├── CheckCert_BOF ├── CheckCertx64.o └── src │ ├── CheckCert.c │ ├── CheckCert.h │ └── beacon.h ├── CheckCert_DotNet ├── CheckCert.sln └── CheckCert │ ├── App.config │ ├── CheckCert.csproj │ ├── Program.cs │ └── Properties │ └── AssemblyInfo.cs └── README.md /CheckCert_BOF/CheckCertx64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xforcered/CheckCert/7099cd85e8500fb8ef9a6538ae4344083e907110/CheckCert_BOF/CheckCertx64.o -------------------------------------------------------------------------------- /CheckCert_BOF/src/CheckCert.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | #include "CheckCert.h" 4 | 5 | //Initiate a web request 6 | void HTTPRequest(LPCWSTR http, INTERNET_PORT port, LPCWSTR referrer, LPCWSTR agent) { 7 | 8 | //Variables 9 | BOOL hResults = FALSE; 10 | HINTERNET hSession = NULL, hConnect = NULL, hRequest = NULL; 11 | FILETIME expiryFt, effectiveDateFt; 12 | SYSTEMTIME expirySt, effectiveSt; 13 | CERT_CONTEXT* pCert = { 0 }; 14 | DWORD dwLen, len; 15 | char* name = NULL; 16 | char* issuer = NULL; 17 | 18 | //winhttp - define pointers 19 | HINSTANCE hinst = LoadLibrary("winhttp.dll"); 20 | WinHttpOpen_t pWinHttpOpen = (WinHttpOpen_t)GetProcAddress(hinst, "WinHttpOpen"); 21 | WinHttpSetTimeouts_t pWinHttpSetTimeouts = (WinHttpSetTimeouts_t)GetProcAddress(hinst, "WinHttpSetTimeouts"); 22 | WinHttpConnect_t pWinHttpConnect = (WinHttpConnect_t)GetProcAddress(hinst, "WinHttpConnect"); 23 | WinHttpOpenRequest_t pWinHttpOpenRequest = (WinHttpOpenRequest_t)GetProcAddress(hinst, "WinHttpOpenRequest"); 24 | WinHttpSendRequest_t pWinHttpSendRequest = (WinHttpSendRequest_t)GetProcAddress(hinst, "WinHttpSendRequest"); 25 | WinHttpQueryOption_t pWinHttpQueryOption = (WinHttpQueryOption_t)GetProcAddress(hinst, "WinHttpQueryOption"); 26 | WinHttpCloseHandle_t pWinHttpCloseHandle = (WinHttpCloseHandle_t)GetProcAddress(hinst, "WinHttpCloseHandle"); 27 | 28 | //crypt32 - define pointers 29 | hinst = LoadLibrary("crypt32.dll"); 30 | CertNameToStrA_t pCertNameToStrA = (CertNameToStrA_t)GetProcAddress(hinst, "CertNameToStrA"); 31 | 32 | //kernel32 - define pointers 33 | hinst = LoadLibrary("Kernel32.dll"); 34 | FileTimeToSystemTime_t pFileTimeToSystemTime = (FileTimeToSystemTime_t)GetProcAddress(hinst, "FileTimeToSystemTime"); 35 | 36 | //Begin HTTP request 37 | //Obtain a session handle 38 | hSession = pWinHttpOpen(agent, WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); 39 | 40 | //Set reasonable timout values 41 | pWinHttpSetTimeouts(hSession, 2000, 2000, 2000, 2000); 42 | 43 | //Specify an HTTP server 44 | if (hSession) 45 | hConnect = pWinHttpConnect(hSession, http, port, 0); 46 | 47 | //Create an request handle 48 | if (hConnect) 49 | //WINHTTP_FLAG_SECURE makes secure connection 50 | hRequest = pWinHttpOpenRequest(hConnect, L"GET", referrer, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE); 51 | else 52 | BeaconPrintf(CALLBACK_OUTPUT,"[!] Failed to create HTTP request handle.\n"); 53 | 54 | //Connect to the server by sending a request 55 | if (hRequest) 56 | hResults = pWinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0); 57 | else 58 | BeaconPrintf(CALLBACK_OUTPUT,"[!] Cannot connect to server.\n"); 59 | 60 | //Obtain the SSL certificate using WINHTTP_OPTION_SERVER_CERT_CONTEXT 61 | if (hResults) 62 | hResults = pWinHttpQueryOption(hRequest, WINHTTP_OPTION_SERVER_CERT_CONTEXT, &pCert, &dwLen); 63 | else 64 | BeaconPrintf(CALLBACK_OUTPUT,"[!] Unable to get SSL certificate.\n"); 65 | 66 | //Begin parsing the SSL certificate context 67 | if (hResults) { 68 | //Parse the SSL certificate context and obtain the CNAME/subject 69 | len = pCertNameToStrA(X509_ASN_ENCODING, &pCert->pCertInfo->Subject, CERT_X500_NAME_STR, NULL, 0); 70 | if (len) { 71 | name = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, len); 72 | if (name) { 73 | pCertNameToStrA(X509_ASN_ENCODING, &pCert->pCertInfo->Subject, CERT_X500_NAME_STR, name, len); 74 | } 75 | } 76 | 77 | //Parse the SSL certificate context and obtain the issuer of the SSL certificate 78 | len = pCertNameToStrA(X509_ASN_ENCODING, &pCert->pCertInfo->Issuer, CERT_X500_NAME_STR, NULL, 0); 79 | if (len) { 80 | issuer = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), 0, len); 81 | if (issuer) { 82 | pCertNameToStrA(X509_ASN_ENCODING, &pCert->pCertInfo->Issuer, CERT_X500_NAME_STR, issuer, len); 83 | } 84 | } 85 | 86 | //Parse the SSL certificate context and obtain the expiry date 87 | expiryFt = pCert->pCertInfo->NotAfter; 88 | 89 | //Parse the SSL certificate context and obtain the issue/effective date 90 | effectiveDateFt = pCert->pCertInfo->NotBefore; 91 | 92 | //Convert date to readable time 93 | pFileTimeToSystemTime(&expiryFt, &expirySt); 94 | pFileTimeToSystemTime(&effectiveDateFt, &effectiveSt); 95 | } 96 | 97 | //Name and issuer will be NULL if unable to obtain a SSL certificate 98 | if (name != NULL) 99 | BeaconPrintf(CALLBACK_OUTPUT,"\nName: %s\nIssuer: %s\nExpiration: %02d/%02d/%d\nEffective Date: %02d/%02d/%d\n", name, issuer, expirySt.wMonth, expirySt.wDay, expirySt.wYear, effectiveSt.wMonth, effectiveSt.wDay, effectiveSt.wYear); 100 | 101 | //Free memory 102 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, name); 103 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, issuer); 104 | 105 | //Close open handles 106 | if (hRequest) pWinHttpCloseHandle(hRequest); 107 | if (hConnect) pWinHttpCloseHandle(hConnect); 108 | if (hSession) pWinHttpCloseHandle(hSession); 109 | } 110 | 111 | //BOF Entry Point 112 | void go(char* args, int length) { 113 | 114 | //Variables 115 | char * target = MSVCRT$strtok(args, ","); 116 | char* url = "/"; //set a default referrer of / as a referrer is required 117 | char* port = "443"; //set a default port of 443 118 | LPCWSTR agent = L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"; 119 | 120 | while (target != NULL) { 121 | 122 | //Converts arg to wide char 123 | size_t convertedChars = 0; 124 | size_t wideSize = MSVCRT$strlen(target) + 1; 125 | 126 | //Convert domain to wide char and store in http variable 127 | wchar_t* http = (wchar_t*) MSVCRT$malloc(wideSize * sizeof(wchar_t)); 128 | MSVCRT$mbstowcs_s(&convertedChars, http, wideSize, target, _TRUNCATE); 129 | 130 | //Convert url to wide char and store in referrer variable 131 | wideSize = MSVCRT$strlen(url) + 1; 132 | wchar_t* referrer = (wchar_t*)MSVCRT$malloc(1 * sizeof(wchar_t)); 133 | MSVCRT$mbstowcs_s(&convertedChars, referrer, wideSize, url, _TRUNCATE); 134 | 135 | BeaconPrintf(CALLBACK_OUTPUT, "\n[+] Getting SSL certificate details for https://%s:%s%s\n", target, port, url); 136 | 137 | //Connect to web application over HTTPS and grab the certificate 138 | HTTPRequest(http, MSVCRT$atoi(port), referrer, agent); 139 | 140 | //Clear current target 141 | target = MSVCRT$strtok(NULL, ","); 142 | } 143 | } -------------------------------------------------------------------------------- /CheckCert_BOF/src/CheckCert.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | //#pragma comment(lib, "winhttp.lib") 7 | //#pragma comment(lib, "crypt32.lib") 8 | 9 | /* 10 | #define MSVCRT$wcscpy_s wcscpy_s 11 | */ 12 | 13 | //MSVCRT 14 | WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T); 15 | WINBASEAPI int __cdecl MSVCRT$strcmp(const char* _Str1, const char* _Str2); 16 | WINBASEAPI SIZE_T WINAPI MSVCRT$strlen(const char* str); 17 | WINBASEAPI errno_t __cdecl MSVCRT$mbstowcs_s(size_t* pReturnValue, wchar_t* wcstr, size_t sizeInWords, const char* mbstr, size_t count); 18 | DECLSPEC_IMPORT int __cdecl MSVCRT$atoi(const char *str); 19 | WINBASEAPI void* WINAPI MSVCRT$strtok(char* str, const char* delim); 20 | 21 | //KERNEL32 22 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 23 | WINBASEAPI void* WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 24 | WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE hHeap, DWORD dwFlags, _Frees_ptr_opt_ LPVOID lpMem); 25 | WINBASEAPI FARPROC WINAPI KERNEL32$GetProcAddress(HMODULE hModule, LPCSTR lpProcName); 26 | 27 | //winhttp.dll 28 | typedef HINTERNET(WINAPI* WinHttpOpen_t)( 29 | IN LPCWSTR pszAgentW, 30 | IN DWORD dwAccessType, 31 | IN LPCWSTR pszProxyW, 32 | IN LPCWSTR pszProxyBypassW, 33 | IN DWORD dwFlags 34 | ); 35 | 36 | typedef BOOL(WINAPI* WinHttpSetTimeouts_t)( 37 | IN HINTERNET hInternet, 38 | IN int nResolveTimeout, 39 | IN int nConnectTimeout, 40 | IN int nSendTimeout, 41 | IN int nReceiveTimeout 42 | ); 43 | 44 | typedef HINTERNET(WINAPI* WinHttpConnect_t)( 45 | IN HINTERNET hSession, 46 | IN LPCWSTR pswzServerName, 47 | IN INTERNET_PORT nServerPort, 48 | IN DWORD dwReserved 49 | ); 50 | 51 | typedef HINTERNET(WINAPI* WinHttpOpenRequest_t)( 52 | IN HINTERNET hConnect, 53 | IN LPCWSTR pwszVerb, 54 | IN LPCWSTR pwszObjectName, 55 | IN LPCWSTR pwszVersion, 56 | IN LPCWSTR pwszReferrer, 57 | IN LPCWSTR* ppwszAcceptTypes, 58 | IN DWORD dwFlags 59 | ); 60 | 61 | typedef BOOL(WINAPI* WinHttpSendRequest_t)( 62 | IN HINTERNET hRequest, 63 | IN LPCWSTR lpszHeaders, 64 | IN DWORD dwHeadersLength, 65 | IN LPVOID lpOptional, 66 | IN DWORD dwOptionalLength, 67 | IN DWORD dwTotalLength, 68 | IN DWORD_PTR dwContext 69 | ); 70 | 71 | typedef BOOL(WINAPI* WinHttpQueryOption_t)( 72 | IN HINTERNET hInternet, 73 | IN DWORD dwOption, 74 | OUT LPVOID lpBuffer, 75 | OUT LPDWORD lpdwBufferLength 76 | ); 77 | 78 | typedef BOOL(WINAPI* WinHttpCloseHandle_t)( 79 | IN HINTERNET hInternet 80 | ); 81 | 82 | //Crypt32.dll 83 | typedef DWORD(WINAPI* CertNameToStrA_t)( 84 | IN DWORD dwCertEncodingType, 85 | IN PCERT_NAME_BLOB pName, 86 | IN DWORD dwStrType, 87 | OUT LPSTR psz, 88 | IN DWORD csz 89 | ); 90 | 91 | //Kernel32.dll 92 | typedef BOOL(WINAPI* FileTimeToSystemTime_t)( 93 | IN const FILETIME* lpFileTime, 94 | OUT LPSYSTEMTIME lpSystemTime 95 | ); -------------------------------------------------------------------------------- /CheckCert_BOF/src/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char* original; /* the original buffer [so we can free it] */ 13 | char* buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap* parser, char* buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap* parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap* parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap* parser); 22 | DECLSPEC_IMPORT char* BeaconDataExtract(datap* parser, int* size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char* original; /* the original buffer [so we can free it] */ 27 | char* buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp* format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp* format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp* format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp* format, char* text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp* format, char* fmt, ...); 37 | DECLSPEC_IMPORT char* BeaconFormatToString(formatp* format, int* size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp* format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char* fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char* data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char* buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char* src, wchar_t* dst, int max); -------------------------------------------------------------------------------- /CheckCert_DotNet/CheckCert.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31829.152 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CheckCert", "CheckCert\CheckCert.csproj", "{7A816E69-D79F-4C04-A3AC-55FD3E1E6758}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Debug|x64.ActiveCfg = Debug|x64 19 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Debug|x64.Build.0 = Debug|x64 20 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Release|x64.ActiveCfg = Release|x64 23 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {568CF4E7-EC4C-4B78-8B12-8A419A520DC3} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /CheckCert_DotNet/CheckCert/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /CheckCert_DotNet/CheckCert/CheckCert.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {7A816E69-D79F-4C04-A3AC-55FD3E1E6758} 8 | Exe 9 | CheckCert 10 | CheckCert 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | bin\x64\Release\ 47 | TRACE 48 | true 49 | pdbonly 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /CheckCert_DotNet/CheckCert/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Net; 3 | using System.Security.Cryptography.X509Certificates; 4 | 5 | namespace CheckCert 6 | { 7 | class Program 8 | { 9 | static void Main(string[] args) 10 | { 11 | if (args.Length < 1) 12 | { 13 | Console.WriteLine("CheckCert.exe https://www.nytimes.com"); 14 | Environment.Exit(0); 15 | } 16 | 17 | string url = args[0]; 18 | 19 | HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); 20 | HttpWebResponse response = null; 21 | X509Certificate2 cert = null; 22 | request.Timeout = 2000; 23 | 24 | try 25 | { 26 | response = (HttpWebResponse)request.GetResponse(); 27 | response.Close(); 28 | 29 | //retrieve the ssl cert and assign it to an X509Certificate object 30 | X509Certificate c = request.ServicePoint.Certificate; 31 | 32 | //convert the X509Certificate to an X509Certificate2 object by passing it into the constructor - https://stackoverflow.com/questions/15270764/get-ssl-certificate-in-net 33 | cert = new X509Certificate2(c); 34 | } 35 | catch 36 | { 37 | Console.WriteLine("[!] Unable to check SSL certificate on: " + url); 38 | Environment.Exit(1); 39 | } 40 | 41 | if (cert != null) 42 | { 43 | Console.WriteLine("[+] Certificate for: " + url + "\n"); 44 | Console.WriteLine("Name: " + cert.Subject); 45 | Console.WriteLine("Issuer: " + cert.Issuer); 46 | Console.WriteLine("Expiration: " + cert.GetExpirationDateString()); 47 | Console.WriteLine("Effective Date: " + cert.GetEffectiveDateString()); 48 | Console.WriteLine("Thumbprint: " + cert.GetCertHashString()); 49 | Console.WriteLine("Serial Number: " + cert.GetSerialNumberString()); 50 | Console.WriteLine("Public Key String: " + cert.GetPublicKeyString()); 51 | } 52 | else 53 | { 54 | Console.WriteLine("[!] Unable to check SSL certificate on: " + url); 55 | } 56 | } 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /CheckCert_DotNet/CheckCert/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("CheckCert")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("CheckCert")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("7a816e69-d79f-4c04-a3ac-55fd3e1e6758")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CheckCert 2 | A small utility to request the SSL certificate from a public or private web application. CheckCert helps operators in the following ways: 3 | 1. It validates whether or not a webserver can be reached. 4 | 2. The `Issuer` field can help determine if SSL/TLS inspection is in place. 5 | 3. Hostnames can be obtained via the `Name` field in cases where IP addresses don't have associated PTR records. 6 | 7 | Both a C# and BOF version of CheckCert are included. The BOF version was created to overcome an operational issue in an environment with tight egress rules. It was possible to establish DNS C2, however, it was difficult to find a suitable domain that was allowed outbound via HTTPS. The CheckCert BOF was created in an effort to minimize the amount of traffic sent via DNS, while providing the ability to request SSL certificates from publicly accessible domains. 8 | 9 | ## C# Usage 10 | You can grab a copy of CheckCert from the [releases](https://github.com/skahwah/CheckCert/releases) page. Alternatively, feel free to compile the solution yourself. 11 | 12 | ``` 13 | CheckCert.exe https://nytimes.com 14 | [+] Certificate for: https://nytimes.com 15 | 16 | Name: CN=nytimes.com 17 | Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB 18 | Expiration: 4/5/2022 8:00:00 PM 19 | Effective Date: 1/2/2020 7:00:00 PM 20 | Thumbprint: CB29785052F1B91E530CBE546C11DFE62994D76E 21 | Serial Number: 00B947803967139F666A54B56C27B852B5 22 | Public Key String: 3082010A0282010100DAF21805C1248D18F129104486B7882B99DBC30948B3691A7383075DEBA1FD054173E0FDB31432BAE4924F311CA2D1312541A85C08F8B0D0FAF7F35454C1E0D3C1ADC679E274A39124A5A4BCA93B7DB3D4E682591D6CA363A26D350CD06951089BD249148A33DD46174B0112B42786E312A878D5A8EC6B181A2DEFC4384558597081D596B2711CB9728ED423FED2FDD4DF315BE3F278C37A36CBE7BB4788447FD54EC5598D446CFA17EDA8D4C18FE5067B9263FCF0FD768BFE24D59BDFA89719E53F26937E1D526F9A71938D7F099BFE85077AA278F5B98F1E4081FB47E22313E0D588956A058DDA7AF7DED0B68F0F1DE662D594D31CED164C94B16C7D0D34A70203010001 23 | ``` 24 | 25 | ## BOF Usage 26 | The BOF can take a comma-separated list of domains. Several assumptions have been made, which can easily be changed by editing the source file and recompiling: 27 | 1. The connect port has been set to 443. 28 | 2. The HTTP referrer has been set to `/`. 29 | 3. The `User-Agent` string has been has been set to `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36`. 30 | 31 | You can grab a copy of the CheckCert BOF [here](https://github.com/skahwah/CheckCert/blob/main/CheckCert_BOF/CheckCertx64.o). Alternatively, feel free to compile yourself using either the x86 or x64 Developer Command Prompt for VS: 32 | `cl.exe /c /GS- CheckCert.c /FoCheckCertx64.o` 33 | 34 | ``` 35 | inline-execute C:\Users\skawa\Desktop\CheckCertx64.o www.ft.com,www.cnn.com 36 | [*] Tasked beacon to inline-execute C:\Users\skawa\Desktop\CheckCertx64.o 37 | [+] host called home, sent: 3704 bytes 38 | [+] received output: 39 | 40 | [+] Getting SSL certificate details for https://www.ft.com:443/ 41 | 42 | [+] received output: 43 | 44 | Name: CN=*.ft.com 45 | Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020 46 | Expiration: 06/28/2022 47 | Effective Date: 05/27/2021 48 | 49 | [+] received output: 50 | 51 | [+] Getting SSL certificate details for https://www.cnn.com:443/ 52 | 53 | [+] received output: 54 | 55 | Name: CN=*.api.cnn.com 56 | Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020 57 | Expiration: 05/22/2022 58 | Effective Date: 04/20/2021 59 | ``` 60 | 61 | ## Credits / References 62 | - Having been a [PoshC2](https://github.com/nettitude/PoshC2) user for many years, a module I frequently used was [SSLInspectionCheck](https://github.com/nettitude/PoshC2/blob/master/resources/modules/SSLInspectionCheck.ps1). 63 | - [@anthemtotheego](https://twitter.com/anthemtotheego) and [@0xBoku](https://twitter.com/0xBoku) spent many hours answering the pedestrian questions I had about C and BOF development. Thank you both. 64 | --------------------------------------------------------------------------------