Doubling back to share some more notes about stuff adjacent to web application security. This is a bash script for reconnaissance that uses some tooling from ProjectDiscovery - mapcidr and tlsx - in combination with jq and Bash, to enumerate TLS certificates.
We can assign the search keys we're looking for to a bash array, search_keys, and then pipe both the output of tlsx and our search keys through the tr translation utility, lowercasing each so that the search for TLS certificates is case-insensitive and can match multiple possible keys.
We use globbing (*) to pattern match for the search keys anywhere they might appear in each line. Using jq, we extract the IP of each record to keep track of unique IP addresses, adding them to the unique_ips array whenever we find a match, resulting in printing a sorted array of unique IP addresses that match any of our search keys.
This code gist is actually newer than the one I shared on GitHub and Cohost.
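#!/bin/bash
# case-insensitive search of TLS certs by CIDR block
if [ "$#" -lt 2 ]; then
    echo "Usage: $0 [cidr] [search_key1] [search_key2] [search_key3]"
    exit 1
fi
cidr="$1"
# search keys: up to four arguments after the CIDR block
search_keys=("${@:2:4}")
# IPs already printed, so each one is reported only once
declare -a unique_ips
# feed the CIDR block through mapcidr into tlsx, which emits one JSON record per line
mapcidr -cl "$cidr" 2>/dev/null | \
tlsx -ex -ss -mm -re -un -timeout 1 -json 2>/dev/null | \
while IFS= read -r line; do
    ip=$(printf '%s\n' "$line" | jq -r '.ip')
    # lowercase the whole JSON record once per line
    line_lc=$(printf '%s\n' "$line" | tr '[:upper:]' '[:lower:]')
    for key in "${search_keys[@]}"; do
        key_lc=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        # quoting "$key_lc" makes the key match literally between the * globs
        if [[ "$line_lc" == *"$key_lc"* && \
              ! " ${unique_ips[*]} " =~ " $ip " ]]; then
            unique_ips+=("$ip")
            echo "$ip"
            break
        fi
    done
done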
We submit a CIDR block — we'll use a Y Combinator IP address in this example — and print IP addresses with TLS records that match, like this:
$ ./tlsSearch.sh 209.216.230.240/23 "Y Combinator" test
209.216.230.239
209.216.230.240
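An added example, not part of the original post or the bashful repo: because the script above matches keys anywhere in each JSON line, a key such as "port" (a JSON field name) or an organization name that only appears in the issuer also produces hits. This variant moves the case-insensitive match into jq and restricts it to the certificate's subject fields; the field names subject_cn, subject_org and subject_an are assumed from tlsx's JSON output, and the sample records are constructed.

```bash
#!/bin/bash
# Added example, not the post's script. Field names subject_cn, subject_org and
# subject_an are assumptions about tlsx's JSON output; adjust for your version.

# Constructed sample records (192.0.2.0/24 is a documentation range).
sample_records() {
cat <<'EOF'
{"host":"192.0.2.10","ip":"192.0.2.10","port":"443","subject_cn":"www.example.test","subject_org":["Example Corp"],"subject_an":["www.example.test"]}
{"host":"192.0.2.9","ip":"192.0.2.9","port":"443","subject_cn":"MAIL.EXAMPLE.TEST","subject_an":["mail.example.test"],"self_signed":true}
{"host":"192.0.2.10","ip":"192.0.2.10","port":"8443","subject_cn":"www.example.test","subject_org":["Example Corp"]}
{"host":"192.0.2.77","ip":"192.0.2.77","port":"443","subject_cn":"unrelated.invalid","issuer_org":["Example Corp CA"]}
EOF
}

# Read JSON lines on stdin; print the unique IPs whose certificate subject
# names contain any search key (case-insensitive), sorted numerically by octet.
match_cert_names() {
    jq -r '
        ($ARGS.positional | map(ascii_downcase)) as $keys
        | .ip as $ip
        | [.subject_cn, .subject_org, .subject_an]
        | flatten
        | map(select(type == "string") | ascii_downcase) as $names
        | select(any($keys[]; . as $k | any($names[]; contains($k))))
        | $ip
    ' --args "$@" | sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Two hosts match on subject names; the issuer-only record (192.0.2.77) does not.
sample_records | match_cert_names "Example" "corp"
```

In the real pipeline, the function replaces the while loop: `mapcidr ... | tlsx ... -json | match_cert_names "key1" "key2"`.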
I've started a small repo called "bashful" to share bash scripts for various tasks related to web app security. I might add this new updated version to it soon.
This script might be helpful for web application security researchers and "bug bounty" hunters. If you find it helpful, let me know.