1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local ipOps = require "ipOps"
description = [[
Reports any private (RFC1918) IPv4 addresses found in the various fields of
an SSL service's certificate. These will only be reported if the target
address itself is not private. Nmap v7.30 or later is required.
]]
---
-- @usage
-- nmap -p 443 --script ssl-cert-intaddr <target>
--
-- @output
-- 443/tcp open https
-- | ssl-cert-intaddr:
-- | Subject commonName:
-- | 10.5.5.5
-- | Subject organizationName:
-- | 10.0.2.1
-- | 10.0.2.2
-- | Issuer emailAddress:
-- | 10.6.6.6
-- | X509v3 Subject Alternative Name:
-- |_ 10.3.4.5
--
--@xmloutput
-- <table key="X509v3 Subject Alternative Name">
-- <elem>10.3.4.5</elem>
-- </table>
--
-- @see http-internal-ip-disclosure.nse
-- @see ssl-cert.nse
author = "Steve Benson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "discovery", "safe"}
dependencies = {"https-redirect"}
-- only run this script if the target host is NOT a private (RFC1918) IP address)
-- and the port is an open SSL service
portrule = function(host, port)
if ipOps.isPrivate(host.ip) then
stdnse.debug1("%s is a private address - skipping.", host.ip)
return false
else
-- same criteria as ssl-cert.nse
return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
end
-- extracts any valid private (RFC1918) IPv4 addresses from any given string
-- returns a table containing them or nil if there were none found
local extractPrivateIPv4Addr = function(s)
stdnse.debug2(" extractIPv4Addr: %s", s)
local addrs = {}
string.gsub(s, "%f[%d][12]?%d?%d%.[12]?%d?%d%.[12]?%d?%d%.[12]?%d?%d%f[^%d]",
function(match)
stdnse.debug2(" pattern match: %s", match)
if ipOps.isPrivate(match) then
stdnse.debug2(" is private (HIT): %s", match)
addrs[#addrs + 1] = match
end
end)
if #addrs>0 then
return addrs
else
return nil
end
end
-- search the Subject or Issuer fields for leaked private IP addresses
local searchCertField = function(certField, certFieldName)
local k,v
local leaks = stdnse.output_table()
if certField then
for k,v in pairs(certField) do
-- if the name of this X509 field is numeric object identifier
-- (i.e. "1.2.33.4..")
if type(k)=="table" then
k = table.concat(k, ".")
end
stdnse.debug2("search %s %s", certFieldName, k)
leaks[certFieldName.." "..k] = extractPrivateIPv4Addr(v)
end
end
return leaks
end
-- search the X509v3 extensions for leaked private IP addresses
local searchCertExtensions = function(cert)
if not cert.extensions then
stdnse.debug1("X509v3 extensions not present in certificate or the extensions are not supported by this nmap version (7.30 or later needed)")
return {}
end
local exti, ext, _
local leaks = stdnse.output_table()
for _ ,ext in pairs(cert.extensions) do
if ext.value then
stdnse.debug2("search ext %s", ext.name)
leaks[ext.name] = extractPrivateIPv4Addr(ext.value)
else
stdnse.debug2("nosearch nil ext: %s", ext.name)
end
end
return leaks
end
action = function(host, port)
local ok, cert = sslcert.getCertificate(host, port)
if not ok then
stdnse.debug1("failed to obtain SSL certificate")
return nil
end
local leaks = stdnse.output_table()
for k,v in pairs(searchCertField(cert.subject, "Subject")) do
leaks[k] = v
end
for k,v in pairs(searchCertField(cert.issuer, "Issuer")) do
leaks[k] = v
end
for k,v in pairs(searchCertExtensions(cert)) do
leaks[k] = v
end
if #leaks > 0 then
return leaks
else
return nil
end
end
|
