From 35e118802be56967719145b86ce8935409fa9c87 Mon Sep 17 00:00:00 2001 From: fyodor Date: Sat, 28 Sep 2013 03:13:07 +0000 Subject: [PATCH] Add some fingerprints of problematic keys reportedly belonging to APT1. Contributed by Mariusz Ziulek. http://seclists.org/nmap-dev/2013/q3/638 --- nselib/data/ssl-fingerprints | 33 ++++++++++++++++++++++++++++++--- scripts/ssl-known-key.nse | 12 +++++++----- 2 files changed, 37 insertions(+), 8 deletions(-) diff --git a/nselib/data/ssl-fingerprints b/nselib/data/ssl-fingerprints index c272c429f..b304d79a9 100644 --- a/nselib/data/ssl-fingerprints +++ b/nselib/data/ssl-fingerprints @@ -1,6 +1,7 @@ -# SHA-1 hashes of SSL certificates that have known private keys. These are from -# Little Black Box 0.1 (http://code.google.com/p/littleblackbox/), which has -# this copyright notice: +# SHA-1 hashes of SSL certificates that have known private keys. Most +# of these are from Little Black Box 0.1 +# (http://code.google.com/p/littleblackbox/), which has this copyright +# notice: # # Copyright (c) 2010 Craig Heffner # @@ -2045,3 +2046,29 @@ FFC5BE611E44997728EEC8B5C21C28B19C87B8C8 FFD51A486C89C80C126A6767FA967D7883570858 FFF1C6FD1DBD58604E5E5C4D444C9072CFCDF8EF FFFEB1B7BEC6D2A261CCA510808A4BAC8DE712EA + +[APT1 - https://www.mandiant.com/blog/md5-sha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diff --git a/scripts/ssl-known-key.nse b/scripts/ssl-known-key.nse index 5507e6ebc..975551223 100644 --- a/scripts/ssl-known-key.nse +++ b/scripts/ssl-known-key.nse 
@@ -12,11 +12,13 @@ description = [[ Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys. -The only database currently checked the LittleBlackBox 0.1 database of -compromised keys from various devices, but any file of fingerprints -will serve just as well. For example, this could be used to find weak -Debian OpenSSL keys using the widely available (but too large to -include with Nmap) list. +The only databases currently checked are the LittleBlackBox 0.1 +database of compromised keys from various devices and some keys +reportedly used by the Chinese state-sponsored hacking division APT1 +(https://www.mandiant.com/blog/md5-sha1/). However, any file of +fingerprints will serve just as well. For example, this could be used +to find weak Debian OpenSSL keys using the widely available (but too +large to include with Nmap) list. ]] ---
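Review bot: in the `@@ -1,6 +1,7 @@` hunk of nselib/data/ssl-fingerprints, the reworded header still says the file holds "SHA-1 hashes of SSL certificates that have known private keys", which no longer describes the entries this patch appends: the script description in the same patch calls them keys "reportedly used by" APT1, not keys whose private halves are public. Suggest widening the header so it matches both kinds of entry, e.g. "SHA-1 hashes of SSL certificates that are known to be problematic. Most have publicly known private keys and come from Little Black Box 0.1 (...); the section at the end lists certificates reportedly used by APT1."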
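Review bot: the `@@ -2045,3 +2046,29 @@` hunk adds a bracketed section marker line (`[APT1 - https://www.mandiant.com/blog/md5-sha...`) to a file that until now contained only `#` comments and 40-character hex fingerprints, yet the diffstat shows the only change to scripts/ssl-known-key.nse is the description edit (+7/-5), so the patch does not show the fingerprint loader being taught to skip `[...]` lines. Either confirm that the existing loader ignores any line that is not a fingerprint and note that in the file header, or prefix the marker with `#` so it is a comment like everything else above it.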
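Review bot: the description hunk should spell out that a hit from the two lists means different things. A LittleBlackBox match is a certificate whose private key is public (remediation: replace the key); an APT1 match is a certificate reportedly associated with that group's infrastructure (remediation: investigate the host). Since the script reports against a single merged database, a one-line note here, e.g. "A match against the APT1 fingerprints indicates a certificate reportedly used by that group, not a key with a known private half", saves the operator from misreading the result. The phrase "Chinese state-sponsored hacking division" is also Mandiant's attribution; tying it to the report ("which Mandiant's report attributes to ...") keeps the description consistent with the "reportedly" already used in the same sentence.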