Registrants & Certificates

Generate a TLS Certificate

With the CA private key

Verify Client Certificate Requirements:
openssl s_client -connect 10.10.10.131:443
Generate the client's private key:
openssl genrsa -out client.key 4096
Create a certificate signing request (CSR), ensuring the fields match the server's expectations:
openssl req -new -key client.key -out client.req
Sign the CSR with the CA's private key to issue a client certificate:
openssl x509 -req -in client.req -CA lacasadepapel-htb.pem -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer
Convert the private key and certificate into a PKCS#12 (.p12) format file for easy import:
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
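The signing steps above, reproduced end to end against a throwaway CA as an added example (not part of the original notes). The lab.cnf file, its section names, the subjects and the 2048-bit key size are assumptions made for the demo. The section named by -extensions is read from the file passed with -extfile, and a second certificate issued with a serverAuth profile shows that `openssl verify -purpose sslclient` rejects it:

```shell
#!/usr/bin/env bash
# Added example: throwaway lab CA. Every file name, section name and subject is constructed.
set -eu

# Build a lab CA, issue two certificates from one CSR, and print the working directory.
build_lab() {
    dir=$(mktemp -d)
    cat > "$dir/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # Stand-in for the CA key pair and certificate (2048-bit keys keep the demo fast).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/lab.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -config "$dir/lab.cnf" \
        -subj "/CN=constructed-client" -out "$dir/client.req"
    serial=101
    for profile in client server; do
        openssl x509 -req -in "$dir/client.req" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -set_serial "$serial" -days 365 -extfile "$dir/lab.cnf" \
            -extensions "$profile" -outform PEM -out "$dir/$profile.cer" 2>/dev/null
        serial=$((serial + 1))
    done
    echo "$dir"
}

# Succeeds only if the certificate chains to the lab CA and is valid for TLS client auth.
accepted_as_client() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2" >/dev/null 2>&1
}
```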
Enumeration
Use openssl to get the certificate's info:
echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text
Grep for subdomains:
echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS | tr "," "\n" | cut -d: -f2

Create a custom wordlist with the subdomains to fuzz for response codes and gain a general idea of the content:

ffuf -c -w domains -u https://FUZZ
When working with HTTPS, it is good practice to validate the SSL/TLS version and ciphers in use:
openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -showcerts
You can follow up with the -cipher flag to specify the cipher suites you're interested in:
openssl s_client -connect 10.10.10.124:443 -servername 10.10.10.124 -cipher ECDHE-RSA-AES256-GCM-SHA384
Check if the server implements HSTS by looking for its header (Strict-Transport-Security) in the response:
curl -I https://10.10.10.124
Certificate Transparency Logs
You can search certificate logs for the domain name:
https://crt.sh/?q=DOMAIN