Crawling for Certificates?

flosofl asks: "I work for a large company in the Authentication and Cryptography Group. Recently, we have decided to centralize all management of our certificates. Right now we manage something on the order of 200 certs. We estimate that there may be something on the order of 100-150 certs in our enterprise that we are unaware of/managed locally. What we especially want to eliminate are the 'in house' cert servers that have cropped up here and there. What we need is a tool to crawl the network and discover these certificates. I thought maybe nmap, but could not find any options for this. I am aware of the Certificate Discovery Protocol, but can find nothing other than specification pages and I am not a programmer. We would like some kind of tool that would crawl the networks and discover servers with VeriSign, InstaSSL, and type of certs. We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."

ask me?

[buttahead]

ask me to write a plugin to perl's NetworkInfo-Discovery?

You Need a Programmer

[jmt9581]

Nmap is definitely a step in the right direction, but that would only handle the port scanning. AFAIK, nmap doesn't know how to parse SSL certificates. While nmap could probably be helpful in port scanning for services running on port 433, it's definitely not a complete solution.

Really you need to find a programmer to do this for you. With a budget of $10,000 I'm sure that you could get a decent crawler, and if you shop around a bit you could certainly get it done for less. There are a lot of consultants who do this for a living, and I wouldn't be surprised if you had someone with the requisite skills in-house. I would talk to the people around you and find a solid programmer who also knows a thing or two about networking and SSL certs.

If you'd like to contract the job out, contact me via e-mail through contact at biosysadmin.com and I'd be happy to give you a quote.

:)

Re:You Need a Programmer

[jmt9581]

One more thing: the Certificate Discovery Protocol (CDP) that you link to appears some setup on the server-side before it works: you need to be running a CDP server on port UDP 1460 to respond to requests from this protocol. So, you could theoretically implement this after you find out where all your SSL servers are. :)

Wrong solution

Searching for certificates is the wrong way to handle this. I advise to simply make it a policy to not use any certificates for company use which are not maintained by you.

Kinda easy answer (depending on network config)

[itwerx]

1 - Use NMap to find all your SSL hosts.
2 - Sniff packets to/from those hosts (you're in a position to connect to them anyway I presume) and log all the connection handshakes.
3 - Process the logs to get a nice list of hosts and certs.

Repeat every couple of days for two or three weeks to catch dev servers and the like which might be offline periodically and voila'!

openssl sclient

[cnvogel]

Hi,

1.) nmap your network. Find https-servers (port 443), imaps, pop3s, ssmtp. Those should run ssl on connect.
1.b) find imap, pop3, smtp servers that support STARTTLS
1.c) use openssl s_client -showcerts -connect host:port to get the certificate
2.) ?
3.) Profit!

Chris

Done

[Permission+Denied]

I'd like my $10,000 in small unmarked bills.

nmap your_network_here -p 443 -oG - | awk '/443\/open/ {print $2;}' | while read i ; do
openssl s_client -showcerts -connect $i:443 < /dev/null 2>/dev/null | fgrep -v your_certficate_authority_here >/dev/null 2>&1 && echo $i
done

Two minutes, three lines of code, $10,000 - I'm undercharging my employer!

Seriously, though, don't run this without understanding each part. If you have a large network, split it up into separate commands using temp files. You'll probably want to add some code to check for self-signed certificates (assuming those aren't against your "corporate policy"). You'll also want to scan other ports running SSL directly, such as 995. Some services more commonly use STARTTLS in which case the openssl s_client won't work (LDAP v3, SMTP). For these services, you'll need to write a small network program linked to openssl that knows enough of the protocol to initiate STARTTLS and grab the certs. Overall, this is a half day of work at most for little programs to test all the STARTTLS possibilities.

I really have to question your company's judgment if they're willing to spend that much money on something so trivial. If you're large enough that rogue certificate servers actually pose a problem, you should definitely have some good *nix admin/network/systems programmer-types types who can do this for you.

Thanks guys (and gals - you never know...)

[flosofl]

Thanks people. MOST of the comments have helped point me in the direction we are probably gonna take with this.

I sent Tex this in email form earlier and thought I would let you guys know which way we're probably gonna go:

I was thinking about Nessus (it has an SSL plugin). It seems kinda noisy on the network (I haven't played with it enough). I think what we're gonna end up doing is having IT Security run nmap against our servers (about 2500+) and collate a list of SSL responses (https, ssmtp, etc..). Then set up a script to run the openssl s_client with the '-showcerts' option to get the certificate.

I wish there was a click-and-go solution, but ya can't have everything...

And, sorry, I can't hire contractors :) (and I'm sure not gonna pay $10,000 to write a small script - that money can go for other things - like air cannons!!)