Tracking SSL Certificates
More and more online services (not only websites) have been switching to "SSL" for a while now and, while it increases end-user security, it can be a pain for security people who have to perform investigations or controls (yes, that happens too). During the last edition of BruCON, I collected certificates over the wire. It's easy to do with a tool like Bro, which has this feature built-in. To enable it, just add the following to your local.bro configuration file:
# Log certs per Seth
@load protocols/ssl/extract-certs-pem
redef SSL::extract_certs_pem = ALL_HOSTS;
And restart your Bro process:
# broctl
Welcome to BroControl 1.4
Type "help" for help.
[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name         Type         Host         Status    Pid    Peers  Started
bro          standalone   localhost    running   4544   0      30 Nov 13:34:01
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit
The new interesting log is called certs-remote.pem and will quickly be populated. The problem is that all certificates are stored in one big file. We can split them into <number>.pem files (1.pem, 2.pem, ...) using the following awk command (n is initialised to 1 so the first certificate does not end up in a hidden ".pem" file, and the output file name is parenthesised so every awk accepts it):
$ awk 'BEGIN { n = 1 }
       split_after == 1 { close(n ".pem"); n++; split_after = 0 }
       /-----END CERTIFICATE-----/ { split_after = 1 }
       { print > (n ".pem") }' < certs-remote.pem
From the traffic collected during BruCON, I extracted 3811 certificates. The next step is to extract the DNS names (subjectAltName entries) related to them. openssl prints all the names of one certificate on a single line, separated by commas, so the line is split on commas before the "DNS:" prefix is stripped:
$ for i in *.pem; do
    openssl x509 -in "$i" -text -noout | grep 'DNS:' | tr ',' '\n' | sed -n 's/^ *DNS://p'
  done | sort -u > domains.tmp
The command above extracted 2139 unique names (FQDNs or wildcards) visited by BruCON attendees. Keeping an eye on SSL certificates can be interesting to track suspicious activity and also to keep an eye, in a passive way, on which websites were visited by your users. They also contain a lot of interesting information that could be useful during future investigations. Also have a look at the Passive SSL project supported by CIRCL.lu (the Luxembourg CERT).
Xavier Mertens
ISC Handler - Freelance Security Consultant
Comments
Keep in mind that deriving URLs visited from certificates is less accurate due to flawed usage (mostly in HTTPS), but finding flawed usage becomes possible. Users conditioned to flawed usage in HTTPS are likely to be duped into accepting a certificate anomaly in malicious circumstances.
This would also support searches for such anomalies and investigating possible malicious intent behind the anomaly. Or, as I have seen, some really poor usage such as a bank outsourcing their online account access, resulting in redirection to the provider, but at least the provider is using an EV cert. When notified, said bank brushed off the possibility that their customers are being conditioned for a malicious actor to dupe them into revealing their account credentials.
Anonymous
Dec 1st 2015
9 years ago
A proxy supporting SSL decryption is ideal if you have that kind of network control.
Anonymous
Dec 2nd 2015
9 years ago
Everything seems to be working as described and certs are being extracted to a single file but that file is in the /nsm/bro/spool/[hostname-interface name] directory.
Is there any way to have Bro break up the certs-remote.pem files each day and store them with the other logs in the /nsm/bro/logs/[date] directories?
Anonymous
Dec 3rd 2015
9 years ago