Nmap Development mailing list archives

Re: ssl-cert.nse


From: David Fifield <david () bamsoftware com>
Date: Fri, 2 Apr 2010 14:44:13 -0600

On Fri, Apr 02, 2010 at 02:40:03PM -0500, Norris Carden wrote:
> I'm looking for a way to determine if a SSL proxy is in place between a
> system and the web server.
> 
> I believe the Bluecoat proxy replaces the server SSL certificate with an
> internal corporate one, but there are man-in-the-middle techniques that
> forge a certificate practically identical to the one from the server.
> 
> Can you think of a way this ssl-cert.nse could be used to determine if
> the certificate is coming from the same address as the web server? Might
> this also be able to determine if the host side is using a SSL proxy? Is
> there another script or method that will accomplish this?

If you're connecting to external sites (so that an SSL proxy would not
have the private key and would not be able to forge a certificate) you
can check if the certificate verifies with Ncat.

$ ncat -v --ssl-verify site.com 443
...
Ncat: Certificate verification failed (unable to get local issuer certificate).

Depending on what platform you're on, Ncat might be using the system
default trust store, which on a company computer might have the Blue
Coat certificate trusted. You can force the use of the Ncat-supplied
one (which is the same as what comes with Internet Explorer) with
--ssl-trustfile.

$ ncat -v --ssl-verify site.com 443 --ssl-trustfile /usr/local/share/ncat/ca-bundle.crt
Or on Windows:
$ ncat -v --ssl-verify site.com 443 --ssl-trustfile "C:\Program Files\Nmap\ca-bundle.crt"

Running Ncat with -vvv will give lots of certificate information, and
will show you exactly where trusted certificates are being loaded from:

NCAT DEBUG: Using trusted CA certificates from /usr/share/ncat/ca-bundle.crt.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
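
A shell wrapper around the check described in the message above, added here as an example (it is not code from the thread or from the Nmap project). It runs ncat with --ssl-verify against the Ncat-supplied bundle and then classifies the -vvv transcript, keying only on the two messages quoted in the thread: "Certificate verification failed" and the "NCAT DEBUG: Using trusted CA certificates from" line. The second one matters because a passing verification means little if ncat silently loaded a system trust store that already contains the interception proxy's root. Assumptions that are not from the original message: ncat is on PATH, the bundle path defaults to the one given in the thread (override with NCAT_BUNDLE), and the target answers an HTTP/1.0 HEAD request and closes the socket so ncat returns. The transcripts used at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the nmap-dev thread or the Nmap project.
# Verify a site's certificate with Ncat against the Ncat-supplied CA
# bundle rather than the system trust store, so that an interception
# proxy's root CA installed on the workstation cannot make a forged
# certificate look valid, then turn Ncat's -vvv output into a verdict.

# Ncat-supplied bundle (path from the thread; assumption: it lives there).
NCAT_BUNDLE="${NCAT_BUNDLE:-/usr/local/share/ncat/ca-bundle.crt}"

# classify_ncat_output TRANSCRIPT EXIT_STATUS
# TRANSCRIPT is everything `ncat -vvv --ssl-verify ...` wrote (stderr
# included), EXIT_STATUS is ncat's exit code. Prints exactly one verdict:
#   forged-or-untrusted  verification failed: the chain does not end in a
#                        CA from the bundle we asked for (possible MITM)
#   system-store         ncat loaded CAs from somewhere other than
#                        NCAT_BUNDLE, so "trusted" would prove nothing
#   trusted              verification passed against NCAT_BUNDLE
#   no-connection        ncat never got as far as loading CAs / handshaking
classify_ncat_output() {
    transcript=$1
    status=$2

    # The failure message quoted in the thread wins over everything else.
    case $transcript in
        *"Certificate verification failed"*)
            echo forged-or-untrusted
            return 0 ;;
    esac

    # -vvv logs where trusted CAs came from; insist that it was our bundle.
    loaded=$(printf '%s\n' "$transcript" \
        | sed -n 's/^NCAT DEBUG: Using trusted CA certificates from \(.*\)\.$/\1/p')
    if [ -z "$loaded" ]; then
        echo no-connection
        return 0
    fi
    if [ "$loaded" != "$NCAT_BUNDLE" ]; then
        echo system-store
        return 0
    fi
    if [ "$status" -eq 0 ]; then
        echo trusted
    else
        echo no-connection
    fi
}

# check_host HOST [PORT]: live check of one site, prints the verdict.
check_host() {
    host=$1
    port=${2:-443}
    # An HTTP/1.0 HEAD makes the server close the socket after replying,
    # so ncat exits instead of waiting on a closed stdin.
    out=$(printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
        | ncat -vvv --ssl-verify --ssl-trustfile "$NCAT_BUNDLE" "$host" "$port" 2>&1)
    classify_ncat_output "$out" $?
}

# Constructed transcripts (not real captures) showing the verdicts offline;
# run `check_host site.com` for a live check.
sample_failed="NCAT DEBUG: Using trusted CA certificates from $NCAT_BUNDLE.
Ncat: Certificate verification failed (unable to get local issuer certificate)."
sample_system="NCAT DEBUG: Using trusted CA certificates from /etc/ssl/certs/ca-certificates.crt."
classify_ncat_output "$sample_failed" 1
classify_ncat_output "$sample_system" 0
```

The system-store verdict is the one that is easy to miss: on a corporate desktop the default store may already trust the proxy's CA, so only a pass against the bundle you chose yourself says anything about interception.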