A small utility to request the SSL certificate from a public or private web application. CheckCert helps operators in the following ways:
- It validates whether or not a webserver can be reached.
- The `Issuer` field can help determine if SSL/TLS inspection is in place.
- Hostnames can be obtained via the `Name` field in cases where IP addresses don't have associated PTR records.
Both a C# and a BOF version of CheckCert are included. The BOF version was created to overcome an operational issue in an environment with tight egress rules: it was possible to establish DNS C2, but it was difficult to find a suitable domain that was allowed outbound via HTTPS. The CheckCert BOF was created in an effort to minimize the amount of traffic sent via DNS while still providing the ability to request SSL certificates from publicly accessible domains.
You can grab a copy of CheckCert from the releases page. Alternatively, feel free to compile the solution yourself.
```
CheckCert.exe https://nytimes.com

[+] Certificate for: https://nytimes.com
Name: CN=nytimes.com
Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Expiration: 4/5/2022 8:00:00 PM
Effective Date: 1/2/2020 7:00:00 PM
Thumbprint: CB29785052F1B91E530CBE546C11DFE62994D76E
Serial Number: 00B947803967139F666A54B56C27B852B5
Public Key String: 3082010A0282010100DAF21805C1248D18F129104486B7882B99DBC30948B3691A7383075DEBA1FD054173E0FDB31432BAE4924F311CA2D1312541A85C08F8B0D0FAF7F35454C1E0D3C1ADC679E274A39124A5A4BCA93B7DB3D4E682591D6CA363A26D350CD06951089BD249148A33DD46174B0112B42786E312A878D5A8EC6B181A2DEFC4384558597081D596B2711CB9728ED423FED2FDD4DF315BE3F278C37A36CBE7BB4788447FD54EC5598D446CFA17EDA8D4C18FE5067B9263FCF0FD768BFE24D59BDFA89719E53F26937E1D526F9A71938D7F099BFE85077AA278F5B98F1E4081FB47E22313E0D588956A058DDA7AF7DED0B68F0F1DE662D594D31CED164C94B16C7D0D34A70203010001
```
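The same check in Python, added here as an example and not part of CheckCert (which ships only the C# and BOF builds): it flattens a certificate into the `Name`/`Issuer`/expiry fields above, collects SAN hostnames for the no-PTR case, and compares the observed issuer against a reference issuer as the README's inspection hint. The sample certificate dict is constructed from the nytimes.com output (the `www.nytimes.com` SAN entry is an assumption), and `check_cert` verifies the chain so an issuer the local trust store does not know is reported rather than hidden.

```python
import socket
import ssl
from datetime import datetime, timezone

# Windows-style attribute names so the flattened DN matches CheckCert's output (S= for state).
SHORT = {"commonName": "CN", "organizationName": "O", "countryName": "C", "localityName": "L", "stateOrProvinceName": "S"}

# Constructed sample in ssl.SSLSocket.getpeercert() layout, modelled on the README's
# nytimes.com output; the www.nytimes.com SAN entry is an assumption for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "nytimes.com"),),),
    "issuer": ((("countryName", "GB"),), (("stateOrProvinceName", "Greater Manchester"),),
               (("localityName", "Salford"),), (("organizationName", "Sectigo Limited"),),
               (("commonName", "Sectigo RSA Domain Validation Secure Server CA"),)),
    "subjectAltName": (("DNS", "nytimes.com"), ("DNS", "www.nytimes.com")),
    "notAfter": "Apr  6 00:00:00 2022 GMT",
    "serialNumber": "00B947803967139F666A54B56C27B852B5",
}

def dn_string(rdn_seq):
    """Flatten getpeercert()'s nested ((type, value),) tuples into 'CN=..., O=...'."""
    return ", ".join(f"{SHORT.get(k, k)}={v}" for rdn in rdn_seq for k, v in rdn)

def summarize(cert):
    """Reduce a getpeercert() dict to the fields CheckCert reports, plus the SAN hostnames."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    return {
        "name": dn_string(cert.get("subject", ())),
        "issuer": dn_string(cert.get("issuer", ())),
        "hostnames": sorted(set(cn + san)),  # names usable when the IP has no PTR record
        "expires": datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc),
        "serial": cert.get("serialNumber"),
    }

def issuer_changed(observed_issuer, reference_issuer):
    """The README's inspection hint: the issuer seen on this path differs from the reference one."""
    return observed_issuer.strip().lower() != reference_issuer.strip().lower()

def check_cert(host, port=443, timeout=5):
    """Live check with chain verification; an issuer outside the local trust store
    (the usual inspection-proxy symptom) comes back as an explicit error, not silently."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"reachable": True, **summarize(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:  # TCP worked, but the presented chain is untrusted
        return {"reachable": True, "error": f"untrusted issuer: {exc.verify_message}"}
    except OSError as exc:  # DNS failure, connection refused, timeout, egress blocked
        return {"reachable": False, "error": str(exc)}
```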
The BOF can take a comma-separated list of domains. Several assumptions have been made, which can easily be changed by editing the source file and recompiling:
- The connect port has been set to 443.
- The HTTP referrer has been set to
- The `User-Agent` string has been set to `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36`.
You can grab a copy of the CheckCert BOF here. Alternatively, feel free to compile it yourself using either the x86 or x64 Developer Command Prompt for VS:

```
cl.exe /c /GS- CheckCert.c /FoCheckCertx64.o
```
```
inline-execute C:\Users\skawa\Desktop\CheckCertx64.o www.ft.com,www.cnn.com
[*] Tasked beacon to inline-execute C:\Users\skawa\Desktop\CheckCertx64.o
[+] host called home, sent: 3704 bytes
[+] received output:
[+] Getting SSL certificate details for https://www.ft.com:443/

[+] received output:
Name: CN=*.ft.com
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020
Expiration: 06/28/2022
Effective Date: 05/27/2021

[+] received output:
[+] Getting SSL certificate details for https://www.cnn.com:443/

[+] received output:
Name: CN=*.api.cnn.com
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020
Expiration: 05/22/2022
Effective Date: 04/20/2021
```