mr.automation Posted January 6, 2015

I'm trying to think of a way to use nmap to scan a range of IPs only on 443 to discover certs and then put this information into a file so that I can alert on ones that are expiring. Using something like "nmap -sV -p 443 <ip_range>" will give you very simple results about the port being open, and I think there is an NSE script for ssl-cert, but has anyone done something like this where you could get the cert name, expiry date, key and then output that to a file so you could run another script on it to send out an e-mail alert if the cert is less than 30 days from expiring or expired?
cooper Posted January 6, 2015

for ip in 127.0.0.{0..255}; do
    # </dev/null so s_client does not sit waiting on stdin after the handshake;
    # 2>&1 keeps the connection errors for hosts with nothing on 443
    openssl s_client -connect "$ip:443" -showcerts </dev/null > "$ip.crt" 2>&1
done

I'm guessing you can parse the information in the produced files later (or as a part of the loop here) to see what needs to be done next, if anything.
mr.automation Posted January 7, 2015 (Author)

Awesome, thanks. I also found a tool online that's free that does the bulk of this as well. Just in case people want to use this: https://www.digicert.com/cert-inspector.htm Just requires a free account, but it will give you the cert, what hosts are using it, its weaknesses, expiry dates, etc. Still, nice to have both options. Thanks for the help.
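The follow-up step the question asks for, as an added example that is not from either poster: a script that reads the per-host `.crt` files written by the s_client loop, pulls the subject and notAfter date out with `openssl x509`, and flags anything expired or within 30 days of expiry. It assumes `openssl` is on PATH and that the files sit in the current directory; the alerting hook is left as a print so you can swap in your mailer.

```python
import glob
import ssl
import subprocess
import time

ALERT_DAYS = 30  # threshold from the question: alert at 30 days or less


def parse_x509_text(text):
    """Turn the key=value lines printed by `openssl x509 -noout -subject -enddate`
    into a dict, e.g. {'subject': 'CN = host', 'notAfter': 'Jan  6 12:00:00 2016 GMT'}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def days_until_expiry(not_after, now=None):
    """Whole days from `now` (epoch seconds; default is the current time) until
    notAfter. Negative means the certificate has already expired."""
    expiry = ssl.cert_time_to_seconds(not_after)  # stdlib parser for OpenSSL's date format
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def classify(not_after, now=None, threshold=ALERT_DAYS):
    """Return 'EXPIRED', 'EXPIRING' (threshold days or fewer left) or 'OK'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= threshold:
        return "EXPIRING"
    return "OK"


def inspect_cert_file(path):
    """Read the first PEM block in a file saved by the s_client loop (e.g. 10.0.0.5.crt).
    Hosts that had nothing on 443 hold no PEM, so openssl fails and we raise."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_x509_text(out)


if __name__ == "__main__":
    for path in sorted(glob.glob("*.crt")):
        try:
            fields = inspect_cert_file(path)
        except subprocess.CalledProcessError:
            continue  # no certificate in this file (port closed or handshake failed)
        status = classify(fields["notAfter"])
        if status != "OK":
            # replace this print with your e-mail / ticketing step
            print(f"{status}: {path} {fields.get('subject', '?')} notAfter={fields['notAfter']}")
```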