Skip to main content

Overview

scan4all performs intelligent SSL/TLS certificate analysis to extract valuable reconnaissance information. It automatically parses certificates, discovers related domains, and correlates this data to expand scanning targets.

Automatic SSL Analysis

Enable/Disable

SSL analysis is controlled by the ParseSSl configuration: 
# Enable SSL parsing (default)
ParseSSl=true ./scan4all -host example.com

# Disable deep SSL analysis
ParseSSl=false ./scan4all -host example.com
In config/config.json: 
{
  "ParseSSl": true,
  "EnableSubfinder": false
}
Disabling ParseSSl stops automatic subdomain discovery from SSL certificates. Use this when scanning specific URLs without reconnaissance needs.

Certificate Information Extraction

DNS Names (SAN Entries)

The primary intelligence gathered from SSL certificates: 
func GetSSLDNS(host string) ([]string, error) {
    conf := &tls.Config{
        InsecureSkipVerify: true,
    }
    conn, err := tls.Dial("tcp", host+":443", conf)
    if err != nil {
        return nil, err
    }
    defer conn.Close()
    
    certs := conn.ConnectionState().PeerCertificates
    var dnsNames []string
    
    for _, cert := range certs {
        for _, name := range cert.DNSNames {
            dnsNames = append(dnsNames, name)
        }
    }
    
    return dnsNames, nil
}

Extracted Fields

scan4all can extract extensive certificate information:
  • DNS Names: Subject Alternative Names (SAN)
  • IP Addresses: Certificate-bound IP addresses
  • Email Addresses: Contact information
  • Subject: Primary domain/organization
  • Issuer: Certificate authority
  • Serial Number: Unique certificate identifier
  • Validity Period: NotBefore and NotAfter dates
  • Permitted DNS Domains: Allowed domains
  • Excluded DNS Domains: Restricted domains
  • URI Domains: Associated URIs
  • OCSP Server: Revocation check endpoints

Smart SSL Intelligence

Wildcard Domain Detection

Automatic handling of wildcard certificates: 
if "*." == domain[:2] {
    // Wildcard detected: *.example.com
    if EnableSubfinder {
        // Enumerate subdomains
        subdomains := doSub(domain)
    } else {
        // Use base domain
        baseDomain := domain[2:] // example.com
    }
}

Intelligent Processing

When a wildcard domain (*.example.com) is found:
  1. Extracts base domain (example.com)
  2. Triggers subfinder enumeration if enabled
  3. Adds discovered subdomains to scan queue
  4. Automatically scans all related domains

Multi-Domain Certificates

Many organizations use single certificates for multiple domains: 
Certificate:
  Subject: example.com
  SAN:
    - example.com
    - www.example.com
    - api.example.com
    - *.cdn.example.com
    - staging.example.com
All domains are automatically extracted and scanned.

Workflow Integration

Automatic Target Expansion

Example: Target Expansion

# Initial scan of single target
./scan4all -host example.com

# SSL analysis discovers:
# - www.example.com
# - api.example.com
# - *.cdn.example.com

# Automatic enumeration of *.cdn.example.com:
# - cdn1.cdn.example.com
# - cdn2.cdn.example.com
# - static.cdn.example.com

# All discovered domains automatically scanned

Configuration

TLS Configuration

scan4all uses permissive TLS settings for maximum compatibility: 
conf := &tls.Config{
    InsecureSkipVerify: true, // Accept self-signed certificates
}
This allows scanning:
  • Self-signed certificates
  • Expired certificates
  • Invalid certificate chains
  • Development/staging environments

Port Handling

host := target + ":443"
if strings.Contains(target, ":") {
    host = target // Custom port already specified
}
Automatic port detection:
  • Default: 443 for HTTPS
  • Custom: Use specified port (e.g., example.com:8443)

Caching

Result Caching

SSL analysis results are cached to avoid redundant connections: 
// Check cache
data, err := util.Cache1.Get(domain)
if err == nil {
    // Use cached data
    json.Unmarshal(data, &results)
    return results
}

// Perform analysis
results := GetSSLDNS(domain)

// Cache results
util.PutAny[[]string](domain, results)
Cached results improve performance for repeated scans and large target lists with overlapping certificates.

Advanced Features

Certificate Chain Analysis

Analyze entire certificate chains: 
certs := conn.ConnectionState().PeerCertificates
for _, cert := range certs {
    // Process each certificate in chain
    // Root CA, Intermediates, Leaf certificates
}

Protocol Version Detection

Identify supported TLS versions:
  • TLS 1.0 (deprecated)
  • TLS 1.1 (deprecated)
  • TLS 1.2
  • TLS 1.3

Cipher Suite Analysis

Detect weak or outdated cipher suites:
  • Identify weak encryption
  • Find deprecated algorithms
  • Assess security posture

Security Insights

Common Findings

Security Issues Detected via SSL Analysis:
  • Expired certificates
  • Self-signed certificates in production
  • Weak cipher suites
  • Outdated TLS versions
  • Certificate name mismatches
  • Exposed internal domains
  • Development/staging servers

Internal Domain Discovery

SSL certificates often leak internal infrastructure: 
SAN Entries:
- public.example.com (public)
- internal.example.com (internal)
- dev.internal.example.com (development)
- admin.corp.example.com (administrative)
These provide valuable reconnaissance for penetration testing.

Output and Reporting

JSON Output

{
  "target": "example.com",
  "ssl_info": {
    "subject": "example.com",
    "issuer": "Let's Encrypt",
    "valid_from": "2024-01-01T00:00:00Z",
    "valid_to": "2024-12-31T23:59:59Z",
    "dns_names": [
      "example.com",
      "www.example.com",
      "*.api.example.com"
    ],
    "discovered_targets": [
      "example.com",
      "www.example.com",
      "api1.api.example.com",
      "api2.api.example.com"
    ]
  }
}

Performance Considerations

Connection Overhead

SSL analysis adds minimal overhead:
  • Single TLS handshake per unique domain
  • Results cached for subsequent access
  • No certificate validation overhead

Network Impact

# For 100 targets:
# - ~100 TLS handshakes
# - ~5-10 KB per connection
# - Total: ~500 KB - 1 MB

# Minimal compared to port scanning

Troubleshooting

Connection Failures

# SSL not available
# Error: connection refused on port 443

# Solution: Target doesn't support HTTPS
ParseSSl=false ./scan4all -host example.com

Timeout Issues

# Increase timeout in code or
# Skip SSL for slow targets
ParseSSl=false ./scan4all -l slow_targets.txt

Certificate Validation Errors

// Already handled with InsecureSkipVerify
// Should not occur unless network issues

Use Cases

Reconnaissance

# Discover all related domains
ParseSSl=true EnableSubfinder=true ./scan4all -host target.com

Targeted Scanning

# Scan specific URLs only
ParseSSl=false ./scan4all -l specific_urls.txt

Compliance Testing

# Check certificate validity and configuration
ParseSSl=true ./scan4all -host example.com -o ssl_report.json

Bug Bounty

# Maximum reconnaissance
ParseSSl=true EnableSubfinder=true ./scan4all -host target.com

Integration with Other Features

Subdomain Enumeration

SSL analysis feeds into subdomain discovery:
  • Wildcard domains trigger enumeration
  • Base domains added to wordlists
  • Results correlated with DNS data
See: Subdomain Enumeration

Fingerprinting

SSL information aids in fingerprinting:
  • Identify web server technology
  • Detect CDN usage
  • Recognize hosting providers

Vulnerability Scanning

Discovered domains undergo full security testing:
  • Port scanning
  • Service detection
  • Vulnerability checks
  • Exploit validation

Best Practices

  1. Enable for Reconnaissance: Use ParseSSl=true for initial target discovery
  2. Disable for Speed: Use ParseSSl=false when scanning known URLs
  3. Combine with Subfinder: Maximum domain discovery
  4. Review Certificates: Check for sensitive information leakage
  5. Monitor Wildcards: Track wildcard certificate usage

See Also

Build docs developers (and LLMs) love

Get started for freeTalk to us