
SecurityTrails Blog · Sep 12 · SecurityTrails team

How to extract SSL data from any website


With the rise of SSL certificates, markets and tools, new threats have also emerged from the Internet. Today, talking about SSL certificates and SSL encryption has become somewhat normal among web designers, web developers and even simple IT users from other digital markets.

Having an SSL is a must for all types of projects, especially those dependent on having an online website, such as portals and ecommerce stores. Here at SecurityTrails we’ve been discussing SSL security a lot, as well as trends regarding new network threats caused by stale DNS records and free SSL certificates.

With this background in mind, it makes sense to get familiar with the SSL domain tools that help us understand how SSL works, the data behind SSL certificates, and how this information can be used in a wide range of markets and businesses.

Today we’re going to show you how to extract SSL data from any website, using both command line and web-based tools. Let’s begin by analyzing the reasons why this is needed.

Why would anyone need to grab SSL information from a website?

  • Intel reconnaissance: This process is used in infosec and cybersecurity investigations by security researchers and penetration testers, who gather as much data as possible about their targets as part of common OSINT tasks.
  • Attack surface analysis: As part of common attack surface reduction measures, getting critical information about your SSL infrastructure is essential when you need to reduce your attack surface. This process is often used by blue teams when looking for ways to harden their exposed digital areas.
  • SSL expiration monitoring: One of the biggest problems people face after SSL adoption is that, in the same manner as domain names, SSL certificates have an expiration date too. It’s never a surprise to browse a popular website and find that their digital certificate has expired, leading to a non-functional website, and even worse, leaving the information tunnel between browser and server unencrypted.

Now that you know the importance of SSL data extraction, let’s look at the tools you’ll need to reach your goal.

Extracting SSL data using command-based tools

For those who love the terminal as much as we do, there’s always magic in the air when we come face-to-face with a Linux/Unix console. You can do practically anything from that terrific interface, and that also includes playing with SSL certificates.

Let’s explore the best commands for extracting SSL data from your own local certificate file, your website, or from a third-party website.

First things first, let’s assume you don’t want to inspect a remote server, but instead, you just want to read your local .crt certificate file. For this, you should simply use the OpenSSL utility, as shown here:

openssl x509 -text -noout -in securitytrails.crt

This will show you the SSL certificate details, including common name, issuer, expiration dates, etc.

That’s only for local certificates. But what happens if you want to inspect a remote SSL-based website? That’s where the fun begins—here are your options.

Curl

One of the oldest and most classic Unix tools available for retrieving information from any website is the curl command¹, which can also be used to extract data from any SSL certificate. In this case, there are a few ways to use it:

curl -vvI https://securitytrails.com

This will show you some basic SSL certificate details such as ALPN/HTTP2 support, TLS handshake, server certificate data, issuer, and more, as you can see in the output:

[research@securitytrails.com ~]$ curl -vvI https://securitytrails.com
* Trying 151.139.243.5:443...
* TCP_NODELAY set
* Connected to securitytrails.com (151.139.243.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.securitytrails.com
* start date: Jan 8 00:00:00 2018 GMT
* expire date: Jan 7 23:59:59 2021 GMT
* subjectAltName: host "securitytrails.com" matched cert's "securitytrails.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cbbc1a8940)
> HEAD / HTTP/2
> Host: securitytrails.com
> User-Agent: curl/7.65.3

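Here’s another curl syntax, this time piped through the almighty AWK programming language so that only curl’s informational lines from “SSL connection” onward are printed. The --insecure flag turns off certificate verification, so the details are shown even when the certificate is expired or self-signed: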

curl --insecure -v https://securitytrails.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Expected output:

[research@securitytrails.com ~]$ curl --insecure -v https://securitytrails.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.securitytrails.com
* start date: Jan 8 00:00:00 2018 GMT
* expire date: Jan 7 23:59:59 2021 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cd030a4940)
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* Connection #0 to host securitytrails.com left intact

Keytool

Keytool² is another excellent tool used to analyze and extract data from a remote SSL certificate. Just make sure you have Java 7 or higher installed, otherwise it may not work as expected.

The syntax of this tool is super simple:

keytool -printcert -sslserver securitytrails.com:443

Sample output:

Keytool sample output

As you can see, the keytool command was able to read the remote SSL certificate successfully and display the information on the screen, including a nerdy full verbose result.

OpenSSL

OpenSSL is an SSL hacker’s best friend. It’s a powerful command created to interact with everything that involves SSL certificates, from generation to reading keys and certificate files.

In this case, we can use the following syntax:

echo | openssl s_client -showcerts -servername securitytrails.com -connect securitytrails.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

Sample output:

[research@securitytrails.com ~]$ echo | openssl s_client -showcerts -servername securitytrails.com -connect securitytrails.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7e:0b:3e:52:94:f4:d9:e4:eb:a2:aa:28:9c:8a:f6:74
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Jan 8 00:00:00 2018 GMT
Not After : Jan 7 23:59:59 2021 GMT
Subject: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.securitytrails.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)

This works if the server uses SNI (multiple certificates sharing one IP address), as the -servername argument sends the hostname needed to get the correct SSL certificate.

If you aren’t using SNI, then you can use this without the -servername argument:

openssl s_client -showcerts -connect securitytrails.com:443 </dev/null
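
For the expiration-monitoring use case mentioned earlier, the openssl x509 step can be made scriptable with its -checkend option. This is an added example, not code from the original article; the example.test certificate, file names and thresholds are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: certificate expiry check built on "openssl x509 -checkend".
# The CN, file names and thresholds are constructed for the demo.

# make_sample_cert DIR DAYS: throwaway self-signed cert valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# cert_field FILE FLAG: print one field (e.g. -enddate, -subject, -issuer)
# with the "name=" prefix stripped.
cert_field() {
    openssl x509 -noout "$2" -in "$1" | sed 's/^[^=]*=//'
}

# cert_status FILE WARN_DAYS: print UNREADABLE, EXPIRED, EXPIRING or OK.
# -checkend exits non-zero both for "expires within N seconds" and for
# "could not load a certificate", so the parse check has to come first.
cert_status() {
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# To check a live host, save its leaf certificate first with the s_client
# pipeline from the article, then point cert_status at the file:
#   echo | openssl s_client -servername HOST -connect HOST:443 2>/dev/null \
#       | openssl x509 -outform pem > host.crt

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir" 10
    : > "$dir/empty.crt"   # what a failed s_client fetch leaves behind
    echo "notAfter:         $(cert_field "$dir/sample.crt" -enddate)"
    echo "warn at 5 days:   $(cert_status "$dir/sample.crt" 5)"
    echo "warn at 30 days:  $(cert_status "$dir/sample.crt" 30)"
    echo "empty file:       $(cert_status "$dir/empty.crt" 30)"
    rm -rf "$dir"
}
demo
```

Without the UNREADABLE branch, a failed fetch would be reported as an expired certificate, since both cases make -checkend exit non-zero.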

Nmap

Yes, Nmap again—we love it and can’t live without it! As you may have gathered, Nmap is not only one of the best port scanners around, it can also be used to grab valuable data from any SSL certificate.

The syntax for SSL data extraction is pretty simple:

nmap -p 443 --script ssl-cert securitytrails.com

Expected output:

[research@securitytrails.com ~]$ nmap -p 443 --script ssl-cert securitytrails.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-10 13:34 -03
Nmap scan report for securitytrails.com (151.139.243.5)
Host is up (0.049s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=*.securitytrails.com
| Subject Alternative Name: DNS:*.securitytrails.com, DNS:securitytrails.com
| Issuer: commonName=COMODO RSA Domain Validation Secure Server CA/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-01-08T00:00:00
| Not valid after: 2021-01-07T23:59:59
| MD5: 9b0d 0197 5f64 a9bd 7e1b 59bc e868 6eb5
|_SHA-1: a806 5c55 de8c cc1f bbc7 e274 7c8f 13a2 58bb e1e4
Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds
[research@securitytrails.com ~]$

The previous nmap command will perform a port scan against port 443, but won’t print any port information on the output; instead, it will only show the SSL certificate details by using the --script ssl-cert script³.

Adding the -v parameter at the end will print even more information such as NSE scan progress, DNS resolution, the current certificate, etc., as you see below:

[research@securitytrails.com ~]$ nmap -p 443 --script ssl-cert securitytrails.com -v
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-10 13:42 -03
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:42
Completed NSE at 13:42, 0.00s elapsed
Initiating Ping Scan at 13:42
Scanning securitytrails.com (151.139.243.5) [2 ports]
Completed Ping Scan at 13:42, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:42
Completed Parallel DNS resolution of 1 host. at 13:42, 0.34s elapsed
Initiating Connect Scan at 13:42
Scanning securitytrails.com (151.139.243.5) [1 port]
Discovered open port 443/tcp on 151.139.243.5
Completed Connect Scan at 13:42, 0.08s elapsed (1 total ports)
NSE: Script scanning 151.139.243.5.
Initiating NSE at 13:42
Completed NSE at 13:42, 0.22s elapsed
Nmap scan report for securitytrails.com (151.139.243.5)
Host is up (0.061s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=*.securitytrails.com/organizationalUnitName=PositiveSSL Wildcard
| Subject Alternative Name: DNS:*.securitytrails.com, DNS:securitytrails.com
| Issuer: commonName=COMODO RSA Domain Validation Secure Server CA/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB/localityName=Salford
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-01-08T00:00:00
| Not valid after: 2021-01-07T23:59:59
| MD5: 9b0d 0197 5f64 a9bd 7e1b 59bc e868 6eb5
| SHA-1: a806 5c55 de8c cc1f bbc7 e274 7c8f 13a2 58bb e1e4
| -----BEGIN CERTIFICATE-----
| MIIFYzCCBEugAwIBAgIQfgs+UpT02eTroqoonIr2dDANBgkqhkiG9w0BAQsFADCB
| kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
| A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
| BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
| QTAeFw0xODAxMDgwMDAwMDBaFw0yMTAxMDcyMzU5NTlaMGExITAfBgNVBAsTGERv
| bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
| ZGNhcmQxHTAbBgNVBAMMFCouc2VjdXJpdHl0cmFpbHMuY29tMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvN+w/el4/jPbLdFQ/yh9OW7tOr+Zl3EUffj
| geQ4snclVT5OXWmef7WO/MEy09XGJ2E1HHVk/dG79EWIDR5GPxSpP1T5tEC2lLn+
| r2qt8DnQphh3JW7LxHUEQAYwfAOWyA6Q37QZHYpP3AHXA/JJF41YvYOn4QwwxzaQ
| 3E9tQo++9FFpeufAfFq9CQBdBjg+d+nbVurXA6QLvycP4K/QEIMm3UiHQ58tGv6a
| M6DM6v2JcBtqxERuoZo6hG86NrGwG0PYjLvUPy205I0nB+erNnDtHVasaVA4qAgF
| m0zgvn2wHkD3RlGmF9B267h2BSHjrMJwE8XVp6ynZFyfuIhwVwIDAQABo4IB5TCC
| AeEwHwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFGO5
| x48/2W26ePVabCRAjYfChLEJMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAA
| MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
| AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
| b20vQ1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNv
| bW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVy
| Q0EuY3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQu
| Y29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2
| ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAz
| BgNVHREELDAqghQqLnNlY3VyaXR5dHJhaWxzLmNvbYISc2VjdXJpdHl0cmFpbHMu
| Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQB1F4/RRfFpZkDOUs4bEvUgHW4RAjNUTP/g
| TWF+XXWzY+pMf5VqZzvhQSTvMgmt7ZXLdqp/eiHmAlkbKEkERFYaypkQh7YoztYm
| zx7aty4xwMnaxvpA+qb57VGWynb5vs1KT03CZz54pbGAJ5m89SlvB7a4qsBbmJlA
| zOomGNoXcUp1t+kHigMx5RC1+LcjsyASIQXOEdRG5l/idTiAIuYcMShuNDyjkP0t
| NxX4NxnTXVbuDVFUBvFPsGEZdFkogGJzpShVpmWfeVflN6eLIZfLwOK8iZLVsFzl
| JjcrsUA6Al+ZaUVEbmUVmAi4H2AcT+3F5d1sDDAGrm9whbl0HwMt
|_-----END CERTIFICATE-----
NSE: Script Post-scanning.
Initiating NSE at 13:42
Completed NSE at 13:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds

While there are a few other command-line-based tools that may help to retrieve SSL information, these are the most common and traditional ones.
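
When the ssl-cert script is run across many hosts, its output can be reduced to an inventory sorted by expiry date, which also shows where one certificate is served by several hosts. This is an added example, not code from the original article; the hosts, addresses, dates and fingerprints are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory built from "nmap --script ssl-cert" output.
# Hosts, addresses, dates and fingerprints below are constructed sample data.
sample_scan() {
cat <<'EOF'
Nmap scan report for www.example.test (192.0.2.10)
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=*.example.test/organizationalUnitName=Constructed
| Subject Alternative Name: DNS:*.example.test, DNS:example.test
| Not valid after:  2027-01-07T23:59:59
|_SHA-1: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
Nmap scan report for mail.example.test (192.0.2.11)
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=mail.example.test
| Subject Alternative Name: DNS:mail.example.test
| Not valid after:  2025-03-01T12:00:00
|_SHA-1: bbbb bbbb bbbb bbbb bbbb bbbb bbbb bbbb bbbb bbbb
Nmap scan report for api.example.test (192.0.2.12)
PORT    STATE SERVICE
8443/tcp open  https-alt
| ssl-cert: Subject: commonName=*.example.test/organizationalUnitName=Constructed
| Subject Alternative Name: DNS:*.example.test, DNS:example.test
| Not valid after:  2027-01-07T23:59:59
|_SHA-1: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
EOF
}
# Reads nmap output on stdin; prints one tab-separated row per certificate:
# not_after, host, port, CN, SANs, SHA-1. Rows come out earliest expiry first.
nmap_cert_inventory() {
    awk '
    function flush() {
        if (cn != "")
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", notafter, host, port, cn, sans, sha1
        cn = sans = notafter = sha1 = ""
    }
    /^Nmap scan report for / { flush(); host = $5; port = "" }
    /^[0-9]+\/(tcp|udp)/     { flush(); port = $1 }
    /ssl-cert: Subject:/ {
        cn = "(no CN)"       # a subject may carry no commonName at all
        if (match($0, "commonName=[^/]*")) cn = substr($0, RSTART + 11, RLENGTH - 11)
    }
    /Subject Alternative Name:/ {
        sans = $0; sub(/.*Subject Alternative Name: */, "", sans)
        gsub(/DNS:/, "", sans); gsub(/, */, ",", sans)
    }
    /Not valid after:/ { notafter = $NF }
    /SHA-1:/ { sha1 = $0; sub(/.*SHA-1: */, "", sha1); gsub(/ /, "", sha1) }
    END { flush() }
    ' | LC_ALL=C sort
}

# Reads inventory rows; prints each fingerprint served by more than one host.
shared_certs() {
    awk -F '\t' '
    { n[$6]++; hosts[$6] = hosts[$6] (n[$6] > 1 ? "," : "") $2 }
    END { for (f in n) if (n[f] > 1) print f "\t" hosts[f] }
    ' | LC_ALL=C sort
}

sample_scan | nmap_cert_inventory
sample_scan | nmap_cert_inventory | shared_certs
```

Against a real scan, replace sample_scan with the saved nmap output, for example `nmap_cert_inventory < scan.txt`, where scan.txt is a hypothetical file name.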

Web-based tools for extracting SSL information

SSL web-based tools are a good alternative for IT users who aren’t close to a terminal. These tools can help you extract and analyze SSL information within seconds, and don’t require any knowledge of Linux/Unix commands.

For this reason, these types of tools are useful for all kinds of digital users, including graphic designers, marketing analysts, IT experts like penetration testers, and ethical hacking researchers.

Web browser SSL information

One of the most traditional ways to extract SSL data from a certificate is by using your web browser. In this case we performed the test with Google Chrome and as expected, it was kind enough to give us the right information about our SSL certificate.

Follow these steps:

  1. Click the “Secure” padlock in the URL address bar.
  2. Click the “Certificate” link at the bottom.
  3. Click the “Details” tab.

Web browser SSL information

As shown above, details such as common name, organization, validity period (creation and expiry date) and fingerprints were displayed without a problem. If you require more details, you can click the “Details” tab on the right.

Web browser SSL information details

That’s how you can fetch SSL data without commands if you’re using Google Chrome. If you’re working with Mozilla Firefox however, you should follow these steps:

  • Open any HTTPS-based web page
  • Click on the grey/green padlock at the URL bar
  • Click on the arrow at the right
  • Click on “More Information” to view basic SSL information
  • Then click on the “View Certificate” button to grab the full SSL details

Mozilla Firefox SSL

Mozilla Firefox SSL details

These methods from the two most popular browsers will work; however, they require you to click a lot and jump across different windows to get all the details you need. Without creating screenshots, using them can be unwieldy.

Qualys SSL Test

This analysis wouldn’t be complete if we didn’t include one of the most popular SSL analysis tools around: the Qualys SSL Test.

This tool offers a deep analysis of your SSL certificate and SSL server configuration variables at your backend hosting infrastructure.

Once you’ve launched the test, it will show you a few details such as the IPv4 and IPv6 addresses score, as shown in this screenshot:

Qualys SSL Test

Server key and certificate information include many details such as validity period, expiration date, common name, etc.

You’ll also find additional certificates (if supplied), SSL server configuration analysis, supported protocols (TLS 1.0 to 1.3, and the old SSL 2 and SSL 3), current cipher suite configuration, HTTP requests, full header information and a handshake simulation to see which operating systems can or cannot load the SSL certificate successfully, as well as most protocol details:

Qualys SSL Test protocol details

This is indeed one of the most complete tools available for analyzing an SSL certificate, but its usefulness can be limited: it doesn’t focus on massive SSL intel information but rather mostly on server-side configuration stuff.

SurfaceBrowser SSL Analyzer

Here at SecurityTrails we’ve developed SurfaceBrowser™ as an all-in-one enterprise-grade solution for all who need to reduce their attack surface area, as well as those who need to investigate any surface IT assets from any remote company in the world. That includes IP addresses, domain names, DNS zones and their records, open ports and of course, SSL certificates.

Let’s see how SurfaceBrowser™ can be used to extract critical information about the SSL certificates from any company:

  • Log in to the SurfaceBrowser interface by going to: https://securitytrails.com/app/sb
  • Enter the domain name you want to analyze
  • Click on “Certificates” in the left menu
  • SSL data will be displayed in front of you

SurfaceBrowser™ offers unique SSL intelligence data for any organization anywhere, including private and public government agencies.

As you can see in our nasa.gov example, we were able to grab detailed SSL information that can be sorted using options such as summary by company, summary by creation and expiration year, and validity:

SurfaceBrowser SSL Analyzer

Results are displayed directly below that first interface, showing company-registered names, all domains using the SSL certificate, SSL issuer, and created and expired certificates:

SurfaceBrowser SSL Analyzer certificates

In the previous screenshot, we only showed information for the top 8 NASA SSL certificates; however, our SSL scanner was able to find up to 2,875 results.

This analysis yields interesting details, including the fact that NASA uses different company names for all their SSLs, as seen by clicking on the “Company” label:

  • NASA Jet Propulsion Laboratory
  • U.S. Government
  • NASA
  • National Aeronautics and Space Administration
  • NASA (National Aeronautics and Space Administration)
  • NASA Ames Research Center
  • Langley Research Center
  • NASA Goddard Space Flight Center
  • NASA Langley Research Center
  • NASA Johnson Space Center

Another thing we noticed is that for the SSL-issuing process, nasa.gov relies on these companies the most: CloudFlare Inc., Entrust Inc., DigiCert Inc., Amazon, GoDaddy Inc., Comodo CA Limited, and the US Government.

One more curious detail can be found by sorting the information by using the “Expiration Year” and “Validity” labels:

SurfaceBrowser SSL Analyzer validity

From this option, we found that NASA’s SSL certificates expiring soon include 1817 certificates for 2019, 2078 for 2020, and 287 for 2021.

From a blue team perspective, keeping this in mind represents a good opportunity to avoid any unexpected SSL expirations that may lead to exposing unencrypted web interfaces.

On the other hand, summarizing SSL certificates by validity lets you find active SSLs and explore expired (most of the time also unknown) certificates, which can expose critical intel data about the domain you’re investigating. Ultimately, this can lead to your finding vulnerable digital assets.


Today you learned how to analyze SSL certificates and extract valuable data from them by using old-school command line tools as well as modern SSL web-based utilities like SurfaceBrowser™.

SSL certificates were never thought of as a one-time solution to install and forget. They require maintenance and monitoring to prevent unexpected expiration. And from the infosec side, SSLs offer large amounts of data to analyze and use in any cyber security investigation from both blue and red teams.

If SSL certificates are as important for you as they are for us, don’t delay: start auditing your certificates with SurfaceBrowser™, and reduce your attack surface area by exploring your own data before the bad guys do.

It’s our enterprise-grade solution, waiting to boost your SSL certificate data extraction in mere seconds. Book a demo with our Sales team today to test SurfaceBrowser™!

¹ https://es.wikipedia.org/wiki/CURL
² https://docs.oracle.com/cd/E37670_01/E36387/html/ol_keytool_sec.html
³ https://nmap.org/nsedoc/scripts/ssl-cert.html
https://support.google.com/chrome/answer/95617?hl=en