SSL Search — A tool to identify infrastructure and discover attack surfaces.

Harsh Varagiya
Nov 13, 2023


This tool lets the user scan SSL certificates across large numbers of IPv4 addresses at scale with one goal: identifying the infrastructure of some “target”.

It also integrates with the APIs of the major cloud service providers (CSPs), so the user can search a target's infrastructure directly on GCP, for example.

How it works

Each public key certificate carries various bits of data about the certificate along with the cryptographic material. We can read this information for a given IP & port combination by establishing a TLS connection to the server.

https://en.wikipedia.org/wiki/Public_key_certificate

The Subject field and the string form of the SAN (Subject Alternative Name) field of every x509 SSL certificate are compared against a target regex. If the certificate matches the target, the IP & port combination is considered a valid finding.

Once we have valid findings, we can choose to enrich them by passing them through various enrichment steps, such as:

  1. Grabbing the HTTPS server header, if possible
  2. Generating the JARM fingerprint, if possible
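To make the matching rule above concrete, here is an added Go example of the connect-and-compare step. It is not the sslsearch code itself: the function names (CertMatches, ScanAddr, SelfSignedCert, ServeCert) are this example's own, the certificate it scans is a constructed self-signed one served on loopback so the whole thing runs offline, and the exact string form the tool uses for the SAN field is an assumption (DNS, IP and e-mail SANs joined with commas). The enrichment steps (server header, JARM) are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

// CertMatches applies the rule from the post: the Subject field and the string
// form of the SAN field are each tested against the keyword regex. Assumption:
// the SAN string form is the DNS, IP and e-mail SANs joined with commas.
func CertMatches(cert *x509.Certificate, re *regexp.Regexp) bool {
	if re.MatchString(cert.Subject.String()) {
		return true
	}
	sans := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}
	sans = append(sans, cert.EmailAddresses...)
	return re.MatchString(strings.Join(sans, ","))
}

// ScanAddr connects to addr over TLS, reads the leaf certificate and reports whether
// it matches, plus its Subject. Chain verification is skipped on purpose: the goal
// is to read the certificate, not to trust it.
func ScanAddr(addr string, re *regexp.Regexp, timeout time.Duration) (bool, string, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return false, "", err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return false, "", fmt.Errorf("%s: server sent no certificate", addr)
	}
	leaf := certs[0]
	return CertMatches(leaf, re), leaf.Subject.String(), nil
}

// SelfSignedCert builds a throwaway self-signed certificate in memory with the
// given CN and DNS SANs (constructed test data so the scan can run offline).
func SelfSignedCert(cn string, sans []string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // just created it, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// ServeCert starts a TLS listener on loopback that presents cert, completes the
// handshake for each connection and hangs up; it returns the listen address.
func ServeCert(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			_ = c.(*tls.Conn).Handshake() // serve the certificate, then close
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	re := regexp.MustCompile(`.*target.*`)
	cert, _ := SelfSignedCert("www.target.example", []string{"api.target.example"})
	addr, err := ServeCert(cert)
	if err != nil {
		panic(err)
	}
	matched, subject, err := ScanAddr(addr, re, 2*time.Second)
	fmt.Println(addr, matched, subject, err)
}
```

The same ScanAddr call works against any real ip:port; the loopback server only exists so the example is self-contained. Note that a certificate matching on the SAN alone (CN set to something unrelated) is still a finding, which is exactly why the tool checks both fields.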

Features

  • x509 certificate scanning — Subject & SAN matching to identify target infrastructure / domains / subdomains / IPs.
  • Attack surface assessment — The results help identify the public attack surface that needs to be protected.
  • Company/domain targeting — You can use the tool to scan SSL certificates specifically for companies or domains, allowing focused analysis and evaluation of their digital assets.
  • Enrichment — The findings can be enriched further by grabbing server headers for HTTPS services and generating a JARM fingerprint if needed.

Installation

Compile from source https://github.com/HarshVaragiya/sslsearch

go install github.com/HarshVaragiya/sslsearch@latest

Examples

  1. Identifying target infrastructure across all regions of a specific cloud service provider and enriching those findings via server-header grabbing and JARM fingerprinting.
sslsearch aws --keyword-regex '.*target.*' --jarm --server-header
finding “default” certs in AWS

2. Performing a mass scan of an entire region of a cloud service provider and enriching those findings.

sslsearch gcp --keyword-regex '.*' --region-regex 'us-west4' --jarm --server-header
a whole GCP region scanned

3. Scanning a given CIDR range (public or private) for a target.

sslsearch cidr 10.10.10.0/24 --keyword-regex '.*target.*' --console-out
scanning private IPv4 range CIDR for all SSL certs on port 443

4. Scanning the whole Internet (just for fun).

sslsearch cidr 0.0.0.0/0 --keyword-regex '.*' --threads 20000 --jarm --server-header --jarm-threads 400 --server-header-threads 200
scanning 0.0.0.0/0
One can’t. Multiple can. Just look at Shodan.
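The cidr examples above (10.10.10.0/24 and, at the extreme, 0.0.0.0/0 with --threads 20000) boil down to walking every address in a prefix and probing each one with a bounded number of concurrent workers. The Go below is an added example of that fan-out, not the tool's own code: ScanCIDR and FakeScan are this example's names, the probe is pluggable so the logic runs offline, and the addresses FakeScan "finds" (10.10.10.7 and 10.10.10.200) are constructed data standing in for hosts whose certificate matched.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
	"sync"
)

// ScanFunc probes one host:port and reports whether it is a finding. In the tool
// this would be the TLS connect plus certificate regex; here the caller supplies it.
type ScanFunc func(addr string) (bool, error)

type hit struct {
	idx  uint64 // offset within the prefix, used to restore address order
	addr string
}

// ScanCIDR walks every IPv4 address in cidr (network and broadcast included, as a
// mass scanner would try them too), probes ip:port with at most `threads`
// concurrent probes (the --threads idea) and returns the matching addresses in
// address order. Addresses are generated lazily, so a huge prefix such as
// 0.0.0.0/0 never needs four billion strings in memory at once.
func ScanCIDR(cidr string, port, threads int, scan ScanFunc) ([]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	base := ipnet.IP.To4()
	if base == nil {
		return nil, fmt.Errorf("%s: only IPv4 prefixes are supported", cidr)
	}
	if threads < 1 {
		return nil, fmt.Errorf("threads must be >= 1")
	}
	ones, bits := ipnet.Mask.Size()
	count := uint64(1) << uint(bits-ones)
	start := binary.BigEndian.Uint32(base)

	jobs := make(chan hit)
	var mu sync.Mutex
	var hits []hit
	var wg sync.WaitGroup
	for w := 0; w < threads; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := range jobs {
				ok, err := scan(j.addr)
				if err != nil {
					continue // closed ports and non-TLS hosts are the common case; skip them
				}
				if ok {
					mu.Lock()
					hits = append(hits, j)
					mu.Unlock()
				}
			}
		}()
	}
	for i := uint64(0); i < count; i++ {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], start+uint32(i))
		jobs <- hit{idx: i, addr: net.JoinHostPort(net.IP(b[:]).String(), strconv.Itoa(port))}
	}
	close(jobs)
	wg.Wait()

	sort.Slice(hits, func(a, b int) bool { return hits[a].idx < hits[b].idx })
	out := make([]string, len(hits))
	for i, h := range hits {
		out[i] = h.addr
	}
	return out, nil
}

// FakeScan stands in for the real TLS probe (constructed data): it "finds" a
// matching certificate on 10.10.10.7 and 10.10.10.200, sees a non-matching
// certificate on 10.10.10.1, and fails on everything else as unreachable hosts would.
func FakeScan(addr string) (bool, error) {
	host, _, _ := net.SplitHostPort(addr)
	switch host {
	case "10.10.10.7", "10.10.10.200":
		return true, nil
	case "10.10.10.1":
		return false, nil
	}
	return false, fmt.Errorf("connect %s: connection refused", addr)
}

func main() {
	found, err := ScanCIDR("10.10.10.0/24", 443, 50, FakeScan)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(found, "\n"))
}
```

Swapping FakeScan for a real probe is the only change needed to turn this into a scanner; the worker count is the knob that trades scan time against the connection and file-descriptor load on the scanning host, which is why the tool exposes separate thread counts for the scan itself and for each enrichment step.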

Use Cases

  1. Identifying your own public attack surface / getting to know your online exposure by mapping all public resources.
  2. Targeted scanning for bug bounty / given scope.
  3. Identifying secure mail servers / RDP services belonging to a target. Any service that uses an x509 certificate to secure its traffic can be found this way.

Other research-worthy “find the needle” use cases

  1. Locating phishing / knockoff sites for some target domain by changing one letter of the name.
  2. Scanning a whole CSP to find tools like Meterpreter listeners, C2 servers and other malicious sites using JARM, etc. — https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/

References

Built after following these research projects:
