Recently, there was a Remote Code Execution (RCE) vulnerability discovered in Palo Alto Firewalls. I found out about this through a post on the Full Disclosure mailing list by the researcher who discovered it.
Even more recently, another post was made, with a script to test for the vulnerability.
In that post, the author states they used a Shodan search to locate Palo Alto firewalls. While they don’t specify what search they used, I suspect it is something similar to:
ssl:"Palo Alto Networks" /php/login.php
If you visit Shodan and try the search, you’ll see that the string "Palo Alto Networks" occurs in the Organization field of the Issuer section of the certificate.
How to scan for SSL certificates from the command line
With this information in hand, we can put together a quick set of commands to grab the subject and issuer fields of the SSL certificates from a list of IP addresses, and save them to a file:
while read -r ip; do echo "$ip" >> ssl-data.out; timeout 1 openssl s_client -showcerts -connect "$ip:443" </dev/null 2>/dev/null | grep -E "subject|issuer" >> ssl-data.out; done < ip-list.txt
This goes through each IP address in the file ip-list.txt and writes the IP address to the file ssl-data.out. It then uses the timeout command to run openssl s_client, which attempts to connect to the IP on port 443 and retrieve the certificate details. The subject and issuer lines are saved to ssl-data.out, and the attempt is abandoned after 1 second if the host doesn’t respond.
Once we have the data, we can quickly search through it for the string "Palo Alto Networks", and begin further investigation of the host.
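Mapping a match back to the host it came from, as an added example that is not part of the original post: a plain grep for the string returns the certificate line rather than the IP, and it also hits subject lines. The function below reads ssl-data.out in the layout the loop above produces (an IPv4 line followed by that host's subject=/issuer= lines) and prints only the hosts whose issuer line contains the string; find_issuer_hosts, sample_data and the sample records are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post). Assumes ssl-data.out holds one
# IPv4 address per host, followed by that host's subject=/issuer= lines.

# find_issuer_hosts PATTERN [FILE]
# Print each IP whose issuer line contains PATTERN (literal match).
# Reads FILE, or standard input when FILE is omitted, e.g.:
#   find_issuer_hosts "Palo Alto Networks" ssl-data.out
find_issuer_hosts() {
    awk -v pat="$1" '
        # A bare IPv4 address starts a new host record.
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { ip = $0; reported = 0; next }
        # Only the issuer line counts; a match in subject= is ignored.
        /^issuer=/ && ip != "" && !reported && index($0, pat) > 0 {
            print ip
            reported = 1
        }
    ' "${2:--}"
}

# Constructed sample in the same layout (documentation addresses only).
# Both OpenSSL name styles are shown: "O = X" and the older "/O=X".
sample_data() {
    cat <<'EOF'
192.0.2.10
subject=CN = fw1.example.test
issuer=C = US, O = Palo Alto Networks, CN = example-ca
192.0.2.11
192.0.2.12
subject=CN = www.example.test
issuer=C = US, O = Example CA, CN = Example Issuing CA
192.0.2.13
subject=/C=US/O=Palo Alto Networks/CN=portal.example.test
issuer=/C=US/O=Example CA/CN=Example Issuing CA
192.0.2.14
subject=/CN=fw2.example.test
issuer=/C=US/O=Palo Alto Networks/CN=example-ca
EOF
}

# Demo: 192.0.2.11 never answered (no certificate lines) and 192.0.2.13
# matches in the subject only, so neither is listed.
sample_data | find_issuer_hosts "Palo Alto Networks"
```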