.value then
stdnse.debug2("search ext %s", ext.name)
leaks[ext.name] = extractPrivateIPv4Addr(ext.value)
else
stdnse.debug2("nosearch nil ext: %s", ext.name)
end
end
return leaks
end
action = function(host, port)
local ok, cert = sslcert.getCertificate(host, port)
if not ok then
stdnse.debug1("failed to obtain SSL certificate")
return nil
end
local leaks = stdnse.output_table()
for k,v in pairs(searchCertField(cert.subject, "Subject")) do
leaks[k] = v
end
for k,v in pairs(searchCertField(cert.issuer, "Issuer")) do
leaks[k] = v
end
for k,v in pairs(searchCertExtensions(cert)) do
leaks[k] = v
end
if #leaks > 0 then
return leaks
else
return nil
end
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%