metasploit-framework/modules/auxiliary/scanner/http/cert.rb

130 lines
3.3 KiB
Ruby
Raw Normal View History

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::WmapScanSSL
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'HTTP SSL Certificate Checker',
'Version' => '$Revision: 11796 $',
'Author' => 'nebulus',
'License' => MSF_LICENSE,
'Description' => %q{
This module will check the certificate of the specified web servers
to ensure the subject and issuer match the supplied pattern and that the certificate
is not expired.
Note: Be sure to check your expression if using msfcli, shells tend to not like certain
things and will strip/interpret them (= is a perfect example). It is better to use in
console.
}
)
register_options(
[
Opt::RPORT(443),
OptString.new('ISSUER', [ true, "Show a warning if the Issuer doesn't match this regex", '.*']),
OptBool.new('SHOWALL', [ false, "Show all certificates (issuer,time) regardless of match", false]),
], self.class)
end
# Fingerprint a single host
def run_host(ip)
connect
cert = OpenSSL::X509::Certificate.new(sock.peer_cert)
disconnect
if(not cert)
print_status("#{ip} No certificate subject or CN found")
return
end
issuer_pattern = Regexp.new(datastore['ISSUER'], [Regexp::EXTENDED, 'n'])
sub = cert.subject.to_a
before = Time.parse("#{cert.not_before}")
after = Time.parse("#{cert.not_after}")
now = Time.now
a = now <=> before
b = now <=> after
vhostn = 'EMPTY'
sub.each do |n|
if n[0] == 'CN'
vhostn = n[1]
end
end
if ( "#{cert.issuer}" !~ /#{issuer_pattern}/)
print_good("#{ip} - '#{vhostn}' : #{cert.issuer} (BAD ISSUER)" )
elsif datastore['SHOWALL']
# show verbose as status
print_status("#{ip} - '#{vhostn}' : #{cert.issuer}")
end
if ( a < 1 or b > 0 )
print_good("#{ip} - '#{vhostn}' : '" + before.to_s + "' - '" + after.to_s + "' (EXPIRED)'")
elsif
# show verbose as status
print_status("#{ip} - '#{vhostn}' : '" + before.to_s + "' - '" + after.to_s + "'")
end
report_note(
:host => ip,
:port => rport,
:proto => 'tcp',
:type => 'http.vhost',
:data => {:name => vhostn}
) if vhostn
# Store the SSL certificate itself
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'ssl.certificate',
:data => {
:cn => vhostn,
:subject => cert.subject.to_a,
:algorithm => cert.signature_algorithm
}
) if vhostn
# Update the server hostname if necessary
if vhostn !~ /localhost|snakeoil/i
report_host(
:host => ip,
:name => vhostn
)
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::OpenSSL::SSL::SSLError => e
return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted
rescue ::Exception => e
return if(e.to_s =~ /execution expired/)
print_error("Error: '#{ip}' '#{e.class}' '#{e}' '#{e.backtrace}'")
end
end