
Collecting certificate details with nmap

Mat Davis edited this page Nov 13, 2019 · 1 revision

The goal of this document is to show how to use the latest nmap capabilities to discover certificate files and their details, such as key size in bits, expiration date and key type.

Note: The nmap version shipped with TADDM (v5.2) is older than the one used in this document. By downloading the latest version you lose support for any issues that might come up with nmap.

This example focuses on extending the Linux Computer System template, but it can be applied to other operating systems as well, and probably packaged once for the Generic Computer System sensor.

Define the new extended attribute types for the Certificate File CDM object in the TADDM Data Management Portal, as shown in the screenshot below:

Run scripts to create extended attributes database views:

dist/bin/extattr_views.sh scripts  
dist/bin/extattr_views.sh create

Download and install the most recent release of nmap using the RPM installer. This populates /usr/share/nmap/scripts with all of the appropriate scripts. Make sure that this version of nmap is first on the PATH; this might require a restart of the TADDM application.

Download the following files into dist/etc/templates/cts

Install note: template.xml contains a static reference to the version number of the Linux sensor, which might not match your environment. Edit template.xml and change the sensor version to match your environment.

Set up a discovery profile where CustomTemplateSensor is enabled. The default profiles do not have this sensor enabled.

Run a discovery of the Linux endpoint from which you want to collect certificates; port 443 is scanned by default (the list of ports can be extended by editing sensor.py, using a comma as the separator).

If there is no certificate found on port 443, the CustomTemplateSensor will complete successfully and a debug message will be shown in the log.

For troubleshooting you can run (root not required):

nmap -p 443 -Pn -n -T5 --datadir=/usr/share/nmap/scripts --script=ssl-cert <endpoint ip>
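The page does not show how sensor.py turns the ssl-cert output into the BITS, TYPE and NOT_VALID_* attributes, so here is an added example (not the project's own code) that parses the normal output of the nmap command above and flags expired or weak-key certificates. The scan output is a constructed sample, and the parsing is based on the ssl-cert script's text format, not on sensor.py.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `nmap --script=ssl-cert` normal output (not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=nc143098/organizationName=Example Corp
| Issuer: commonName=Example CA
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2005-11-11T20:51:01
| Not valid after:  2024-06-24T19:51:01
| MD5:   0000 0000 0000 0000 0000 0000 0000 0000
|_SHA-1: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
"""

# One regex per attribute the page stores as an extended attribute.
FIELDS = {
    "type": re.compile(r"^\|\s*Public Key type:\s*(\S+)", re.M),
    "bits": re.compile(r"^\|\s*Public Key bits:\s*(\d+)", re.M),
    "not_valid_before": re.compile(r"^\|\s*Not valid before:\s*(\S+)", re.M),
    "not_valid_after": re.compile(r"^\|\s*Not valid after:\s*(\S+)", re.M),
}

def parse_ssl_cert(output):
    """Return the certificate attributes as a dict, or None when the ssl-cert
    script produced no certificate block (the 'no certificate on port 443' case)."""
    if "| ssl-cert:" not in output:
        return None
    cert = {}
    for key, pattern in FIELDS.items():
        match = pattern.search(output)
        if match is None:
            return None  # incomplete block: treat as nothing collected
        cert[key] = match.group(1)
    cert["bits"] = int(cert["bits"])
    return cert

def assess(cert, now_iso=None, min_rsa_bits=2048):
    """Return (days_until_expiry, findings). nmap prints validity times without a
    zone; they are UTC, so both sides are compared as aware UTC datetimes."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    now = datetime.strptime(now_iso, fmt) if now_iso else datetime.utcnow()
    not_after = datetime.strptime(cert["not_valid_after"], fmt)
    days_left = (not_after.replace(tzinfo=timezone.utc) - now.replace(tzinfo=timezone.utc)).days
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left < 30:
        findings.append("expires within 30 days")
    if cert["type"] == "rsa" and cert["bits"] < min_rsa_bits:
        findings.append("weak RSA key (%d bits)" % cert["bits"])
    return days_left, findings
```

Run the nmap command from the page with a subprocess call and pass its stdout to parse_ssl_cert to get the same values the SQL query at the end of this page reports.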

The results can be checked with the following SQL:

/opt/IBM/taddm/dist/bin # ./dbquery.sh -u administrator -p  collation "select T1.NAME_C, T3.BITS_C, T3.TYPE_C, T3.NOT_VALID_AFTER_C, T3.NOT_VALID_BEFORE_C from BB_UNITARYCOMPUTERSYSTEM24_V T1,BB_COMPUTERSYSTENTS_5A350BEFJ T2,EA_CERTIFICATEFILE55_V T3 WHERE T1.PK_C = T2.PK__JDOID_C AND T3.PK_C = T2.PK__CONFIGCONTENTS_C"  
NAME_C          BITS_C          TYPE_C          NOT_VALID_AFTER_C               NOT_VALID_BEFORE_C  
nc143098        1024            rsa             2024-06-24T19:51:01+00:00       2005-11-11T20:51:01+00:00