RDP Cert Scan with nmap

We recently had a red team where we had a lot of RDP endpoints, but not many other endpoints. We had some time pressure, so we looked to see if nmap had a script (we didn’t see one) and wrote a python script that grabbed the cert names. This is a good way to guess at internal hostnames. With our python script, it was also slow.

Anyway after the engagement I was thinking about writing this up as an NSE and looked more carefully at the existing nmap scripts. It turns out it’s already there with ssl-cert. I couldn’t find a command line switch to force nmap to run a script on a port, but it’s easy enough to edit the scripts themselves.

If you want port 3389 to check out the cert, edit shortport.lua (path on my box is /usr/share/nmap/nseLib/) and add it

  443, 465, 587, 636, 989, 990, 992, 993, 994, 995, 5061, 6679, 6697, 8443,
  9001, 3389

Also, you may want to try and grab certs off any port. In that case you can just return true regardless of port. In [/usr/share/nmap/script/]ssl-cert.nse

portrule = function(host, port)
  --return shortport.ssl(host, port) or sslcert.isPortSupported(port)
  return true

You can run it like this, and use any of the output that nmap does, so it’s simple to parse out.

nmap --script=ssl-cert  -Pn -p 57008 combat.cloudapp.net 

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-01 13:48 PDT
Nmap scan report for combat.cloudapp.net (
Host is up (0.030s latency).
57008/tcp open  unknown
| ssl-cert: Subject: commonName=combat
| Issuer: commonName=combat
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-01-07T00:43:38+00:00
| Not valid after:  2015-07-08T23:43:38+00:00
| MD5:   c44a 7db5 5b74 ee63 d7bf 324d bc21 47d6
|_SHA-1: b865 1880 79d6 56bd e876 7006 ece0 f1fd a1bf 551e

2 Responses to RDP Cert Scan with nmap

  1. mhswende says:

    ” couldn’t find a command line switch to force nmap to run a script on a port”
    Use the +-operator: “nmap –script=+ssl-cert -Pn -p 57008 combat.cloudapp.ne”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: