More and more online services (not only websites) have switched to SSL for a while and, if it increases end-user security, it is sometimes a pain for security peeps who have to perform investigations or controls (yes, it may happen also). During the last edition of BruCON, I collected certificates over the wire. It's easy to do via a tool like Bro, which has this feature built-in. To enable it, just change your local.bro configuration:

    # Log certs
    @load protocols/ssl/extract-certs-pem

Then reinstall the policies and restart Bro from broctl:

    # broctl
    Welcome to BroControl 1.4

    Type "help" for help.

    [BroControl] > install
    removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
    removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
    creating policy directories ... done.
    installing site policies ... done.
    generating standalone-layout.bro ... done.
    generating local-networks.bro ... done.
    generating broctl-config.bro ... done.
    updating nodes ... done.
    [BroControl] > status
    Name         Type         Host         Status    Pid    Peers  Started
    bro          standalone   localhost    running   4544   0      30 Nov 13:34:01
    [BroControl] > restart
    stopping ...
    stopping bro ...
    starting ...
    starting bro ...
    [BroControl] > exit
The new interesting log is called certs-remote.pem and will quickly be populated. The problem is that all certificates are stored in one big file. We can split them into number.pem files (1.pem, 2.pem, ...) using the following awk one-liner, which starts a new output file after every END CERTIFICATE line:

    $ awk 'BEGIN { n = 1 }
           split_after == 1 { close(n ".pem"); n++; split_after = 0 }
           /-----END CERTIFICATE-----/ { split_after = 1 }
           { print > (n ".pem") }' certs-remote.pem
From the traffic collected during BruCON, I extracted 3811 certificates. The next step is to extract the DNS names (subject alternative names) from them:

    $ for i in *.pem
      do
        openssl x509 -in "$i" -text -noout | grep DNS: | awk '{ print $1 }' | awk -F: '{ print $2 }' | sed 's/,$//'
      done | sort -u > domains.tmp
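Both steps above (splitting certs-remote.pem into one certificate per file, then pulling the DNS names out of each certificate), as an added Python example that is not the diary's own code and uses only the standard library. It goes a little further than the shell pipeline: it keeps every dNSName entry of a certificate's subjectAltName rather than only the first one on the openssl output line. Because there is no stdlib X.509 parser, the block walks the DER tree itself and looks for the Extension whose OID is 2.5.29.17. The certificates it runs on are constructed inside the block (certificate-shaped DER with a genuine subjectAltName extension but a dummy issuer, key and signature), so it runs offline; all function names are my own.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
SAN_OID = bytes.fromhex("551d11")   # DER body of OID 2.5.29.17 (subjectAltName)


def split_pem_bundle(bundle: bytes) -> list:
    """One PEM blob per BEGIN/END pair, like the awk split into N.pem files."""
    return [
        b"-----BEGIN CERTIFICATE-----\n" + m.group(1) + b"\n-----END CERTIFICATE-----\n"
        for m in PEM_RE.finditer(bundle)
    ]


def pem_to_der(pem: bytes) -> bytes:
    return base64.b64decode(b"".join(PEM_RE.search(pem).group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _find_extension(buf: bytes, oid: bytes):
    """Depth-first walk; return the extnValue of
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }."""
    for tag, value in _children(buf):
        if not tag & 0x20:                  # primitive element: nothing nested inside
            continue
        kids = list(_children(value))
        if tag == 0x30 and kids and kids[0] == (0x06, oid):
            return kids[-1][1]
        found = _find_extension(value, oid)
        if found is not None:
            return found
    return None


def san_dns_names(der: bytes) -> list:
    """All dNSName ([2] IMPLICIT IA5String) entries of subjectAltName, in order."""
    ext = _find_extension(der, SAN_OID)
    if ext is None:
        return []
    names = []
    for tag, general_names in _children(ext):      # GeneralNames ::= SEQUENCE OF GeneralName
        if tag != 0x30:
            continue
        for gn_tag, value in _children(general_names):
            if gn_tag == 0x82:                      # context tag [2] = dNSName
                names.append(value.decode("ascii"))
    return names


def unique_dns_names(bundle: bytes) -> list:
    """The diary's for-loop plus sort -u, but keeping every SAN of each certificate."""
    names = set()
    for pem in split_pem_bundle(bundle):
        names.update(san_dns_names(pem_to_der(pem)))
    return sorted(names)


# ---- constructed sample input so the block runs offline ------------------------------

def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_sample_cert_pem(dns_names) -> bytes:
    """Certificate-shaped DER with a real subjectAltName extension but dummy
    issuer/subject/key/signature. Constructed for this example; not a valid cert."""
    general_names = _tlv(0x30, b"".join(_tlv(0x82, n.encode()) for n in dns_names))
    san_ext = _tlv(0x30, _tlv(0x06, SAN_OID) + _tlv(0x04, general_names))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                                 # version v3
               + _tlv(0x02, b"\x01")                                            # serial
               + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
               + _tlv(0x30, b"")                                                # issuer (empty)
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
               + _tlv(0x30, b"")                                                # subject (empty)
               + _tlv(0x30, b"")                                                # spki (placeholder)
               + _tlv(0xA3, _tlv(0x30, san_ext)))                               # [3] extensions
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


SAMPLE_BUNDLE = (make_sample_cert_pem(["example.org", "*.example.org"])
                 + make_sample_cert_pem(["mail.example.net"]))

if __name__ == "__main__":
    for name in unique_dns_names(SAMPLE_BUNDLE):
        print(name)
```

To use it on a real capture, read certs-remote.pem as bytes and pass it to unique_dns_names(); the walker only relies on the DER structure of X.509, so it handles real certificates the same way. Wildcard entries such as *.example.org come out unchanged, which is why deduplicating the list (as the diary's sort -u does) still leaves wildcards beside the concrete hostnames they cover.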
The command above extracted 2139 unique names (FQDNs or wildcards) visited by BruCON attendees. Keeping an eye on SSL certificates can be interesting to track suspicious activity and also to passively keep an eye on which websites your users visit. Certificates also contain a lot of interesting information that could be useful during future investigations. Also have a look at the Passive SSL project supported by CIRCL.lu (the Luxembourg CERT).
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key