Detect SSL Certificates in Nmap


Introduction

In this lab, you will learn how to detect SSL certificates using Nmap's ssl-cert script. The lab guides you through scanning IP addresses and domain names to retrieve and display SSL/TLS certificate information, including the subject, issuer, and validity period.

You'll execute commands like nmap --script ssl-cert 192.168.1.1 and nmap --script ssl-cert scanme.nmap.org in the Xfce terminal, exploring options for specifying ports, increasing verbosity, and saving results to a file. Finally, you'll review the certificate details and compare them with service detection results.



Run SSL cert scan with nmap --script ssl-cert 192.168.1.1

In this step, we will use Nmap to perform an SSL certificate scan on a specified IP address. Nmap is a powerful network scanning tool, and its scripting engine allows us to extend its functionality. The ssl-cert script is designed to retrieve and display information about SSL/TLS certificates from a target server.

First, let's understand the basic command structure:

nmap --script ssl-cert <target_ip>

Here, <target_ip> is the IP address of the server you want to scan. In this case, we'll be scanning the IP address 192.168.1.1.

Now, open your Xfce terminal. Ensure you are in the ~/project directory. If not, navigate to it using the cd command:

cd ~/project

Next, execute the following command to run the SSL certificate scan:

sudo nmap --script ssl-cert 192.168.1.1

You might be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

Note: 192.168.1.1 is a private IP address and may not be reachable from your current network configuration. If there is no server at that address, the scan might return no results or might time out. For testing purposes, you can use a public host that you know presents an SSL certificate, such as scanme.nmap.org or 8.8.8.8.

Let's try scanning scanme.nmap.org instead:

sudo nmap --script ssl-cert scanme.nmap.org

This command will attempt to connect to scanme.nmap.org and retrieve its SSL certificate information. The output will display details such as the certificate's subject, issuer, validity period, and any Subject Alternative Names (SANs).

Example output (the actual output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.031s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f

PORT   STATE SERVICE
22/tcp open  ssh
| ssl-cert: Subject: commonName=scanme.nmap.org
| Issuer: commonName=Let's Encrypt Authority X3
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-18T14:23:03+00:00
| Not valid after:  2020-06-16T14:23:03+00:00
| MD5:   ...
| SHA1:  ...
| -----BEGIN CERTIFICATE-----
| ...
| -----END CERTIFICATE-----

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds

This output shows the SSL certificate details for scanme.nmap.org, including the subject, issuer, and validity dates.

Scan port 443 with nmap --script ssl-cert -p 443 127.0.0.1

In this step, we will focus on scanning a specific port, 443, using Nmap and the ssl-cert script. Port 443 is the standard port for HTTPS (Hypertext Transfer Protocol Secure) traffic, which is used for secure communication over the internet. By specifying the port, we can narrow down the scan and retrieve SSL certificate information specifically for services running on that port.

The command we'll be using is:

nmap --script ssl-cert -p 443 127.0.0.1

Let's break down this command:

  • nmap: The Nmap command-line scanner.
  • --script ssl-cert: Specifies that we want to use the ssl-cert script to retrieve SSL certificate information.
  • -p 443: This option tells Nmap to only scan port 443.
  • 127.0.0.1: This is the loopback address, also known as localhost. It refers to your own machine.

Now, open your Xfce terminal and make sure you are in the ~/project directory:

cd ~/project

Execute the following command to scan port 443 on localhost:

sudo nmap --script ssl-cert -p 443 127.0.0.1

Since 127.0.0.1 refers to your own machine, this command will attempt to retrieve the SSL certificate from any service running on port 443 on your LabEx VM. If there's no service listening on port 443, Nmap will report that the port is closed.

If you have a web server or other service configured to use HTTPS on your LabEx VM, you should see output similar to the following (the actual output will vary depending on the certificate and server configuration):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000086s latency).

PORT    STATE SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

In this example, the output shows that port 443 is closed, meaning that no service is listening on that port on localhost. If a service were running, the output would include the SSL certificate details, similar to the previous step.

If you want to test this command against a server that you know has HTTPS enabled on port 443, you can replace 127.0.0.1 with the IP address or domain name of that server. For example:

sudo nmap --script ssl-cert -p 443 scanme.nmap.org

This will scan port 443 on scanme.nmap.org and retrieve its SSL certificate information.

Add verbosity with nmap -v --script ssl-cert 192.168.1.1

In this step, we will add verbosity to our Nmap command. Verbosity in Nmap means increasing the amount of information displayed during the scan. This can be helpful for understanding what Nmap is doing and for troubleshooting any issues. The -v option increases the verbosity level. Using -v multiple times (e.g., -vv or -vvv) increases the verbosity even further.

The command we'll be using is:

nmap -v --script ssl-cert 192.168.1.1

Let's break down this command:

  • nmap: The Nmap command-line scanner.
  • -v: This option increases the verbosity level, providing more detailed output.
  • --script ssl-cert: Specifies that we want to use the ssl-cert script to retrieve SSL certificate information.
  • 192.168.1.1: This is the target IP address.

Now, open your Xfce terminal and make sure you are in the ~/project directory:

cd ~/project

Execute the following command to run the SSL certificate scan with verbosity:

sudo nmap -v --script ssl-cert 192.168.1.1

As mentioned before, 192.168.1.1 is a private IP address and may not be accessible. If you don't have a server at that address, the scan might not return any results or might time out. For testing purposes, you can use a public IP address that you know has an SSL certificate, such as scanme.nmap.org.

Let's try scanning scanme.nmap.org with verbosity:

sudo nmap -v --script ssl-cert scanme.nmap.org

The output will now include more information about the scan process, such as the different phases Nmap goes through, the ports it's probing, and any errors or warnings that occur.

Example output (the actual output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
NSE: Loaded 1 script for scanning.
Initiating Ping Scan at 10:00
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 10:00, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:00
Completed Parallel DNS resolution of 1 host. at 10:00, 0.01s elapsed
Initiating Connect Scan at 10:00
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Completed Connect Scan at 10:00, 2.15s elapsed (1000 total ports)
NSE: Script scanning scanme.nmap.org (45.33.32.156)
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:00
Completed NSE at 10:00, 0.02s elapsed
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.031s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f

PORT   STATE SERVICE
22/tcp open  ssh
| ssl-cert: Subject: commonName=scanme.nmap.org
| Issuer: commonName=Let's Encrypt Authority X3
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-18T14:23:03+00:00
| Not valid after:  2020-06-16T14:23:03+00:00
| MD5:   ...
| SHA1:  ...
| -----BEGIN CERTIFICATE-----
| ...
| -----END CERTIFICATE-----

NSE: Script Post-scanning.
Initiating NSE at 10:00
Completed NSE at 10:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds

Notice the additional information about the scan process, such as "Initiating Ping Scan," "Completed Connect Scan," and "NSE: Script scanning." This extra detail can be useful for understanding how Nmap works and for diagnosing any problems.

Save SSL results with nmap --script ssl-cert -oN ssl.txt 127.0.0.1

In this step, we will learn how to save the results of our Nmap scan to a file. This is useful for later analysis or for sharing the results with others. Nmap provides several options for saving output in different formats. The -oN option saves the output in a "normal" human-readable format.

The command we'll be using is:

nmap --script ssl-cert -oN ssl.txt 127.0.0.1

Let's break down this command:

  • nmap: The Nmap command-line scanner.
  • --script ssl-cert: Specifies that we want to use the ssl-cert script to retrieve SSL certificate information.
  • -oN ssl.txt: This option tells Nmap to save the output in normal format to a file named ssl.txt.
  • 127.0.0.1: This is the target IP address (localhost).

Now, open your Xfce terminal and make sure you are in the ~/project directory:

cd ~/project

Execute the following command to run the SSL certificate scan and save the results to ssl.txt:

sudo nmap --script ssl-cert -oN ssl.txt 127.0.0.1

After the scan completes, you will find a file named ssl.txt in your ~/project directory. This file contains the output of the Nmap scan, including the SSL certificate information (if any) for the target.

To verify that the file was created and contains the scan results, you can use the cat command to display the contents of the file:

cat ssl.txt

If a service with an SSL certificate is running on 127.0.0.1, you will see the certificate details in the output. If no service is running, the file will contain information about the scan, but no certificate details.

For example, if port 443 is closed, the ssl.txt file might contain:

## Nmap 7.80 scan initiated Tue Oct 27 10:00:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000086s latency).
PORT    STATE SERVICE
443/tcp closed https
## Nmap done at Tue Oct 27 10:00:00 2023 -- 1 IP address (1 host up) scanned in 0.07 seconds

If you want to scan a different target and save the results, simply replace 127.0.0.1 with the desired IP address or domain name. For example:

sudo nmap --script ssl-cert -oN ssl.txt scanme.nmap.org

This will scan scanme.nmap.org and save the results to ssl.txt. Remember to check the contents of ssl.txt using cat ssl.txt to confirm the scan results.

Review certificate details in Xfce terminal

In this step, we will review the SSL certificate details that we saved in the ssl.txt file in the previous step. We will use the cat command to display the contents of the file in the Xfce terminal and then examine the certificate information.

First, ensure you are in the ~/project directory:

cd ~/project

Now, use the cat command to display the contents of the ssl.txt file:

cat ssl.txt

The output will show the Nmap scan results, including the SSL certificate details if a service with an SSL certificate was found on the target.

Let's analyze the output. The important parts of the SSL certificate information typically include:

  • Subject: This field contains the domain name or entity that the certificate is issued to. Look for the commonName (CN) attribute within the Subject field.
  • Issuer: This field identifies the Certificate Authority (CA) that issued the certificate. Again, look for the commonName (CN) attribute.
  • Public Key type: Indicates the type of public key algorithm used (e.g., RSA, DSA, ECDSA).
  • Public Key bits: Specifies the key size in bits (e.g., 2048, 4096). Larger key sizes generally provide stronger security.
  • Signature Algorithm: Indicates the algorithm used to sign the certificate (e.g., sha256WithRSAEncryption).
  • Not valid before: The date and time when the certificate becomes valid.
  • Not valid after: The date and time when the certificate expires. It's crucial to ensure certificates are not expired.
  • MD5/SHA1: These are the certificate's fingerprints, hashes computed over the encoded certificate and used to identify it. MD5 is considered weak and SHA1 is also being phased out; SHA256 or higher is preferred.
  • -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----: This is the actual encoded certificate data in PEM format.

For example, if you scanned scanme.nmap.org and saved the output to ssl.txt, the relevant part of the output might look like this:

PORT   STATE SERVICE
22/tcp open  ssh
| ssl-cert: Subject: commonName=scanme.nmap.org
| Issuer: commonName=Let's Encrypt Authority X3
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-18T14:23:03+00:00
| Not valid after:  2020-06-16T14:23:03+00:00
| MD5:   ...
| SHA1:  ...
| -----BEGIN CERTIFICATE-----
| ...
| -----END CERTIFICATE-----

In this example, you can see that the certificate is for scanme.nmap.org, was issued by Let's Encrypt Authority X3, uses a 2048-bit RSA key, and is signed with sha256WithRSAEncryption (SHA-256 with RSA), and that its validity window ran from 2020-03-18 to 2020-06-16.

By reviewing these details, you can gain insights into the security and validity of the SSL certificate used by the target service.

If you scanned 127.0.0.1 and no SSL service was running, the ssl.txt file will not contain the detailed certificate information. In that case, you might want to install a simple web server with SSL enabled (outside the scope of this lab) to generate a certificate for testing.

Compare with service detection in Xfce terminal

In this step, we will compare the SSL certificate information we obtained with Nmap's service detection capabilities. This allows us to verify if the detected service matches the certificate details and identify any potential discrepancies.

First, let's run a standard Nmap service detection scan on the target. We'll use 127.0.0.1 as the target for this example. Make sure you are in the ~/project directory:

cd ~/project

Execute the following command:

sudo nmap -sV 127.0.0.1

The -sV option enables service version detection. Nmap will attempt to determine the service running on each open port.

The output will show the open ports and the detected service. For example:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
443/tcp open  ssl/http  ## Example: If a web server with SSL is running

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

Now, compare the service detection results with the SSL certificate details you reviewed in the previous step (from the ssl.txt file).

For example, if Nmap's service detection identifies port 443 as running ssl/http and the SSL certificate's Subject commonName matches the domain name associated with the web server, then the service detection and certificate details align.

However, if there's a mismatch, it could indicate a potential issue:

  • Incorrect Service Identification: Nmap might misidentify the service running on a port.
  • Misconfigured Certificate: The certificate might be issued for a different domain name than the one being served.
  • Man-in-the-Middle Attack: An attacker might be intercepting the connection and presenting a different certificate.

To further investigate discrepancies, you can use more specific Nmap scripts or tools like openssl to examine the certificate directly.

For example, if the service detection shows http on port 443 but the SSL certificate is for a different domain, it's a red flag. This could indicate a misconfiguration or a potential attack.

In summary, comparing Nmap's service detection with SSL certificate details helps you verify the integrity and security of the services running on a target.
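The review checklist above and the certificate-versus-hostname comparison from this step can be automated against a report saved with -oN. The following bash script is an added example, not part of this lab: it parses the ssl-cert block under each port, checks that the commonName matches the expected hostname (exact or single-label wildcard), that the certificate is still valid at a reference time you pass in, and that the key size and signature algorithm are not weak. The sample report, the 8443 certificate and the reference time are constructed inputs; only awk is required.

```bash
# Added example (not the lab's own code): post-process a saved "nmap --script ssl-cert -oN" report.
# Writes a constructed sample report to $1, modelled on the lab's listing, plus a
# deliberately weak second certificate on 8443 so every check is exercised.
write_sample_report() {
  cat > "$1" <<'EOF'
Nmap scan report for scanme.nmap.org (45.33.32.156)
PORT     STATE SERVICE
443/tcp  open  https
| ssl-cert: Subject: commonName=scanme.nmap.org
| Issuer: commonName=Let's Encrypt Authority X3
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid after:  2020-06-16T14:23:03+00:00
8443/tcp open  https-alt
| ssl-cert: Subject: commonName=*.nmap.org/organizationName=Constructed Example
| Issuer: commonName=Constructed Example CA
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid after:  2030-01-01T00:00:00+00:00
EOF
}

# check_ssl_report <report> <expected-hostname> <now as ISO 8601 with +00:00 offset>
# Prints one tab-separated verdict line per certificate; returns 1 if any check failed.
# Timestamps compare as plain strings: nmap prints them fixed-width with the same offset.
check_ssl_report() {
  awk -v host="$2" -v now="$3" '
    function hostmatch(cn, h,    suf, n) {        # exact match or single-label wildcard
      if (cn == h) return 1
      if (substr(cn, 1, 2) != "*.") return 0
      suf = substr(cn, 2); n = length(h) - length(suf)
      return n > 0 && substr(h, n + 1) == suf && index(substr(h, 1, n), ".") == 0
    }
    function flush(    line) {                    # emit verdicts for the current port
      if (cn == "") return
      line = port "\t" cn
      if (hostmatch(cn, host)) line = line "\tname-ok"; else { line = line "\tNAME-MISMATCH"; bad = 1 }
      if (notafter > now)      line = line "\tvalid";   else { line = line "\tEXPIRED";       bad = 1 }
      if (bits + 0 >= 2048)    line = line "\tkey-ok";  else { line = line "\tWEAK-KEY";      bad = 1 }
      if (sig ~ /^(md5|sha1)/) { line = line "\tWEAK-SIG"; bad = 1 } else line = line "\tsig-ok"
      print line; cn = ""
    }
    /^[0-9]+\/tcp/            { flush(); port = $1; bits = ""; sig = ""; notafter = "" }
    /\| ssl-cert: Subject:/   { sub(/.*commonName=/, ""); cn = $0; sub(/\/.*/, "", cn) }
    /\| Public Key bits:/     { bits = $NF }
    /\| Signature Algorithm:/ { sig = tolower($NF) }
    /\| Not valid after:/     { notafter = $NF }
    END { flush(); exit bad + 0 }
  ' "$1"
}

# Demo: on the lab date the scanme certificate is expired and the 8443 one is weak.
report=$(mktemp)
write_sample_report "$report"
check_ssl_report "$report" scanme.nmap.org 2023-10-27T10:00:00+00:00 || echo "review: at least one check failed"
rm -f "$report"
```

Point it at your own ssl.txt (for example `check_ssl_report ssl.txt scanme.nmap.org "$(date -u +%Y-%m-%dT%H:%M:%S+00:00)"`) to get the same verdicts for a real scan; uppercase tokens mark the findings worth investigating with openssl.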

Summary

In this lab, we used Nmap with the ssl-cert script to scan and retrieve SSL/TLS certificate information from target servers. We learned how to execute the basic command nmap --script ssl-cert <target_ip> to scan a specific IP address, and addressed potential issues with private IP addresses by using a public address like scanme.nmap.org for testing.

We also practiced running the scan using sudo and observed the output, which includes details such as the certificate's subject, issuer, and validity period. This provides a foundation for further exploration of Nmap's capabilities in SSL certificate analysis.