RDP Cert Scan with nmap
April 1, 2015 2 Comments
We recently had a red team engagement with a lot of RDP endpoints but not many other endpoints. We had some time pressure, so we looked to see whether nmap had a script for this (we didn’t see one) and wrote a Python script that grabbed the certificate names. The names on RDP certificates are a good way to guess at internal hostnames. Our Python script was also slow.
Anyway, after the engagement I was thinking about writing this up as an NSE script and looked more carefully at the existing nmap scripts. It turns out it’s already there in ssl-cert. I couldn’t find a command line switch to force nmap to run a script on a port, but it’s easy enough to edit the scripts themselves.
If you want port 3389 to be checked for a cert, edit shortport.lua (path on my box is /usr/share/nmap/nseLib/) and add it to the list of likely SSL ports:
local LIKELY_SSL_PORTS = { 443, 465, 587, 636, 989, 990, 992, 993, 994, 995, 5061, 6679, 6697, 8443, 9001, 3389 }
Also, you may want to try to grab certs off any port. In that case you can just return true regardless of port. In [/usr/share/nmap/script/]ssl-cert.nse, change the portrule to:
portrule = function(host, port)
  --return shortport.ssl(host, port) or sslcert.isPortSupported(port)
  return true
end
You can run it like this, and use any of the output formats nmap supports, so it’s simple to parse out.
nmap --script=ssl-cert -Pn -p 57008 combat.cloudapp.net

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-01 13:48 PDT
Nmap scan report for combat.cloudapp.net (104.42.2.122)
Host is up (0.030s latency).
PORT      STATE SERVICE
57008/tcp open  unknown
| ssl-cert: Subject: commonName=combat
| Issuer: commonName=combat
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-01-07T00:43:38+00:00
| Not valid after:  2015-07-08T23:43:38+00:00
| MD5:   c44a 7db5 5b74 ee63 d7bf 324d bc21 47d6
|_SHA-1: b865 1880 79d6 56bd e876 7006 ece0 f1fd a1bf 551e
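The post leaves parsing the output to the reader. As an added example (not the post's own Python script and not part of nmap), here is a small parser for nmap's XML output (-oX) that pulls the subject and issuer commonName, the validity window and the SHA-1 fingerprint out of every ssl-cert result, lists the names the certificates expose (the internal-hostname leak the post describes), and flags self-signed and expired certificates. The XML below is constructed to mirror the post's scan; the second port and its DC01.corp.example / corp-CA names are invented for illustration. The element layout (table keys subject, issuer, validity and a top-level sha1 elem) follows what ssl-cert writes into nmap's XML as far as I know; check the keys against your own nmap version's output if they differ.

```python
"""Pull certificate names out of nmap's XML output for ssl-cert results."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of what `nmap --script=ssl-cert -oX out.xml` writes.
# The first port mirrors the post's scan of combat.cloudapp.net; the second
# is an invented RDP endpoint with a CA-signed cert (not from any real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.47">
  <host>
    <address addr="104.42.2.122" addrtype="ipv4"/>
    <hostnames><hostname name="combat.cloudapp.net" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="57008">
        <state state="open"/>
        <script id="ssl-cert" output="Subject: commonName=combat">
          <table key="subject"><elem key="commonName">combat</elem></table>
          <table key="issuer"><elem key="commonName">combat</elem></table>
          <table key="pubkey"><elem key="type">rsa</elem><elem key="bits">2048</elem></table>
          <table key="validity">
            <elem key="notBefore">2015-01-07T00:43:38+00:00</elem>
            <elem key="notAfter">2015-07-08T23:43:38+00:00</elem>
          </table>
          <elem key="sha1">b865188079d656bde8767006ece0f1fda1bf551e</elem>
        </script>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open"/>
        <script id="ssl-cert" output="Subject: commonName=DC01.corp.example">
          <table key="subject"><elem key="commonName">DC01.corp.example</elem></table>
          <table key="issuer"><elem key="commonName">corp-CA</elem></table>
          <table key="validity">
            <elem key="notBefore">2014-01-01T00:00:00+00:00</elem>
            <elem key="notAfter">2016-01-01T00:00:00+00:00</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def _table_elem(script, table_key, elem_key):
    """Text of <table key=table_key><elem key=elem_key>, or None if absent."""
    node = script.find(f"table[@key='{table_key}']/elem[@key='{elem_key}']")
    if node is None or node.text is None:
        return None
    return node.text.strip()


def _parse_time(value):
    """Parse the ISO-8601 timestamps ssl-cert emits; None if the field is missing."""
    return datetime.fromisoformat(value) if value else None


def parse_ssl_certs(xml_text):
    """Return one record per open port that carries an ssl-cert result."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_node = host.find("address[@addrtype='ipv4']")
        addr = addr_node.get("addr") if addr_node is not None else None
        name_node = host.find("hostnames/hostname")
        target = name_node.get("name") if name_node is not None else addr
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            script = port.find("script[@id='ssl-cert']")
            if script is None:
                continue  # port is open but no certificate was retrieved
            sha1 = script.find("elem[@key='sha1']")
            subject_cn = _table_elem(script, "subject", "commonName")
            issuer_cn = _table_elem(script, "issuer", "commonName")
            records.append({
                "target": target,
                "addr": addr,
                "port": int(port.get("portid")),
                "subject_cn": subject_cn,
                "issuer_cn": issuer_cn,
                # subject == issuer is the usual sign of a self-signed (e.g. default RDP) cert
                "self_signed": subject_cn is not None and subject_cn == issuer_cn,
                "not_before": _parse_time(_table_elem(script, "validity", "notBefore")),
                "not_after": _parse_time(_table_elem(script, "validity", "notAfter")),
                "sha1": sha1.text.strip() if sha1 is not None and sha1.text else None,
            })
    return records


def certificate_names(records):
    """Sorted subject CNs across all certs: the hostnames the certificates give away."""
    return sorted({r["subject_cn"] for r in records if r["subject_cn"]})


def expired_certs(records, now):
    """(target, port) pairs whose cert is past notAfter at `now` (datetime or ISO string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return [(r["target"], r["port"]) for r in records
            if r["not_after"] is not None and r["not_after"] < now]


if __name__ == "__main__":
    certs = parse_ssl_certs(SAMPLE_XML)
    for c in certs:
        flag = "self-signed" if c["self_signed"] else f"issued by {c['issuer_cn']}"
        print(f"{c['target']}:{c['port']}  CN={c['subject_cn']}  ({flag})")
    print("names:", certificate_names(certs))
    print("expired:", expired_certs(certs, datetime.now(timezone.utc)))
```

Feed it a real file with `parse_ssl_certs(open("out.xml").read())`; the same records work for an inventory of self-signed or expired certificates on your own RDP estate, which is the defender's side of the hostname leak the post describes.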
“couldn’t find a command line switch to force nmap to run a script on a port”
Use the +-operator: “nmap --script=+ssl-cert -Pn -p 57008 combat.cloudapp.ne”
very cool – thanks!