Thursday, January 19, 2012

Obtaining Host/Domain Names Through SSL Certificates

During vulnerability and penetration assessments one common beginning task is taking a given IP address space and identifying the domain and host names that operate within it. It's always helpful to know these names because a lot of web servers use host headers to direct web requests to the correct site content, i.e. you need the name to get to the right site. It's pretty easy to find a target company's domain by looking at their website or email addresses. Similarly, it's pretty easy to append a "www." or "mail." to a company's domain name to find some basic host names. However, if you stopped there, chances are you're missing something.

I always want to know what other domains and alternate host names are being hosted and specifically what web apps are running within those additional domain/host names. This is because I tend to get more mileage from web application vulnerabilities than I do from classic network vulnerabilities.

There are myriad ways of finding out this information. You might start with attempting zone transfers on the domains you do know to dump all host names. This rarely works so you might use a tool to identify host names based on a dictionary of potential values. This will work somewhat but those DNS records must be in your dictionary and you'll invariably miss some. For additional domain names, you might start performing reverse DNS lookups on the IP address space that's in scope for the assessment. Accurate reverse DNS zones are often not available so you might use a tool like Maltego which uses other information sources to identify those other domain names.

Yet another way of identifying straggling domain/host names is to grab SSL certificates on the network and look at the "commonName" attributes. Then you can take any new domain names identified and run them through the same process you already went through for the names you already knew. This may seem arcane but I've personally been in situations where I was unaware of a domain, obtained it through an SSL certificate, performed dictionary-based enumeration of the domain, and identified a hostname for a vulnerable web application listening on a site with host headers. The point is that I would have never known the app existed by just connecting to the web server's IP address without a name. Thorough coverage is the name of the game.

Nmap has a nice script built in to do just this:

nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open A.B.C.D/XY
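The same harvest done with Python's standard library, as an added example that is not from the original post: it pulls the subject commonName and also the DNS entries of the subjectAltName extension, which is where newer certificates carry most of their names (some omit commonName entirely). The sample certificate dictionary, host names and domains are constructed for illustration.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "mail.example.com"),
                       ("DNS", "*.example-other.net"),
                       ("IP Address", "192.0.2.10")),
}

def names_from_cert(cert):
    """Sorted DNS names from a getpeercert() dict: the subject commonName
    plus every DNS entry of subjectAltName (where newer certs put the
    names that matter; some have no commonName at all)."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                names.add(value.lower())
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type == "DNS":
            names.add(value.lower())
    return sorted(names)

def new_domains(names, known):
    """Domains seen in `names` that are not in `known`, using a two-label
    heuristic (no public-suffix list, so co.uk-style names need a manual
    look); a leading wildcard label is dropped first."""
    domains = {".".join(n.lstrip("*.").split(".")[-2:]) for n in names}
    return domains - set(known)

def fetch_cert(host, port=443, timeout=5.0):
    """TLS handshake with host:port and return the peer cert as a dict.
    Hostname matching is off because we connect by IP, but the chain must
    still verify: getpeercert() returns {} for an unverified peer, so a
    self-signed cert needs getpeercert(binary_form=True) and a DER parser."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Feed the names returned by new_domains() back into the dictionary enumeration and reverse-lookup steps described above; nothing is printed, the functions return their results.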
