description = [[ Queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts. The Certificate Catalog provides information about how recently and for how long Google has seen the given certificate. If a certificate doesn't appear in the database, despite being correctly signed by a well-known CA and having a matching domain name, it may be suspicious. It uses the certificate gotten from ssl-cert.nse script, so that script must be run as well. ]] --- -- @usage -- nmap -p 443 --script ssl-cert,ssl-google-cert-catalog -- -- @output -- PORT STATE SERVICE ---443/tcp open https ---| ssl-google-cert-catalog: ---| First/Last time saw: 19 Aug 2011 / 10 Sep 2011 ---|_ Days saw between: 20 author = "Vasiliy Kulikov" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = { "safe", "discovery", "external" } dependencies = { "ssl-cert" } require("nmap") require("shortport") require("stdnse") require("dns") local get_cert = function(host, port) if nmap.registry[host.ip] and nmap.registry[host.ip][port] then return nmap.registry[host.ip][port]["ssl-cert"] end end local format_date = function(day_num) return os.date("%d %b %Y", 60 * 60 * 24 * tonumber(day_num)) end portrule = shortport.ssl action = function(host, port) local lines, sha1, query local cert = get_cert(host, port.number) if not cert then return nil end sha1 = stdnse.tohex(cert.digest(cert, "sha1")) query = sha1 .. ".certs.googlednstest.com" stdnse.print_debug("%s %s", SCRIPT_NAME, query) local status, decoded_response = dns.query(query, { dtype = "TXT" }) lines = {} if status then local raw_start, raw_stop, delta = string.match(decoded_response, "(%d+) (%d+) (%d+)") local date_start, date_stop = format_date(raw_start), format_date(raw_stop) table.insert(lines, "First/Last time saw: " .. date_start .. " / " .. date_stop) table.insert(lines, "Days saw between: " .. tonumber(delta)) else table.insert(lines, "No DB entry") end return stdnse.format_output(true, lines) end