HTTPS cert scanning differences between Metasploit and Nmap

Metasploit has auxiliary modules dedicated to HTTPS cert and SSL scanning. I was interest to compare this Metasploit module with Nmap ssl-cert NSE script.

I decided to scan a /24 rang, how represent 255 IP addresses with the 2 tools, compare the results and the time to do these scans.

Metasploit

By default, the Metasploit “scanner/http/cert auxiliary” module is configured with 50 threads, you can if you want increase the number of thread  by setting the THREADS option. We have set THREADS to 256. We have also decrease the ConnectTimeout advanced configuration option to 1 second, and set the SHOWALL option to true in order to get issuers and times.

Metasploit suggest to use this auxiliary module in the console than with the cli.

Cli testing

time sudo msfcli scanner/http/cert ConnectTimeout=1 SHOWALL=true THREADS=256 RHOSTS=xxx.xxx.xxx.xxx/24 E

Metasploit, between the cli, has take around 14 seconds to scan all the 255 IP addresses, and return us 9 responses.

Console testing

Metasploit, between the console, has take around 5 seconds to scan all the 255 IP addresses, and return us 9 responses.

Example of output :

[+] xxx.xxx.xxx.xxx – ‘toto.sploit.com’ : /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
[-] xxx.xxx.xxx.xxx – ‘toto.sploit.com’ : ‘Sat Jan 01 00:00:00 UTC 2000’ – ‘Sat Jan 01 00:00:00 UTC 2000′ (EXPIRED)’

With the console, or the cli, we have some strange behaviors on certificates times how should, normally, announce if the certificate is expired or not, all the 9 certificates are expired with this kind of output : ‘Sat Jan 01 00:00:00 UTC 2000′ – ‘Sat Jan 01 00:00:00 UTC 2000’ (EXPIRED)‘.

By switching the SSLVersion advanced option from SSL3 to SSL2, I discovered one more certificate. So Metasploit cert scanner discover a total of 10 certificates on 11.

Nmap

With Nmap, the following command will permit you to scan the https cert. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

time sudo nmap –script=ssl-cert -PN -T4 -p 443 -oN xxx.xxx.xxx.xxx-255_ssl_cert.txt xxx.xxx.xxx.xxx/24

Nmap has take around 11 seconds to scan all the 255 IP addresses, and return us only 11 responses.

Example of output :

Nmap scan report for toto.sploit.com (xxx.xxx.xxx.xxx)
Host is up (0.14s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=toto.sploit.com/organizationName=Sploit Inc./stateOrProvinceName=Luna/countryName=EU
| Issuer: commonName=UTN-USERFirst-Hardware/organizationName=The USERTRUST Network/stateOrProvinceName=UT/countryName=US
| Not valid before: 2007-10-22 00:00:00
| Not valid after:  2010-10-21 23:59:59
| MD5:   661a 63d2 1554 e5cc 250c 8991 ae34 56ce
|_SHA-1: e3e9 1fc1 6843 3b9b d686 e9ea fec2 6c2b ac01 afa3

There is surely a bug in the Metasploit auxiliary module on the certification expiration check.

A single Nmap NSE script, provide you more information’s on the certificate (MD5, cipher and details of the ssl-cert). In order to have the same information’s with Metasploit you need to execute another auxiliary module “scanner/http/ssl“. This other module will also scan the 255 IP addresses in around 5 seconds, but will still return 10 responses. They’re is still a missing certificate how is an SSL3 version.

With Nmap NSE script you don’t have to switch between the SSL versions to discover all the SSL certs.

Update : The Metasploit cert auxiliary scanner module times has been corrected and now the cert times informations are effectives, but still discover 10 certificates on 11.

2 thoughts on “HTTPS cert scanning differences between Metasploit and Nmap

  1. Hello, I actually wrote that module and believe the issue is an unexpected date format on the not_before and not_after portions of the certificate (I didn’t have many cases to test).

    if you wouldn’t mind adding on line 152 to modules/auxiliary/scanner/http/cert.rb:

    print_status(“BEFORE: ‘#{cert.not_before}’ AFTER: ‘#{cert.not_after}’)

    And sending it to me (or posting it), I’ll take a look at it. Conversely, you can also open a ticket here (https://www.metasploit.com/redmine/login) (requires registration) and let the metasploit developers address.

Comments are closed.