Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature

How to Use ssl_issuer_organization Filter Through Asset Search

Among the filters of Asset Search provided by Criminal IP (hereinafter referred to as CIP) is ssl_issuer_organization. Using this filter, you can check which organization issued the SSL/TLS certificate a host presents over HTTPS. When we look at the SSL certificate of criminalip.io below, for example, "Verified by" reads "Sectigo Limited (formerly Comodo CA)", which implies that a Comodo SSL certificate was used.

If you want to find certificates signed by Sectigo, you can search for them on Asset Search as follows. Here, we can see that hundreds of IP addresses are found, since Sectigo is a well-known certificate authority.

ssl_issuer_organization:sectigo

Criminal IP's SSL certificate: "Verified by" is noted as "Sectigo Limited"
Result of searching Criminal IP's Asset Search for IP addresses whose certificates are signed by "sectigo"

How to Use ssl_issuer_organization Filter to Search for “Red Hat Satellite”

Using the same logic, let's search for Red Hat Satellite, a remote management system that distributes, organizes, and maintains systems across physical, virtual, and cloud environments. Satellite is a simple and convenient system, as it provides provisioning, remote management, and monitoring for multiple Red Hat Enterprise Linux distributions from a single centralized tool. However, it is also a system that causes the most serious problems if exposed to the attack surface, because it can be controlled externally. To search for Red Hat Satellite, you can look for certificates whose issuer organization is "Katello".

ssl_issuer_organization:Katello

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)

Here, you can check the SSL certificate presented on HTTPS port 443, with "Katello" shown as the Issuer Organization. If you open a browser and access the corresponding IP address, you will see the Red Hat Satellite remote management login page shown below. If an authentication attack is launched, attackers can penetrate the system and execute remote commands on the managed servers; this is an especially dangerous misconfiguration in terms of attack surface management.

Red Hat Satellite's management system page

In some cases, Foreman (as shown below) appears instead of Red Hat Satellite. Foreman is also an open source application used for provisioning and lifecycle management of physical and virtual systems, and it serves as the front-end used in conjunction with the Red Hat family: Foreman exposed to the attack surface is therefore in the same dangerous state as Red Hat Satellite.
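To make concrete what the ssl_issuer_organization filter (introduced with the Sectigo example above) and the "Katello" search actually match on, here is an added example that is not part of the original post and not Criminal IP's own tooling. The script extracts the O= attribute of a certificate's issuer Name by walking the DER structure with the Python standard library only, flags an issuer organization of "Katello" against a constructed watchlist, and builds its own constructed skeleton certificate as sample input. The hostnames, the watchlist, the DER helpers and the skeleton certificate are all assumptions for the example; none of it is a real certificate or a real host.

```python
"""Extract the issuer organization (O=) from an X.509 certificate, the attribute
ssl_issuer_organization indexes, and flag management-system CAs such as Katello.
Standard library only: a minimal DER walker replaces an X.509 library (assumption)."""
import ssl

OID_ORG = "2.5.4.10"                        # id-at-organizationName
OID_CN = "2.5.4.3"                          # id-at-commonName
OID_SHA256_RSA = "1.2.840.113549.1.1.11"   # only used by the sample builder

# Constructed watchlist (assumption): "Katello" is the default CA name of Red Hat
# Satellite / Foreman installs, as the post above describes.
MANAGEMENT_CA_ORGS = {"katello": "Red Hat Satellite / Foreman (Katello CA)"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value

def _decode_oid(raw):
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                    # base-128, high bit = continuation
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def issuer_attributes(cert_der):
    """Map issuer OIDs -> list of string values, walking the DER structure."""
    _, cert, _ = _read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer = fields[2][1]                   # serialNumber, signature, issuer, ...
    attrs = {}
    for _, rdn in _children(issuer):        # RelativeDistinguishedName SET
        for _, atv in _children(rdn):       # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = list(_children(atv))
            attrs.setdefault(_decode_oid(oid), []).append(value.decode("utf-8", "replace"))
    return attrs

def issuer_organization(cert_der):
    return issuer_attributes(cert_der).get(OID_ORG, [""])[0]

def classify_issuer(cert_der):
    """Return (issuer O=, watchlist label or None) for one DER certificate."""
    org = issuer_organization(cert_der)
    return org, MANAGEMENT_CA_ORGS.get(org.lower())

def classify_pem(pem_text):
    """Same check for a PEM certificate saved from one of your own hosts."""
    return classify_issuer(ssl.PEM_cert_to_DER_cert(pem_text))

# --- DER encoding, used only to build a constructed sample certificate --------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def _name(attrs):
    """Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue), UTF8String values."""
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _encode_oid(oid) + _der(0x0C, text.encode())))
        for oid, text in attrs))

def build_sample_cert(issuer_org, host):
    """Constructed, unsigned skeleton (test data only): real field order, dummy
    validity, key and signature; enough for the issuer walk above."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                         # [0] version v3
        _der(0x02, b"\x01"),                                     # serialNumber
        _der(0x30, _encode_oid(OID_SHA256_RSA)),                 # signature alg
        _name([(OID_ORG, issuer_org), (OID_CN, host + " CA")]),  # issuer
        _der(0x30, b""),                                         # validity (dummy)
        _name([(OID_ORG, issuer_org), (OID_CN, host)]),          # subject
        _der(0x30, b""),                                         # subjectPublicKeyInfo (dummy)
    ]))
    return _der(0x30, tbs + _der(0x30, _encode_oid(OID_SHA256_RSA)) + _der(0x03, b"\x00"))
```

For an inventory check of hosts you administer, the standard library's `ssl.get_server_certificate((host, 443))` returns the presented certificate as PEM text, which can be passed straight to `classify_pem`; a hit on the Katello watchlist means a Satellite or Foreman console is reachable from wherever the check ran and should be moved behind the management network or an authenticating proxy.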

Administrator page of Foreman, a front-end system used with the Red Hat family
Screenshot of the certificate signed by Katello

Reference : ExploitWareLabs


Keep going, thanks!

Quite helpful. I want other search queries or a user guide, thanks

Nice work!