How To: Scanning For SSL Certificates From the Command Line

Background

Recently, there was a Remote Code Execution (RCE) vulnerability discovered in Palo Alto Firewalls. I found out about this through a post on the Full Disclosure mailing list by the researcher who discovered it.

Even more recently, another post was made, with a script to test for the vulnerability.

In that post, the author states they used a Shodan search to locate Palo Alto firewalls. While they don’t specify what search they used, I suspect it is something similar to:

ssl:"Palo Alto Networks" /php/login.php

If you visit Shodan and try the search, you’ll see that the string Palo Alto Networks occurs in the Organization field of the Issuer section of the certificate.

How to scan for SSL certificates from the command line

With this information in hand, we can put together a quick set of commands to grab the subject and issuer fields from the SSL certificates of a list of IP addresses and save the results to a file:

while read -r i; do
    echo "$i" >> ssl-data.out
    timeout 1 openssl s_client -showcerts -connect "$i:443" </dev/null 2>/dev/null | grep "subject\|issuer" >> ssl-data.out
done < ip-list.txt

This goes through each IP address in the file ip-list.txt and writes the address to ssl-data.out. It then uses the timeout command to run openssl s_client, which connects to the IP on port 443 and retrieves the certificate details; the subject and issuer lines are appended to ssl-data.out. If the host doesn’t respond, timeout gives up after 1 second. Note that timeout kills openssl after that second regardless of progress, so a host whose handshake takes longer simply leaves an empty entry under its IP address.

Once we have the data, we can quickly search through it (for example with grep) for the string Palo Alto Networks; each match identifies a host for further investigation.
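As an added example (not the original post's command), the same check done in Python: it wraps the openssl s_client call the post uses with a per-host timeout, parses the subject and issuer lines in both the old slash-separated and the newer comma-separated OpenSSL output formats, and reports hosts whose issuer Organization is exactly the string being searched for. The sample s_client output, the 192.0.2.10 address and the file name certscan.py are constructed for illustration.

```python
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# openssl s_client prints the leaf certificate as "subject=" / "issuer=" lines, in one of two DN styles:
#   OpenSSL <= 1.0.x : subject=/C=US/O=Palo Alto Networks/CN=...
#   OpenSSL >= 1.1.1 : subject=C = US, O = Palo Alto Networks, CN = ...
FIELD_RE = re.compile(r"^(subject|issuer)\s*=\s*(.*)$", re.MULTILINE)
# One attribute of the newer style; OpenSSL double-quotes values that contain commas.
ATTR_RE = re.compile(r'([A-Za-z][\w.]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')

# Constructed sample of s_client stdout (not from a real device); 192.0.2.10 is a documentation address.
SAMPLE_OUTPUT = """CONNECTED(00000003)
Server certificate
subject=C = US, O = Palo Alto Networks, CN = 192.0.2.10
issuer=C = US, O = Palo Alto Networks, CN = 192.0.2.10
"""

def parse_dn(dn):
    """Turn a DN in either OpenSSL style into {attribute: value}."""
    if dn.startswith("/"):  # old slash-separated style
        return {k: v for k, _, v in (p.partition("=") for p in dn[1:].split("/") if "=" in p)}
    return {k: v.strip().strip('"') for k, v in ATTR_RE.findall(dn)}  # new comma-separated style

def parse_s_client_output(text):
    """Return {'subject': {...}, 'issuer': {...}} from s_client stdout, or None if no certificate was printed."""
    fields = {m.group(1): parse_dn(m.group(2).strip()) for m in FIELD_RE.finditer(text)}
    return fields if "subject" in fields and "issuer" in fields else None

def fetch_cert_fields(host, port=443, timeout=5):
    """Run openssl s_client against host:port with a hard timeout; None when it fails or times out."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    try:  # input=b"" closes stdin so s_client exits right after the handshake, like </dev/null
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        return None
    return parse_s_client_output(proc.stdout.decode(errors="replace"))

def scan(hosts, org="Palo Alto Networks", workers=20):
    """Scan a list of hosts concurrently; return (host, subject CN) where the issuer's O equals org."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = zip(hosts, pool.map(fetch_cert_fields, hosts))
        return [(h, f["subject"].get("CN", "")) for h, f in results if f and f["issuer"].get("O") == org]

if __name__ == "__main__":  # usage: python3 certscan.py ip-list.txt
    with open(sys.argv[1] if len(sys.argv) > 1 else "ip-list.txt") as fh:
        for host, cn in scan([line.strip() for line in fh if line.strip()]):
            print(f"{host}\tCN={cn}")
```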
