Enumerating FQDNs via TLS/SSL certs!

While analyzing the logs from my load balancers (LB) and web application firewalls (WAF), it came to my attention that a lot of scanning happens against IP:443 rather than against the FQDN. Because these scanners sweep IP address ranges, they often omit the HTTP Host header or set it to the numeric IP address, which the LB/WAF easily detects and blocks.

Enumerating FQDNs/hostnames is an important step when analyzing websites, since a lot of content switching and/or SNI (Server Name Indication) is in place nowadays to host multiple sites on the same IP/port.

Since enumerating over HTTP can be quite challenging, TLS/SSL comes in very handy here (and for free :))

So I started wondering how I could figure out these “secured” websites ;)

Besides some reverse DNS magic, which I skip in this article (in most cloud environments it does not reveal much), let's use good old OpenSSL.

Remark: I’m using my own certificates and websites in this article as examples for testing.

So as a first step, let's connect over TLS/SSL (note that the command uses the IP address, not a hostname):

# openssl s_client -connect 52.224.105.14:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.radarhack.com
verify return:1
---
Certificate chain
0 s:/CN=www.radarhack.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGHjCCBQagAwIBAgISA+ukn32ARwTeWqgqAGAfgcjzMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA2MTMxODM2NDlaFw0x

While DNS does not reveal the hostname, the TLS certificate does: www.radarhack.com. Connecting to a bare IP sends no SNI, so the server answers with its default certificate for that IP:port, which is exactly what an IP-sweeping scanner gets; with -servername you can ask for the certificate of a specific name instead.

While this is no rocket science, there is more information in the certificate once it is decoded explicitly. The Subject Alternative Name (SAN) extension lists every hostname the certificate is valid for, not just the one in the CN:

# openssl s_client -showcerts -connect www.dockersec.io:443 </dev/null | openssl x509 -text | grep -A1 "X509v3 Subject Alternative Name: "
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dockerhack.io
verify return:1
X509v3 Subject Alternative Name:
DNS:dockerhack.io, DNS:dockersec.io, DNS:radarsec.com, DNS:www.dockerhack.io, DNS:www.dockersec.io, DNS:www.radarsec.com

DONE
#
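The two steps above (grab the certificate served at an IP:port, then read the CN and the SAN list out of it) as one script. This is an added example, not code from the original post: the function names, the temporary self-signed certificate and its SAN entries are constructed for the offline demo, and only the openssl CLI is required (1.1.1 or newer for -addext). It goes slightly beyond the post by accepting an optional SNI name and by dropping non-DNS SAN entries (IP Address, email) from the result.

```shell
#!/bin/sh
# Added example, not from the original post: list the hostnames a TLS
# certificate carries (subject CN plus every DNS entry of the Subject
# Alternative Name extension). Function names and the self-signed demo
# certificate below are assumptions made for this example.

# Read one PEM certificate from stdin and print its hostnames one per
# line, CN first, duplicates removed. It parses the "openssl x509 -text"
# dump, so both "CN = x" (1.1.1+) and "CN=x" (older) spellings work.
cert_hostnames() {
  _cert_text=$(openssl x509 -noout -text 2>/dev/null) || return 1
  {
    # "Subject: C = US, O = Foo, CN = host" -> "host"
    printf '%s\n' "$_cert_text" | grep '^ *Subject:' | tr ',' '\n' \
      | sed -n 's/.*CN *= *//p'
    # the line after the SAN header looks like
    # "DNS:a, DNS:b, IP Address:10.0.0.1"; keep only the DNS: entries
    printf '%s\n' "$_cert_text" | grep -A1 'Subject Alternative Name' \
      | tail -n 1 | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
  } | sed 's/[[:space:]]*$//' | awk 'NF && !seen[$0]++'
}

# Fetch the leaf certificate served at TARGET (host:port; a bare IP is
# fine, as in the post) and print its hostnames. A bare IP sends no SNI,
# so you get the server's default certificate; pass a name as the second
# argument to ask for a specific virtual host's certificate instead.
tls_hostnames() {
  _target=$1
  if [ -n "${2:-}" ]; then
    set -- -connect "$_target" -servername "$2"
  else
    set -- -connect "$_target"
  fi
  # </dev/null ends the session right after the handshake; stderr carries
  # the verify chatter; openssl x509 reads only the first (leaf) cert.
  openssl s_client "$@" </dev/null 2>/dev/null | cert_hostnames
}

# Offline demo: a constructed self-signed certificate whose SAN mimics
# the multi-site certificate seen in the post (the CN repeats one SAN
# entry and an IP entry is present, to show de-duplication and filtering).
demo_hostnames() {
  _dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$_dir/key.pem" -out "$_dir/cert.pem" \
    -subj "/CN=dockerhack.io" \
    -addext "subjectAltName=DNS:dockerhack.io,DNS:dockersec.io,DNS:www-temp.dockersec.io,IP:10.0.0.1" \
    >/dev/null 2>&1 || { rm -rf "$_dir"; return 1; }
  cert_hostnames < "$_dir/cert.pem"
  rm -rf "$_dir"
}

# Usage: ./enum_san.sh 52.224.105.14:443 [sni-name]
# With no arguments the offline demo runs instead.
if [ $# -gt 0 ]; then
  tls_hostnames "$@"
else
  demo_hostnames
fi
```

Run it once against the bare IP and once per candidate name with the SNI argument: a shared IP frequently hands back a different certificate, and therefore a different SAN list, for each name it knows.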

This is far more valuable information for an attacker or scanner, since it allows them to identify:
- hostnames, and the 'other' IP addresses they resolve to
- virtual hostnames
- content-switched web sites
- etc.

While testing a few high-profile websites, this simple trick revealed far more than necessary:
- it revealed FQDNs like www-temp.xxx.xxx, test.xxx.xxx, etc.
- not all hostnames are hosted on the same IP:port, so in some cases it revealed the entire public presence ...