Nmap Development mailing list archives
Re: [nse] ssl-cert: add support for Google Certificate Catalog
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 10 Sep 2011 12:56:15 -0500
On 9/10/2011 12:27 PM, Vasiliy Kulikov wrote:
Hi, The patch introduces support for Google Certificate Catalog: http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html "Google’s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. ... The basic idea is that if a certificate doesn’t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate." Index: scripts/ssl-cert.nse =================================================================== --- scripts/ssl-cert.nse (revision 26333) +++ scripts/ssl-cert.nse (working copy) @@ -200,6 +222,26 @@ lines[#lines + 1] = cert.pem end + if nmap.verbosity() > 0 then + local sha1 = stdnse.tohex(cert.digest(cert, "sha1")) + local query = sha1 .. ".certs.googlednstest.com" + stdnse.print_debug("%s %s", SCRIPT_NAME, query) + + local status, decoded_response = dns.query(query, { dtype = "TXT" } ) + + if status then + local a, b, c = string.match(status, "(%d+) (%d+) (%d+)") + local da, db = os.date("%x", 60*60*24*tonumber(a)), os.date("%x", 60*60*24*tonumber(b)) + + lines[#lines + 1] = "Google Certificate Catalog" + lines[#lines + 1] = " First/Last time saw: " .. da .. " / " .. db + lines[#lines + 1] = " Saw between: " .. tonumber(c) + else + lines[#lines + 1] = "Google Certificate Catalog" + lines[#lines + 1] = " Absent" + end + end + return stdnse.strjoin("\n", lines) end
While I realize that this script uses the host's dns mechanisms to perform the lookups, it does so for an atypical reason. If the patch is accepted should the script be added to the external category? Thanks, Tom _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [nse] ssl-cert: add support for Google Certificate Catalog Vasiliy Kulikov (Sep 10)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Tom Sellers (Sep 10)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Fyodor (Sep 10)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Vasiliy Kulikov (Sep 11)
- Message not available
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Vasiliy Kulikov (Sep 14)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Henri Doreau (Sep 16)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Vasiliy Kulikov (Sep 16)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Henri Doreau (Sep 16)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Henri Doreau (Sep 22)
- Re: [nse] ssl-cert: add support for Google Certificate Catalog Vasiliy Kulikov (Sep 11)