0x01 Introduction
Censys's certificate search is quite powerful. Before using it, let's go over the basics of certificates so that we know which fields can be used for precise searches.
0x02 The TLS protocol
TLS (Transport Layer Security) is an encrypted communication protocol that protects the security of network communication. It is widely used in web browsers, e-mail, instant messaging and other network applications to ensure the confidentiality, integrity and authenticity of data.
TLS is based on the SSL (Secure Sockets Layer) protocol and is the successor to SSL 3.0. It uses public-key cryptography and digital-certificate validation to secure network communication. Its main goal is to protect data in transit between the two communicating parties: preventing eavesdropping, tampering and forgery, and ensuring that the communication can be trusted.
0x03 Certificates
Certificates are a critical component of TLS, used to verify the identity of the communicating parties and to secure the connection. A TLS certificate is a digital certificate issued by a certificate authority (CA) that attests to the identity of the party presenting it. It contains the issuing CA, information about the certificate holder, the public key, and so on. TLS certificates defend against threats such as man-in-the-middle and impersonation attacks, protecting the information exchanged between the two parties.
Fields contained in a certificate:
- Serial Number: uniquely identifies the certificate.
- Version Number: the version of the certificate format.
- Signature Algorithm: the algorithm used for the digital signature, such as RSA or ECDSA.
- Issuer: the name of the certificate authority.
- Subject: information about the certificate holder, including name, address, country, etc.
- Public Key: the public key used to encrypt data.
- Validity Period: the time the certificate becomes valid and the time it expires.
- Extensions: including Key Usage, Extended Key Usage, Subject Alternative Name, etc.
An example certificate (the modulus and signature bytes are elided):
Version: v1
Serial Number: 14787583368751341194
Signature Algorithm: SHA1-RSA
Issuer:
Country: CN
Province: GD
Locality: SZ
Organization: tencent
Organizational Unit: csig
CommonName: ca.qq.com
Email Address: [email protected]
Validity:
Not Before: 2020-01-08 06:19 UTC
Not After : 2030-01-05 06:19 UTC
Subject:
Country: CN
Province: GD
Locality: SZ
Organization: tencent
Organizational Unit: csig
CommonName: private.qq.com
Email Address: [email protected]
Subject Public Key Info:
Public Key Algorithm: RSA
Public Key:
Exponent: 65537
Public Key Modulus: (2048 bits) :
xx:xx:xx:xx:xx:xx:xx:xx
Certificate Signature Algorithm: SHA1-RSA
Certificate Signature:
xx:xx:xx:xx:xx:xx:xx:xx
0x04 Common certificate search syntax
"parsed.subject.common_name": search for certificates with a specific common name.
"parsed.issuer.organization": search for certificates issued by a specific organization.
"parsed.fingerprint_sha256": search for a certificate with a specific SHA-256 fingerprint.
"parsed.extensions.subject_alt_name.dns_names": search for certificates with a specific DNS name.
"parsed.extensions.basic_constraints.is_ca": search by whether the certificate is a CA certificate.
"parsed.signature.signature_algorithm.name": search for certificates using a specific signature algorithm.
"parsed.subject.organization": search for certificates with a specific subject organization name.
"parsed.subject.locality": search for certificates with a specific city or locality name.
"parsed.subject.country": search for certificates with a specific country code.
"parsed.subject.state": search for certificates with a specific state or province name.
"parsed.validity.start": search for certificates whose validity starts before or after a given date.
"parsed.validity.length": search for certificates whose validity length falls within a given range of days.
"parsed.extensions.key_usage.digital_signature": search for certificates with the digital signature key usage.
"parsed.extensions.key_usage.key_encipherment": search for certificates with the key encipherment key usage.
"parsed.extensions.extended_key_usage": search for certificates with a specific extended key usage.
"tags.raw": search for certificates with a specific tag.
"metadata.validity.end": search for certificates whose validity ends before or after a given date.
"metadata.protocol": search for certificates seen with a specific TLS protocol version.
"metadata.public_key_algorithm": search for certificates using a specific public-key algorithm.
"metadata.serial_number": search for a certificate with a specific serial number.
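As an added example (not from the original article), the Go program below builds a constructed self-signed certificate that reuses the subject, serial and validity values from the dump in 0x03, then maps the parsed X.509 fields onto the Censys parsed.* keys listed in 0x04, so you can see exactly which certificate field each search key is read from. It assumes an ECDSA P-256 key instead of the dump's SHA1-RSA, which should not be used for new certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Extract parses a DER certificate and maps it onto the Censys parsed.* keys,
// showing which certificate field each search key is read from.
func Extract(der []byte) (map[string]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	sum := sha256.Sum256(cert.Raw) // the SHA-256 fingerprint is the hash of the raw DER bytes
	return map[string]string{
		"parsed.subject.common_name":                   cert.Subject.CommonName,
		"parsed.issuer.organization":                   strings.Join(cert.Issuer.Organization, ","),
		"parsed.fingerprint_sha256":                    hex.EncodeToString(sum[:]),
		"parsed.extensions.subject_alt_name.dns_names": strings.Join(cert.DNSNames, ","),
		"parsed.extensions.basic_constraints.is_ca":    fmt.Sprint(cert.IsCA),
		"parsed.signature.signature_algorithm.name":    cert.SignatureAlgorithm.String(),
		"parsed.validity.length":                       fmt.Sprint(int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)), // days
	}, nil
}

// NewSampleCert builds a constructed self-signed leaf reusing the subject, serial and
// validity values from the example dump (that dump is SHA1-RSA; this key is ECDSA P-256).
func NewSampleCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	serial, _ := new(big.Int).SetString("14787583368751341194", 10)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{Country: []string{"CN"}, Organization: []string{"tencent"},
			OrganizationalUnit: []string{"csig"}, CommonName: "private.qq.com"},
		NotBefore:             time.Date(2020, 1, 8, 6, 19, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 5, 6, 19, 0, 0, time.UTC),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              []string{"private.qq.com"},
		BasicConstraintsValid: true, // emits basic_constraints with is_ca=false
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Because the certificate is self-signed, the issuer fields equal the subject fields; against a real chain the issuer organization would be the CA's, which is what "parsed.issuer.organization" queries match on.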
0x05 Security applications
5.1 Cobalt Strike Servers
services.certificate: {
"64257fc0fac31c01a5ccd816c73ea86e639260da1604d04db869bb603c2886e6",
"87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"
}
or services.tls.certificates.leaf_data.issuer.common_name: "Major Cobalt Strike"
or services.tls.certificates.leaf_data.subject.common_name: "Major Cobalt Strike"
5.2 Metasploit Servers
services.http.response.html_title: "Metasploit" and (
services.tls.certificates.leaf_data.subject.organization: "Rapid7"
or services.tls.certificates.leaf_data.subject.common_name: "MetasploitSelfSignedCA"
)
or services.jarm.fingerprint: {
"07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d",
"07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823"
}
5.3 Nessus Scanner Servers
services.http.response.headers.server: "NessusWWW"
or services.tls.certificates.leaf_data.subject.organizational_unit: "Nessus Server"
5.4 NTOP Network Analyzers
services.http.response.html_title: "Welcome to ntopng"
or same_service(
services.http.response.html_title: "Global Traffic Statistics"
and services.http.response.headers.server: "ntop/*"
)
5.5 Merlin C2
services.jarm.fingerprint: "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38"
5.6 Mythic C2
same_service(port: 7443 and tls.certificates.leaf_data.subject.organization: "Mythic")
5.7 Deimos C2
services.jarm.fingerprint: "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64"
5.8 Covenant C2
same_service(
http.response.body: {"Blazor", "covenant.css"}
and tls.certificates.leaf_data.issuer.common_name: "Covenant"
)
5.9 PoshC2
same_service(
services.tls.certificates.leaf_data.subject.common_name="P18055077" and
services.tls.certificates.leaf_data.subject.province="Minnesota" and
services.tls.certificates.leaf_data.subject.locality="Minnetonka" and
services.tls.certificates.leaf_data.subject.organization="Pajfds" and
services.tls.certificates.leaf_data.subject.organizational_unit="Jethpro"
)
5.10 Sliver C2
same_service(
services.tls.certificates.leaf_data.pubkey_bit_size: 2048 and
services.tls.certificates.leaf_data.subject.organization: /(ACME|Partners|Tech|Cloud|Synergy|Test|Debug)? ?(co|llc|inc|corp|ltd)?/ and
services.jarm.fingerprint: 3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 and
services.tls.certificates.leaf_data.subject.country: US and
services.tls.certificates.leaf_data.subject.postal_code: /<1001-9999>/
)
5.11 EvilGinx2
services.jarm.fingerprint: "20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6"
5.12 Brute Ratel C4
services.http.response.body_hash="sha1:1a279f5df4103743b823ec2a6a08436fdf63fe30"
5.13 Empire C2
same_service(
services.http.response.body_hash: {"sha1:bc517bf173440dad15b99a051389fadc366d5df2", "sha1:dcb32e6256459d3660fdc90e4c79e95a921841cc"}
and services.http.response.headers.expires: 0
and services.http.response.headers.cache_control: "*"
)
5.14 Raccoon Stealer V2 (RecordBreaker C2)
services.banner_hashes: "sha256:7987d0c39c4839572ab88c6d82da01395f74e0c31f12d94c58d0e1bed0b0c75c"
5.15 NimPlant C2
services.http.response.headers.Server: "NimPlant C2 Server" or services.http.response.body_hashes: "sha256:636d68bd1bc19d763de95d0a6406f4f77953f9973389857353ac445e2b6fff87"
5.16 RedGuard
services.tls.certificates.leaf_data.subject_dn: "C=CN, L=HangZhou, O=Alibaba (China) Technology Co.\, Ltd., CN=*.aliyun.com"
5.17 AsyncRAT
services.tls.certificates.leaf_data.subject.common_name: "AsyncRAT Server"
5.18 BitRAT
services.tls.certificates.leaf_data.subject.common_name: "BitRAT"
5.19 OrcusRAT
services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}
5.20 QuasarRAT
services.tls.certificates.leaf_data.subject.common_name: {"Anony96", "Quasar Server CA"}
5.21 NanoCore
services.tls.certificates.leaf_data.subject.common_name: "unk"
5.22 DcRat
services.tls.certificates.leaf_data.subject.common_name: "DcRat Server"
5.23 Deimos C2
same_service((services.http.response.html_title="Deimos C2" or services.tls.certificates.leaf_data.subject.organization="Acme Co") and services.port: 8443)
5.24 Posh C2
services.tls.certificates.leaf_data.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"
5.25 IcedID Banking Trojan
services.tls.certificates.leaf_data.subject_dn: "CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
5.26 Gozi Malware
services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=*"
5.27 Malicious file servers with directory listing enabled
same_service(
(services.http.response.html_title:"Index of /" or services.http.response.html_title:"Directory Listing for /")
and services.http.response.body: /.*?(metasploit|cobaltstrike|sliver|covenant|brc4|brute-ratel|commander-runme|bruteratel|ps2exe|(badger|shellcode|sc|beacon|artifact|payload|teamviewer|anydesk|mimikatz|cs).(exe|ps1|vbs|bin|nupkg)).*/
)
5.28 Splunk
services.software.product: "Splunk"
0x06 Industrial control systems
6.1 ICS protocols
services.service_name: {BACNET, CODESYS, EIP, FINS, FOX, IEC60870_5_104, S7, MODBUS}
6.2 Prismview (Samsung Electronics digital billboards)
services.tls.certificates.leaf_data.subject.common_name: "Prismview" or services.http.response.headers.server: "Prismview Player"
6.3 Gas station pump controllers (ATGs)
(same_service(port: 10001 and banner: "IN-TANK INVENTORY") or services.service_name: ATG) and services.truncated: false
# services.truncated: false excludes honeypots
6.4 Electric vehicle chargers
same_service(http.response.headers.server: "gSOAP/2.8" and http.response.headers.content_length: 583)
6.5 Carel PlantVisor
services.http.response.html_title: "CAREL Pl@ntVisor"
6.6 C4 Max vehicle GPS
services.banner: "[1m[35mWelcome on console"
6.7 GaugeTech power meters
services.http.response.headers.server: "EIG Embedded Web Server"
6.8 XZERES wind turbines
services.http.response.html_title: "XZERES Wind"
6.9 Nordex wind turbines
services.http.response.html_title: "Nordex Control" or services.tls.certificates.leaf_data.issuer.domain_component: "NORDEX-AG"
6.10 Saferoads VMS
services.http.response.html_title: "Saferoads VMS"
0x07 IoT devices
7.1 Roombas
services.tls.certificates.leaf_data.issuer.common_name: "Roomba CA"
7.2 Mein Automowers
services.http.response.headers.Www_Authenticate: `Basic realm= "Mein Automower (Robonect Hx+)"`
7.3 WinAQMS environmental monitors
services.banner: "WinAQMS Data Server" and services.truncated: false
7.4 Emerson Site Supervisor
services.http.response.html_title: "Emerson Site Supervisor"
7.5 Brightsign Digital Sign
services.http.response.html_title: "'BrightSign®"
7.6 Elnet power meters
same_service(services.http.response.headers.Server="CAL1.0" and services.http.response.status_code: 200)
7.7 Nethix wireless controllers
services.http.response.headers.set_cookie: "NethixSession"
7.8 Compromised MikroTik routers
services.service_name: MIKROTIK_BW and services.pptp.hostname: "HACKED"
0x08 Dashboards
8.1 cAdvisor
same_service(services.http.response.html_title=`cAdvisor - /` and services.http.response.status_code=200 and services.http.request.uri="*/containers/")
8.2 HashiCorp
same_service(services.http.response.html_title=`Consul by HashiCorp` and services.http.request.uri: "*/ui/")
8.3 Netdata
same_service(services.http.response.headers.Server="Netdata Embedded HTTP*" and services.http.response.html_title="netdata dashboard")
8.4 Rancher
same_service(services.http.response.headers.unknown.name: "X-Rancher-Version" and services.http.response.html_title: "Loading…")
8.5 Traefik
same_service(services.http.request.uri: "*/dashboard/" and services.http.response.html_title: "Traefik")
8.6 Weave
same_service(services.http.response.html_title: "Weave Scope" and services.http.response.body="*WEAVEWORKS_CSRF*")
0x09 Game servers
9.1 Counter-Strike: Global Offensive
same_service(banner: "Counter-Strike: Global Offensive Server" and service_name: VALVE)
0x10 Other services
Directory listing
services.http.response.html_title: "Index of /"
Swagger UI
services.http.response.html_title: "Swagger UI - "
Mongo Express
services.http.response.html_title: "Home - Mongo Express"
shell2http
services.http.response.html_title: "shell2http"
Busybox Shells
same_service(services.banner: "Enter 'help' for a list of built-in commands" and services.service_name: TELNET) and services.truncated: false
Redis unauthenticated access
services.redis.ping_response: "PONG"
Kubernetes
services.kubernetes.pod_names: *
WordPress
services.http.response.body: "The wp-config.php creation script uses this file"
AdGuard
same_service(services.http.response.html_title: "Setup AdGuard Home" and services.http.request.uri="*/install.html")
Prometheus
same_service(services.http.response.html_title: "node exporter" and services.http.response.body: "/metrics")
VictoriaMetrics Agent
services.http.response.body: "<h2>vmagent</h2>"
SonarQube
same_service(http.response.html_title: "SonarQube" and http.response.status_code: 200 and http.response.protocol: "HTTP/1.1")
0x11 Advanced queries
Honeypot hosts
services.truncated: true
Port 53 not running a DNS service
same_service(services.port: 53 and not services.service_name: DNS) and services.truncated: false
Port 22 not running an SSH service
same_service(services.port: 22 and not services.service_name: {SSH} and not services.banner: {"Connection refused", "SSH-", "Exceeded MaxStartups", "Too many users", "Connection closed by server"}) and services.truncated: false
Port 80 or 443 not running an HTTP or HTTPS service
not same_service(services.port: 443 and services.name: UNKNOWN and services.tls.certificates.leaf_data.subject_dn: *) and same_service(services.port: {80, 443} and not services.service_name: {KUBERNETES, ANYCONNECT, OPENVPN, HTTP} and not services.banner: "HTTP/") and services.truncated: false
Disclaimer
Do not use this for any activity that violates national laws and regulations, public order or ethical norms, including but not limited to illegally stealing others' privacy or damaging network security. If readers violate the above, any resulting consequences and losses are unrelated to me, and readers bear the corresponding legal responsibility themselves.
Originally published on the WeChat official account 小宝的安全学习笔记 (Xiaobao's Security Study Notes): SRC信息搜集技巧之Censys (Censys tips for SRC reconnaissance)