I'm a student in computer security, and I'm wondering what would be the risks for a server if I can retrieve its SSL certificate using the nmap script ssl-cert?
Thank you
There is no risk: this is not a vulnerability that is being exploited, but just a way to retrieve information that is presented by the server for functional reasons and on purpose.
The simplified explanation is this:
If you want to establish an encrypted (or, more accurately: authenticated) connection to a server, you're going to need its public key. This key is commonly packaged in a certificate. When you connect to the server on a port where such a security protocol is running (for example TLS), it will send you the certificate, which you can use to establish a secure connection.
Nmap's ssl-cert script simply does this in a scripted fashion so that you can use it. You could also use openssl s_client or other tools. Your browser also retrieved the certificate of Super User before requesting this web page; you can view it by clicking on the lock icon in most browsers. The certificate contains various fields such as (typically) which domain it was issued for, and yes, this is all on purpose.
There are some concerns like finding alternative virtual hosts on a web server through the certificate's alt names, but it's all for functional reasons and well known.
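To make the handshake described above concrete, here is an added, self-contained example (not code from the original answer or from the Nmap project) that does in Go what ssl-cert does: it stands up a throwaway TLS listener on loopback with a self-signed certificate, connects to it as an unauthenticated client, and reports what the server hands over during the handshake. Go is used so the whole thing runs offline; the host names www.example.test and intranet.example.test are constructed values chosen to show how subject alt names expose additional virtual hosts, exactly the "concern" the answer mentions. Nothing here touches the private key, which never leaves the server side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertInfo is the subset of certificate fields an anonymous client learns
// from the handshake alone; this is what nmap ssl-cert prints.
type CertInfo struct {
	Subject   string
	DNSNames  []string
	NotBefore time.Time
	NotAfter  time.Time
	PublicKey string
}

// newSelfSignedCert builds a throwaway server certificate (constructed test
// data, not a real site's certificate) with the given CN and alt names.
func newSelfSignedCert(cn string, sans []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// grabCert completes a TLS handshake with addr and returns the leaf
// certificate the server presented. Verification is skipped on purpose:
// we only want to see the certificate, not trust it.
func grabCert(addr string) (CertInfo, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return CertInfo{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return CertInfo{}, fmt.Errorf("server sent no certificate")
	}
	leaf := certs[0]
	return CertInfo{
		Subject:   leaf.Subject.CommonName,
		DNSNames:  leaf.DNSNames,
		NotBefore: leaf.NotBefore,
		NotAfter:  leaf.NotAfter,
		PublicKey: leaf.PublicKeyAlgorithm.String(),
	}, nil
}

// RunDemo starts a TLS server on loopback, grabs its certificate the way
// ssl-cert would, and shuts the server down again.
func RunDemo() (CertInfo, error) {
	cert, err := newSelfSignedCert("www.example.test",
		[]string{"www.example.test", "intranet.example.test"})
	if err != nil {
		return CertInfo{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return CertInfo{}, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the server side of the handshake, then hang up:
			// the certificate has already been sent at this point.
			if tc, ok := c.(*tls.Conn); ok {
				_ = tc.Handshake()
			}
			c.Close()
		}
	}()
	return grabCert(ln.Addr().String())
}

func main() {
	info, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject CN: %s\nalt names:  %v\nvalid:      %s to %s\nkey type:   %s\n",
		info.Subject, info.DNSNames,
		info.NotBefore.Format(time.RFC3339), info.NotAfter.Format(time.RFC3339),
		info.PublicKey)
}
```

The point to notice is that grabCert never authenticates, never sends credentials and never sees the private key; everything it reports is what the server volunteers to any client that opens the connection, which is why a scanner reading these fields is reconnaissance, not an exploit.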
With nmap -sV -sC <target> you will get the validity, and with openssl s_client -connect {HOSTNAME}:{PORT} -showcerts you will grab the certificates and be able to see the public key if you view the grabbed certs (or add -vv to the nmap). The private key should be accessible only if you have administrative rights on the server. – Zina Aug 22 '16 at 23:53