
SANS ISC Internet Storm Center

Tracking SSL Certificates

Published: 2015-12-01
Last Updated: 2015-12-01 09:26:05 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

More and more online services (not only websites) have switched to "SSL" over the past while and, although this increases end-user security, it is sometimes a pain for security people who have to perform investigations or monitoring (yes, that happens too). During the last edition of BruCON, I collected certificates over the wire. This is easy to do with a tool like Bro, which has the feature built in. To enable it, just change your local.bro configuration file:

# Log certs per Seth
@load protocols/ssl/extract-certs-pem
redef SSL::extract_certs_pem = ALL_HOSTS; 

And restart your Bro process:

# broctl

Welcome to BroControl 1.4

Type "help" for help.

[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started            
bro        standalone localhost  running       4544   0      30 Nov 13:34:01
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit

The interesting new log is called certs-remote.pem and is populated quickly. The problem is that all certificates are stored in one big file. We can split them into individual <number>.pem files with the following awk command:

$ awk 'BEGIN { n = 1 }
split_after == 1 { close(n ".pem"); n++; split_after = 0 }
/-----END CERTIFICATE-----/ { split_after = 1 }
{ print > (n ".pem") }' <certs-remote.pem

From the traffic collected during BruCON, I extracted 3811 certificates. The next step is to extract the host names they cover (the DNS entries of the subjectAltName extension):

$ for i in *.pem
do
    openssl x509 -in "$i" -text -noout |
    grep -o 'DNS:[^, ]*' |   # every DNS entry of the subjectAltName line, not only the first one
    sed 's/^DNS://'
done | sort -u >domains.tmp
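The same split-and-extract procedure in Python, as an added example that is not part of the diary: it splits a PEM bundle like certs-remote.pem, base64-decodes each block and walks the DER structure itself to pull the dNSName entries out of the subjectAltName extension, so no openssl binary is needed. The sample bundle is constructed (certificate-shaped blobs carrying only a serial number and a SAN extension, not real certificates); the walker works unchanged on real DER certificates because it only relies on the generic tag/length/value layout and the subjectAltName OID.

```python
import base64
import re

# OID 2.5.29.17 (subjectAltName) in DER encoding
SAN_OID = bytes.fromhex("551d11")


def split_pem_bundle(text):
    """Return every PEM certificate block in a bundle such as Bro's certs-remote.pem."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                      text, re.S)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def der_iter(data):
    """Yield (tag, body) for each DER element in data (single-byte tags, definite lengths)."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:                      # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        yield tag, data[i:i + length]
        i += length


def san_dns_names(der):
    """Walk the DER tree and collect the dNSName entries of the subjectAltName extension."""
    names = []
    for tag, body in der_iter(der):
        if not tag & 0x20:                    # primitive element: nothing to descend into
            continue
        items = list(der_iter(body))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if tag == 0x30 and items and items[0][0] == 0x06 and items[0][1] == SAN_OID:
            general_names = next(der_iter(items[-1][1]))[1]   # SEQUENCE OF GeneralName
            for gtag, gbody in der_iter(general_names):
                if gtag == 0x82:              # [2] dNSName, IA5String
                    names.append(gbody.decode("ascii"))
        else:
            names.extend(san_dns_names(body))
    return names


def unique_dns_names(bundle_text):
    """Equivalent of the split + openssl + sort -u pipeline: sorted unique DNS names."""
    names = set()
    for pem in split_pem_bundle(bundle_text):
        names.update(san_dns_names(pem_to_der(pem)))
    return sorted(names)


# --- constructed sample data (not real certificates) -------------------------

def der_tlv(tag, body):
    """Minimal DER encoder used only to build the sample blobs below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def sample_cert_der(dns_names):
    """Certificate-shaped DER with a serial number and a SAN extension only (constructed sample)."""
    general_names = der_tlv(0x30, b"".join(der_tlv(0x82, n.encode()) for n in dns_names))
    ext = der_tlv(0x30, der_tlv(0x06, SAN_OID) + der_tlv(0x04, general_names))
    extensions = der_tlv(0xA3, der_tlv(0x30, ext))           # [3] EXPLICIT Extensions
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + extensions)
    return der_tlv(0x30, tbs)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (to_pem(sample_cert_der(["example.com", "www.example.com"]))
                 + to_pem(sample_cert_der(["*.example.net", "example.com"])))

if __name__ == "__main__":
    print(len(split_pem_bundle(SAMPLE_BUNDLE)), "certificates")
    for name in unique_dns_names(SAMPLE_BUNDLE):
        print(name)
```

Point unique_dns_names() at the text of a real certs-remote.pem to get the same sorted, de-duplicated list the shell pipeline writes to domains.tmp; wildcard entries come out as they appear in the certificate (for example *.example.net), which makes them easy to filter separately.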

The command above extracted 2139 unique host names (FQDNs or wildcards) visited by BruCON attendees. Keeping an eye on SSL certificates can help track suspicious activity and also gives you a passive record of which websites your users visit. Certificates also contain a lot of interesting information that can be useful in future investigations. Also have a look at the Passive SSL project supported by the Luxembourg CERT.

Xavier Mertens
ISC Handler - Freelance Security Consultant

