Last active
August 29, 2015 14:05
Search for host names in the X.509 subject alternative name (SAN) extension
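#!/bin/bash
#
# Collect the DNS names listed in the X.509 subjectAltName extension of the
# certificate each target presents on one TCP port, then resolve every name.
#
# Usage: cert_alt_names.sh <targets.file> <port> <logfile>
#   <targets.file>  nmap -iL input, one target per line
#   <port>          a single TCP port (1-65535)
#   <logfile>       alt names are APPENDED here; DNS answers are appended to
#                   <logfile>.records
#
# Counters are written to stderr; the name list and the records to stdout.
# The grepable nmap output is left in ./https.log.gnmap.
#
# Caveats for whoever reads the results:
#   * s_client connects by IP address and sends no SNI, so only the server's
#     default certificate is seen.
#   * The certificate is not validated. Every name in it is attacker-
#     controllable data and is pattern-checked before it reaches dig or the log.

set -u

usage() {
  printf 'Usage: %s <targets.file> <port> <logfile>\n' "$0" >&2
  exit 1
}

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Print the number of lines in file $1 (no padding, no file name).
count_lines() {
  wc -l < "$1" | tr -d '[:space:]'
}

# Return 0 when $1 looks like a DNS name (optionally a leading "*." wildcard).
# Anything else -- empty strings, whitespace, or values starting with '-', '+'
# or '@' that dig would read as options or a server -- is rejected.
is_dns_name() {
  local LC_ALL=C
  local name=$1
  local -r re='^(\*\.)?[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?\.?$'
  (( ${#name} >= 1 && ${#name} <= 253 )) || return 1
  [[ $name =~ $re ]]
}

# Pass through only well-formed names from stdin; report the rest on stderr
# in shell-quoted form so control characters never reach the terminal raw.
filter_dns_names() {
  local name
  while IFS= read -r name; do
    if is_dns_name "$name"; then
      printf '%s\n' "$name"
    else
      printf 'skipping malformed SAN entry: %q\n' "$name" >&2
    fi
  done
}

# Validate arguments before anything uses them; a usage error is a failure.
[[ $# -eq 3 ]] || usage

readonly TARGETS=$1
readonly PORT=$2
readonly OUTLOG=$3
readonly SCANLOG='https.log.gnmap'

[[ -f $TARGETS && -r $TARGETS ]] || die "cannot read targets file: $TARGETS"
if ! [[ $PORT =~ ^[0-9]{1,5}$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
  die "port must be a single integer in 1-65535: $PORT"
fi

for tool in nmap openssl dig; do
  command -v "$tool" > /dev/null || die "required tool not found: $tool"
done

# Scratch list of live hosts: unpredictable name, removed on every exit path.
HOSTLOG=$(mktemp) || die "mktemp failed"
readonly HOSTLOG
trap 'rm -f -- "$HOSTLOG"' EXIT

printf 'Target Hosts: %s\n' "$(count_lines "$TARGETS")" >&2
printf 'Target Port: %s\n' "$PORT" >&2

# A TCP connect scan (-sT) with no ping (-PN) and no DNS (-n) needs no raw
# sockets, so it runs without sudo and the log files stay owned by the user.
nmap -sT -p "$PORT" -n -PN -T4 --open -iL "$TARGETS" -oG "$SCANLOG" > /dev/null \
  || die "nmap scan failed"

# Select hosts by "<port>/open/tcp" rather than by nmap's guessed service
# name, which is only "https" for ports its services table maps that way.
awk -v port="$PORT" 'index($0, " " port "/open/tcp/") { print $2 }' \
  "$SCANLOG" > "$HOSTLOG"

printf 'Live HTTPS Hosts: %s\n' "$(count_lines "$HOSTLOG")" >&2
printf 'Outputting alt hosts to: %s\n' "$OUTLOG" >&2

# Extract Alt Names
# s_client reads stdin from /dev/null so it exits after the handshake and
# cannot consume the host list feeding the loop. Only DNS: entries are kept;
# IP Address:/URI: entries on the same line are not host names.
while IFS= read -r host; do
  [[ -n $host ]] || continue
  openssl s_client -connect "${host}:${PORT}" < /dev/null 2> /dev/null \
    | openssl x509 -noout -text 2> /dev/null \
    | grep -o 'DNS:[^,[:space:]]*' \
    | sed 's/^DNS://'
done < "$HOSTLOG" | filter_dns_names | sort -u >> "$OUTLOG"

printf 'Alternate Hosts: %s\n\n' "$(count_lines "$OUTLOG")" >&2

# Lookup associated host records
# The log may hold lines from earlier runs or hand edits, so each name is
# re-checked before it becomes a dig argument. Both A and AAAA are queried,
# matching the heading printed below.
while IFS= read -r name; do
  is_dns_name "$name" || continue
  records=$(dig +short "$name" A; dig +short "$name" AAAA)
  printf 'Records: %s\nHOSTNAME: %s\n\n' "$records" "$name"
done < "$OUTLOG" >> "${OUTLOG}.records"

cat -- "$OUTLOG"
printf '\nAssociated DNS Records (A AAAA)\n'
cat -- "${OUTLOG}.records"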
./cert_alt_names.sh
Usage: ./cert_alt_names.sh <targets.file>
./cert_alt_names.sh ./targets.txt 443 altnames.log
Target Hosts: 19
Target Port: 443
Live HTTPS Hosts: 7
Outputting alt hosts to: altnames.log
Alternate Hosts: 16
alt.test.com
sip.test.com
webmail.test.com
...