SSL Certs Scanner

SSL Certs Scanner (ssl-scan.pl) is a useful and quite handy tool that gives you detailed information about all the SSL certificates being used in your company. The script is written in Perl and uses openssl, nmap, and multithreading to scan networks quickly and efficiently.

How the script works:

  1. It scans user-defined networks to find open ports on which a TLS/SSL-capable service may be listening. The script runs multiple nmap instances in parallel to do so, for example:
    nmap -Pn --min-hostgroup 64 --host-timeout 60s --max-retries 3 --open -oX - -p 443,636,989,990,992,993-995,5061,8443-8450,9443-9450,9990 192.168.100.0/24 10.100.100.5/32
  2. After getting the list of open ports (in the format Location:IP address:port), the script tries to retrieve all public certificates from the discovered targets by calling multiple instances of openssl:
    echo | timeout 20 openssl s_client -showcerts -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -noout -subject_hash -issuer_hash -text
  3. Downloaded and decoded certificates go through regex parsers that extract their details and run the compliance checks.
  4. The last step is to generate HTML reports and email them to the user-defined recipients.
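The four steps above, reduced to a runnable bash sketch. This is an added example, not code from ssl-scan.pl: stage 1 turns "nmap -oX -" output into the Location:IP:port list, and stages 2 and 3 parse "openssl x509 -text" output with regular expressions and apply two of the checks the report covers (expiry within expiring_warn_days, and a Subject CN that is missing from the SAN list). Both inputs are constructed inline so it runs without a network; the location name DC1, the addresses and the certificate fields are made-up sample values, and the ";"-separated output record is this example's own format, not the script's HTML report.

```shell
#!/usr/bin/env bash
# Added example, not part of ssl-scan.pl: the scanner's pipeline re-created on
# constructed inputs so it runs offline. Location "DC1", the IPs and the
# certificate below are made-up sample values.
set -u

EXPIRING_WARN_DAYS=60   # same default as the script's expiring_warn_days

# Constructed "nmap -oX -" output for one location (what step 1 would collect).
NMAP_XML='<?xml version="1.0"?>
<nmaprun>
<host><status state="up"/>
<address addr="192.168.100.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/></port>
</ports></host>
<host><status state="up"/>
<address addr="192.168.100.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="636"><state state="open" reason="syn-ack"/></port>
</ports></host>
</nmaprun>'

# Constructed "openssl x509 -noout -text" output for one target (what step 2
# would fetch). The CN is deliberately absent from the SAN list.
CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example CA, CN = Example Issuing CA
        Validity
            Not Before: Jan  1 00:00:00 2026 GMT
            Not After : Mar 25 14:30:45 2028 GMT
        Subject: C = US, O = Example Corp, CN = intranet.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com'

# Step 1: read nmap XML on stdin, print "Location:IP:port" for each open port.
# nmap writes each <address> and <port> element on its own line.
nmap_open_ports() {   # usage: nmap_open_ports LOCATION < nmap.xml
  awk -v loc="$1" '
    /<address / && /addrtype="ipv4"/ {
      if (match($0, /addr="[^"]+"/)) ip = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /<port / && /state="open"/ {
      if (match($0, /portid="[0-9]+"/)) print loc ":" ip ":" substr($0, RSTART + 8, RLENGTH - 9)
    }'
}

# Whole days from NOW to NOT_AFTER, both in the "Mar 25 14:30:45 2028 GMT" form
# that openssl prints; uses a civil-date formula instead of date(1) so it does
# not depend on GNU date.
days_until() {   # usage: days_until NOT_AFTER NOW
  awk -v a="$1" -v b="$2" '
    function days(s,   f, m, y, era, yoe, doy) {   # days since 1970-01-01
      split(s, f, " ")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
      y = f[4] - (m <= 2)
      era = int((y >= 0 ? y : y - 399) / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + f[2] - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    BEGIN { print days(a) - days(b) }'
}

# Step 3: regex-extract the fields from certificate text on stdin and flag the
# two conditions; prints one ";"-separated record (this example's own format).
check_cert() {   # usage: check_cert "Location:IP:port" NOW < cert.txt
  local target=$1 now=$2 text cn issuer not_after sans days status
  text=$(cat)
  cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,]*\).*/\1/p' | head -n 1)
  issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p' | head -n 1)
  not_after=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p' | head -n 1)
  # SAN entries sit on the line after the extension header.
  sans=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print }' \
         | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ')
  days=$(days_until "$not_after" "$now")
  status=OK
  if [ "$days" -lt 0 ]; then status=EXPIRED
  elif [ "$days" -le "$EXPIRING_WARN_DAYS" ]; then status=EXPIRING
  fi
  case " $sans " in
    *" $cn "*) ;;                         # CN also listed as a SAN: fine
    *) status="$status,CN_NOT_IN_SAN" ;;  # modern browsers ignore CN, so this name will not validate
  esac
  printf '%s;%s;%s;%s;%s;%s\n' "$target" "$cn" "$issuer" "$not_after" "$days" "$status"
}

# Demo: step 1 on the sample XML, then steps 2-3 on one target with a fixed "now".
printf '%s\n' "$NMAP_XML" | nmap_open_ports DC1
printf '%s\n' "$CERT_TEXT" | check_cert "DC1:192.168.100.10:443" "Feb  1 00:00:00 2028 GMT"
```

In the real script the "now" value is the current time and the certificate text comes from the openssl command shown in step 2; feeding a fixed date and a canned certificate, as here, is the easiest way to unit-test the parsing and the threshold logic before pointing the scanner at a live network.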

Install & Configure

Name: SSL Certs Scanner
Version: 0.2 (check for the latest version)
Language: Perl
Platform: Linux (should also work on Windows but has not been tested)
Requirements: Perl libraries: Thread::Queue, Date::Manip, Nmap::Parser, MIME::Lite. Utilities: openssl, nmap
Download

Install libraries on CentOS:

yum -y install epel-release
yum -y install nmap perl-Nmap-Parser perl-MIME-Lite perl-Date-Manip

Install libraries on Debian:

apt-get -y install nmap libnmap-parser-perl libmime-lite-perl libdate-manip-perl

Download and install:

wget https://svelab.com/download/ssl-scan.zip -O /tmp/ssl-scan.zip
mkdir -p /root/scripts
unzip /tmp/ssl-scan.zip -d /root/scripts/
rm -f /tmp/ssl-scan.zip
chmod +x /root/scripts/ssl-scan.pl
exit

Configurable user variables in the script:

Variable | Default value | Description
threads_nmap | 32 | Number of simultaneously running nmap instances used to get the list of available hosts and open ports (to prepare the list of potential SSL services to be checked)
threads_openssl | 64 | Number of simultaneously running openssl instances against discovered SSL services (you need ~10MB of free RAM per thread)
nmap_host_timeout | 60s | Value for the --host-timeout parameter of Nmap (see Nmap: Timing and Performance)
nmap_min_hostgroup | 64 | Value for the --min-hostgroup parameter of Nmap (see Nmap: Timing and Performance)
nmap_max_retries | 3 | Value for the --max-retries parameter of Nmap (see Nmap: Timing and Performance)
ssl_ports | 443, 636, 989, 990, 992, 993-995, 5061, 8443-8450, 9443-9450, 9990 | Set of ports to be scanned by Nmap
ssl_timeout | 20 | How long (in seconds) openssl waits for a response from a target host when retrieving its certificate
workdir | /root/ssl-scan-reports | Working directory for storing the final HTML reports
prefix | certs | Prefix for HTML reports, for example certs_broken.html
email_send | 1 | Whether to send the final reports via email: 1 = on, 0 = off
email_from | ssl-scan@toolbox.example.local | Email header field 'From:'
email_rcpt | admin@example.com | Generated reports are emailed to these recipients
email_cc | (blank) | Carbon copy (other recipients)
email_server | localhost | SMTP server used for sending emails
email_user | (blank) | SMTP authentication (if required): username
email_pass | (blank) | SMTP authentication (if required): password
email_footer | <a href="https://toolbox">Toolbox</a> | Custom HTML code added to the footer of the email carrying the HTML reports
expiring_warn_days | 60 | Number of days before the end of a certificate's validity at which it is marked as expiring
networks | (inside the script) | Set of locations and networks to be scanned; replace with your own values

You should take into account:

  • openssl instances consume a lot of memory (~10MB per thread), so be careful if you want to increase the number of threads, otherwise you may run into the OOM killer, as shown below:
    Mar 25 14:30:45 lm-centos7 kernel: Out of memory: Kill process 4348 (ssl-scan.pl) score 793 or sacrifice child
    Mar 25 14:30:45 lm-centos7 kernel: Killed process 4348 (ssl-scan.pl) total-vm:6938448kB, anon-rss:1658344kB, file-rss:0kB, shmem-rss:0kB
    
  • You can significantly reduce the time required to perform a scan by decreasing nmap_host_timeout and nmap_max_retries, but at the cost of reduced accuracy in the services discovered on the networks.

Usage

Execute in the CLI:

root@svelab:/root/scripts# ./ssl-scan.pl

Screenshots:

  • Output of the script during scanning
  • Email with reports
  • Sample report (certificates with x509 SAN issues)

To monitor what the script is doing in real time:

root@svelab:~# watch -n1 'ps aux | grep -E "(openssl|nmap)" | grep -v -E "(grep|sh )"'

See also

Coming soon:
SSL Certs Generator (CLI)
Test Website’s Certificate and Configuration

Contact us

Please feel free to contact us if you have any questions or suggestions. Post a comment below if you want to report a bug.

Published March 22nd, 2018 (last updated 2018-04-28). Categories: Audit, Linux, Monitoring, Scripts, Security, Tools.