Slashdot Mirror


Crawling for Certificates?

flosofl asks: "I work for a large company in the Authentication and Cryptography Group. Recently, we have decided to centralize all management of our certificates. Right now we manage something on the order of 200 certs. We estimate that there may be something on the order of 100-150 certs in our enterprise that we are unaware of/managed locally. What we especially want to eliminate are the 'in house' cert servers that have cropped up here and there. What we need is a tool to crawl the network and discover these certificates. I thought maybe nmap, but could not find any options for this. I am aware of the Certificate Discovery Protocol, but can find nothing other than specification pages and I am not a programmer. We would like some kind of tool that would crawl the networks and discover servers with VeriSign, InstaSSL, and type of certs. We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."

30 comments

  1. Quick solution by Anonymous Coward · · Score: 1, Insightful

    Windows -> Search -> All Files -> *.crt and make sure the network is selected as the place to search for files.

  2. ask me? by buttahead · · Score: 2, Informative

    ask me to write a plugin to perl's NetworkInfo-Discovery?

  3. You Need a Programmer by jmt9581 · · Score: 2, Informative

    Nmap is definitely a step in the right direction, but that would only handle the port scanning. AFAIK, nmap doesn't know how to parse SSL certificates. While nmap could probably be helpful in port scanning for services running on port 443, it's definitely not a complete solution.

    Really you need to find a programmer to do this for you. With a budget of $10,000 I'm sure that you could get a decent crawler, and if you shop around a bit you could certainly get it done for less. There are a lot of consultants who do this for a living, and I wouldn't be surprised if you had someone with the requisite skills in-house. I would talk to the people around you and find a solid programmer who also knows a thing or two about networking and SSL certs.

    If you'd like to contract the job out, contact me via e-mail through contact at biosysadmin.com and I'd be happy to give you a quote.

    :)

    --

    My blog

    1. Re:You Need a Programmer by jmt9581 · · Score: 2, Informative

      One more thing: the Certificate Discovery Protocol (CDP) that you link to appears to need some setup on the server side before it works: you need to be running a CDP server on UDP port 1460 to respond to requests from this protocol. So, you could theoretically implement this after you find out where all your SSL servers are. :)

      --

      My blog

    2. Re:You Need a Programmer by buttahead · · Score: 1

      hey now... you're trying to move in on my territory :)

    3. Re:You Need a Programmer by BrynM · · Score: 1

      Go post it on Rent A Coder

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
  4. This is easy by nocomment · · Score: 1

    I'll crawl your network for 10 grand!

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
    1. Re:This is easy by buttahead · · Score: 2, Funny

      hell.. I'll crawl under your non-raised floors checking cables for $10,000.

  5. Wrong solution by Anonymous Coward · · Score: 1, Informative

    Searching for certificates is the wrong way to handle this. I advise to simply make it a policy to not use any certificates for company use which are not maintained by you.

    1. Re:Wrong solution by bigsteve@dstc · · Score: 3, Funny

      > Simply make it a policy to not use any certificates for company use which are not maintained by you.

      ... and make it a policy that everyone should follow policy :-)

    2. Re:Wrong solution by dubl-u · · Score: 4, Insightful

      > Searching for certificates is the wrong way to handle this. I advise to simply make it a policy to not use any certificates for company use which are not maintained by you.

      Ok. The original poster's solution isn't so great, but just declaring it "policy" is about three orders of magnitude dumber.

      Here's a simple, 4-step plan to solving the problem.
      1. understand the problem -- Find out why people are creating their own certificates. There will be plenty of legitimate reasons.
      2. give them something better -- Figure out a solution that addresses their needs as well as yours. And wherever possible, make it easier than what they're doing now. For example, create a web-based application that lets anybody in the company instantly get an officially blessed certificate.
      3. make a policy -- Explain, in clear business terms, why your policy is the least-impact way to solve a real business problem.
      4. enforce it -- Now you can set up the fancy automated scanner.
      Remember, the other people in your company are, for the most part, doing their jobs in the best way that they know how. (And even when they aren't, it's best to start off treating them that way.) If you know something about how they could do their jobs better (e.g., by improving security though better certificates), then help them to achieve that.

      But for fuck's sake, don't just go imposing random mandates on other people like some third-world dictator. I've consulted at some large companies that have so many rules, mandates, procedures, and forms that it's impossible to get anything productive done. And most of the good people figure that out and leave.

    3. Re:Wrong solution by Clover_Kicker · · Score: 1

      It depends on the culture of the company.

      In some companies, your job is to follow the procedures, not to fix stuff or make life easier.

      I don't like it, I didn't make it that way, but I do have to work here.

      >I've consulted at some large companies that have so many rules,
      >mandates, procedures, and forms that it's impossible to get anything
      >productive done. And most of the good people figure that out and
      >leave.

      Welcome to my nightmare. I wish I had something better to go to.

      On a more productive note, you can do real work and make positive changes in those environments, it just takes a veeeerrryyy looooonnnnggg time to jump thru the hoops. You can salvage some of your sanity by having several of your good ideas in the (very long) pipeline at once.

  6. Dear Sir, by Anonymous Coward · · Score: 1, Funny

    > We also would like to keep it inexpensive (sub $10,000).

    Is your company hiring?

  7. Kinda easy answer (depending on network config) by itwerx · · Score: 3, Informative

    1 - Use NMap to find all your SSL hosts.
    2 - Sniff packets to/from those hosts (you're in a position to connect to them anyway I presume) and log all the connection handshakes.
    3 - Process the logs to get a nice list of hosts and certs.

    Repeat every couple of days for two or three weeks to catch dev servers and the like which might be offline periodically and voila'!

  8. openssl s_client by cnvogel · · Score: 4, Informative

    Hi,

    1.) nmap your network. Find https-servers (port 443), imaps, pop3s, ssmtp. Those should run ssl on connect.
    1.b) find imap, pop3, smtp servers that support STARTTLS
    1.c) use openssl s_client -showcerts -connect host:port to get the certificate
    2.) ?
    3.) Profit!

    Chris

  9. Done by Permission+Denied · · Score: 5, Informative
    I'd like my $10,000 in small unmarked bills.

    # list hosts with 443 open, pull each one's cert, print the issuer,
    # and report every host whose issuer is not your CA
    nmap your_network_here -p 443 -oG - | awk '/443\/open/ {print $2}' | while read -r i ; do
      openssl s_client -showcerts -connect "$i:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null \
        | grep -q -F 'your_certificate_authority_here' || echo "$i"
    done

    Two minutes, three lines of code, $10,000 - I'm undercharging my employer!

    Seriously, though, don't run this without understanding each part. If you have a large network, split it up into separate commands using temp files. You'll probably want to add some code to check for self-signed certificates (assuming those aren't against your "corporate policy"). You'll also want to scan other ports running SSL directly, such as 995. Some services more commonly use STARTTLS in which case the openssl s_client won't work (LDAP v3, SMTP). For these services, you'll need to write a small network program linked to openssl that knows enough of the protocol to initiate STARTTLS and grab the certs. Overall, this is a half day of work at most for little programs to test all the STARTTLS possibilities.

    I really have to question your company's judgment if they're willing to spend that much money on something so trivial. If you're large enough that rogue certificate servers actually pose a problem, you should definitely have some good *nix admin/network/systems programmer types who can do this for you.
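The STARTTLS gap that cnvogel and Permission+Denied both point out (a plain s_client connect gets nothing from an SMTP server that only offers STARTTLS; modern openssl also has `-starttls smtp`), as an added example that is not code from this thread: a small Python script that speaks the ESMTP STARTTLS handshake itself, grabs the server's DER certificate, and pulls the issuer CN out so it can be compared against the list of CAs the central group manages. The EHLO name `inventory.example` and the minimal DER walker are my own assumptions, not anything from the posts.

```python
import socket
import ssl

def der_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                             # long-form length (certs exceed 127 bytes)
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + ln

def issuer_cn(der):
    """Issuer commonName of a DER X.509 certificate, or None if absent."""
    _, pos, _ = der_tlv(der, 0)               # Certificate ::= SEQUENCE {
    _, pos, _ = der_tlv(der, pos)             #   tbsCertificate ::= SEQUENCE {
    if der[pos] == 0xA0:                      # optional [0] EXPLICIT version
        pos = der_tlv(der, pos)[2]
    for _ in range(2):                        # skip serialNumber and signature alg
        _, _, pos = der_tlv(der, pos)
    _, p, name_end = der_tlv(der, pos)        # issuer Name ::= SEQUENCE OF SET
    while p < name_end:
        _, q, set_end = der_tlv(der, p)       # RelativeDistinguishedName SET
        _, r, _ = der_tlv(der, q)             # AttributeTypeAndValue SEQUENCE
        _, o_s, o_e = der_tlv(der, r)         # attribute type OID
        _, v_s, v_e = der_tlv(der, o_e)       # attribute value (any string type)
        if der[o_s:o_e] == b"\x55\x04\x03":   # id-at-commonName (2.5.4.3)
            return der[v_s:v_e].decode("utf-8", "replace")
        p = set_end
    return None

def fetch_cert(host, port, starttls=None, timeout=5):
    """Return the server's DER cert; starttls='smtp' speaks ESMTP first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # inventory run, not validation
    sock = socket.create_connection((host, port), timeout)
    if starttls == "smtp":
        rd = sock.makefile("rb")
        rd.readline()                         # 220 banner
        sock.sendall(b"EHLO inventory.example\r\n")   # assumed client name
        line = rd.readline()
        while line.startswith(b"250-"):       # multi-line EHLO reply
            line = rd.readline()
        sock.sendall(b"STARTTLS\r\n")
        if not (line.startswith(b"250 ") and rd.readline().startswith(b"220")):
            raise RuntimeError("%s:%d refused STARTTLS" % (host, port))
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)
```

Feed `fetch_cert()` the nmap hit list (port 443 and friends directly, port 25 with `starttls="smtp"`) and flag any host whose `issuer_cn()` is not one of your managed CAs; the same handshake pattern extends to the IMAP and POP3 STARTTLS commands.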

  10. What about personal certs? by fuzzybunny · · Score: 2, Insightful

    Are you only talking about unmanaged ("server") certificates? Do your employees use personal certificates for authentication/signing/encryption/non-repudiation/ making toast/whatever?

    As lots of posters have indicated, finding the ssl certificates is pretty easy.

    Note that this only applies to individuals' certificates, but what about keys? Not all keys are cert-based. Do you want to centrally manage employee or customer info via a PKI? Got a proper directory schema in place? Handling keys via tokens/got a token/card management system in place that'll hold up?

    You should probably make sure you know the answers to those before starting anything.

    --
    Cole's Law: Thinly sliced cabbage
  11. the free solution by truffle · · Score: 1


    mail staff@mycompany.com

    My group is now managing all secure certificates within the company. If you are currently managing a secure certificate, please inform me so I can arrange for a transfer of management. To better ensure company security, a single group managing certificates will be company policy from now on.


    Seriously, why do you need to be so controlling as to seek out rogue certs?

    --
    I support spreading santorum
    1. Re:the free solution by penguinboy · · Score: 2, Insightful

      It's possible that there are certificates in use that no one really knows about - for example, an HTTPS web application server set up for a group that just uses it without caring about all the technical details. Asking will probably find most of the certs, but there might be some other ones out there.

  12. Create a business. by aminorex · · Score: 1

    If you want it, then others do too.
    Hire someone to write a cross-platform
    utility to scan disks for certs and
    sniff network traffic for certs, and log
    them all to a central service. Put a GUI
    on it. Write documentation. That's worth
    $10K. Now offer it for sale for $5k.
    If it doesn't make money, open-source it.

    --
    -I like my women like I like my tea: green-
    1. Re:Create a business. by Anonymous Coward · · Score: 0

      Is there some reason you manually word wrap at around 40 characters? It looks freaking stupid and it's also hard to read, jumping to a new line every fifth word.

  13. Thanks guys (and gals - you never know...) by flosofl · · Score: 3, Informative

    Thanks people. MOST of the comments have helped point me in the direction we are probably gonna take with this.

    I sent Tex this in email form earlier and thought I would let you guys know which way we're probably gonna go:

    I was thinking about Nessus (it has an SSL plugin). It seems kinda noisy on the network (I haven't played with it enough). I think what we're gonna end up doing is having IT Security run nmap against our servers (about 2500+) and collate a list of SSL responses (https, ssmtp, etc..). Then set up a script to run the openssl s_client with the '-showcerts' option to get the certificate.

    I wish there was a click-and-go solution, but ya can't have everything...

    And, sorry, I can't hire contractors :) (and I'm sure not gonna pay $10,000 to write a small script - that money can go for other things - like air cannons!!)

    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    1. Re:Thanks guys (and gals - you never know...) by Anonymous Coward · · Score: 0

      You know, I really have to say this, why do you have a job when so many smart IT people don't?

      Writing a script to find these SSL servers is trivial.

    2. Re:Thanks guys (and gals - you never know...) by Anonymous Coward · · Score: 1, Insightful

      mini-rant:

      You said you would pay up to $10k for a solution.

      If you don't have the skills to write the correct three lines of script, why should it matter that the correctly implemented solution is only three lines long?

      Is this solution any less good than something written in a month that does the same thing, only in C++?

      Are you embarrassed that actually the question you asked is trivial to implement, and you couldn't figure it out? Thus now your $10k seems like largesse....

      What do you want, a solution? If three lines of script is too little, Counterpane, or a similar security consultancy, will probably do it for $10k+ (They have scripts that are 1000s of lines long I'm sure! - and they are pretty damn good)

    3. Re:Thanks guys (and gals - you never know...) by Iamnoone · · Score: 1

      Here's one "vector" that I don't think anyone has mentioned and that you may or may not need to check for. Someone did mention personal certificates, which might be hard to find.

      But one of the things I used certificates for was a "process" certificate that would be used, for instance, by a UNIX job that encrypts a data file to send to a business partner, or receives an encrypted file/datafeed from somewhere and then decrypts and processes it.

      You might need to spin through filesystems and see if there are gpg signed/encrypted files or key files, or depending on how your machines are set up the existence of gpg or pgp.

      Having worked in a large organization, I can understand how a 10K funny money budget can be quickly burned through without getting any work done - by people attributing internal resource costs to the project. If you need to have a person from the network group, they want to charge a bunch of hours to your project for their "help". More infuriating are the rule-enforced bloodsuckers and albatrosses that you are required to add to the project and they then proceed to block every attempt to get anything done and charge you for the privilege...

  14. Support OSS!! by Quixote · · Score: 1

    > We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."

    Hello? Why not pay some small firm to come up with something suitable, released under GPL? You kill 2 birds with 1 stone: support OSS, and add to the GPL pool.

    In general, people: if you have some control over a pool of money for some small tasks like these, throw them in the direction of OSS people!

  15. Where is the real problem, though? by JGski · · Score: 1

    If you have rogue cert servers "popping up", doesn't this suggest that a need is not being met by the existing IT strategy and infrastructure? Is centralization really going to make that need decrease, or, more likely, simply increase?!

    I know, the PHBs said this was the solution that needed to be implemented. Nevermind!

  16. Ask Slashdot: I don't want to do my job. Will you? by Anonymous Coward · · Score: 0

    flosofl asks: "As with most days, I don't really feel like working today. Will you do my job for me? I can't really pay you other than to say we would otherwise spend $10K (I am hoping that will make you feel like your time was actually worth something.) Anyway, today my task is to find all the SSL certs on our network. First shell scripter worth his salt will earn a +5 Informative."

  17. Freshmeat? by RabidMonkey · · Score: 1

    This seems like a great place for opensource and commerce to come together.

    If your company is willing to pay $10,000 for a product, why not post asking for someone to write something for you and pay them the money?

    Seems like a good way to go and it's win/win .. the community gets a new tool and you get the program you want custom developed for a damn good price.

    --
    We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
  18. Holy Crap. Air Cannons! by TubeSteak · · Score: 1

    There's only one place to get those: SpudTech
    Home to some of the most ridiculous potato cannons anywhere.

    --
    [Fuck Beta]
    o0t!