Nmap Development mailing list archives
[nse] ssl-cert: add support for Google Certificate Catalog
From: Vasiliy Kulikov <segooon () gmail com>
Date: Sat, 10 Sep 2011 21:27:41 +0400
Hi, The patch introduces support for Google Certificate Catalog: http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html "Google’s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. ... The basic idea is that if a certificate doesn’t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate." Index: scripts/ssl-cert.nse =================================================================== --- scripts/ssl-cert.nse (revision 26333) +++ scripts/ssl-cert.nse (working copy) @@ -200,6 +222,26 @@ lines[#lines + 1] = cert.pem end + if nmap.verbosity() > 0 then + local sha1 = stdnse.tohex(cert.digest(cert, "sha1")) + local query = sha1 .. ".certs.googlednstest.com" + stdnse.print_debug("%s %s", SCRIPT_NAME, query) + + local status, decoded_response = dns.query(query, { dtype = "TXT" } ) + + if status then + local a, b, c = string.match(status, "(%d+) (%d+) (%d+)") + local da, db = os.date("%x", 60*60*24*tonumber(a)), os.date("%x", 60*60*24*tonumber(b)) + + lines[#lines + 1] = "Google Certificate Catalog" + lines[#lines + 1] = " First/Last time saw: " .. da .. " / " .. db + lines[#lines + 1] = " Saw between: " .. tonumber(c) + else + lines[#lines + 1] = "Google Certificate Catalog" + lines[#lines + 1] = " Absent" + end + end + return stdnse.strjoin("\n", lines) end -- Vasiliy _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
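Review bot: In the `if status then` branch, `string.match(status, "(%d+) (%d+) (%d+)")` parses the first return value of `dns.query` rather than `decoded_response`, which is assigned and never used; the TXT text should be matched against `decoded_response`. The captures `a`, `b` and `c` are passed straight to `tonumber()` and multiplied with no nil check, so a TXT answer that does not fit the three-number pattern would raise an error instead of falling through to the "Absent" output; check the captures before using them. The lookup also sends the certificate's SHA-1 to certs.googlednstest.com whenever verbosity is above 0, which discloses the fingerprint to a third-party resolver path as a side effect of `-v`; an explicit script argument, documented in the script description, would make that an opt-in. Finally, the label "Saw between" for the third field does not say what the number counts, so a short comment or a clearer label is needed there.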