As part of our goal to enhance cybersecurity investigations at Maltego, we are introducing a suite of new Transforms around SSL certificates, including live certificate retrieval and the integration of data from Certificate Transparency (CT) logs with the help of SSLMate Cert Spotter. To use these Transforms, simply install the new “SSL Certificate Transforms” Hub Item. The live certificate retrieval Transforms are free with unlimited usage; the Cert Spotter Transforms include a free tier of 100 requests per day.
Live Certificate Retrieval
The first new Transform we’re introducing is live certificate retrieval. This Transform takes in a Domain or DNS Entity, opens a TLS connection to the host and pulls the certificate the server presents. This comes in handy in many different scenarios. For example, a single certificate often covers not just one domain but a whole list of hostnames in its Subject Alternative Name (SAN) extension, so retrieving it can reveal subdomains you were unaware of and further expand Maltego’s infrastructure footprinting capabilities. It can also help you spot hosts with nearly expired certificates in a large graph. Note that a client which verifies the certificate will refuse an already expired one during the handshake, so inspecting expired certificates requires retrieval without verification.
Live certificates are useful, but not always complete or even trustworthy. The certificate a server presents is a single snapshot: it can depend on the Server Name Indication the client sends, on which CDN edge or load balancer answers, and on the moment of the request, so different clients may see different certificates for the same name. For this reason, we decided to make use of another valuable resource when it comes to certificate data: Certificate Transparency.
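The following is an added example of what live retrieval does under the hood: it is not Maltego’s Transform code, and uses only the Python standard library. It connects with SNI set to the queried name, returns the leaf certificate in the dictionary shape that `ssl.SSLSocket.getpeercert()` produces, and then extracts the SAN hostnames and days-to-expiry from that dictionary. The `SAMPLE_CERT` value is a constructed stand-in in that same shape (not a real certificate), so the parsing part runs offline; the `example.com` names in it are placeholders.

```python
"""Added example: fetch a site's live certificate and list the hostnames it
covers (not Maltego's or SSLMate's code; standard library only)."""
import socket
import ssl
import time


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a TLS connection to host and return the leaf certificate as the
    dict that ssl.SSLSocket.getpeercert() produces.

    The default context verifies the chain and the hostname, so an expired or
    untrusted certificate raises ssl.SSLCertVerificationError instead of
    being returned. Inspecting those needs a non-verifying context plus a
    DER parser on getpeercert(binary_form=True), which is outside this example.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sets SNI: a virtual-hosting server or CDN edge may
        # present a different certificate for a different name.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """Return the DNS names from the subjectAltName extension, deduplicated,
    in the order they appear. IP and email SAN entries are skipped."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names


def days_until_expiry(cert, now=None):
    """Days (float) until notAfter; negative means the certificate has expired.
    notAfter is in OpenSSL's 'Mar  1 00:00:00 2024 GMT' format, which
    ssl.cert_time_to_seconds parses as UTC."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400.0


def expiring_within(cert, days, now=None):
    """True if the certificate expires within `days` days (or already has)."""
    return days_until_expiry(cert, now) <= days


# Constructed sample in the shape getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "docs.example.com"),
        ("DNS", "example.com"),  # duplicate entry, dropped by san_dns_names
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    import sys
    # With a hostname argument, query it live; otherwise use the sample.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    for name in san_dns_names(cert):
        print(name)
    print("expires in %.1f days" % days_until_expiry(cert))
```

Run it with a hostname to query a real server, or without arguments to see the parsing on the sample. The default verifying context is deliberate: it mirrors what a browser would accept, which is also why it cannot show you an expired certificate.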
Certificate Transparency
The CT project is a collaboration of organizations which host publicly accessible logs that store SSL certificates. These logs are strictly append-only: a stored certificate cannot be deleted or altered, and the log’s consistency can be audited publicly by anyone. The goal of the CT project is to get Certificate Authorities, or the certificate recipients themselves, to submit every certificate they issue or receive to the CT logs. Once a certificate is in a log, the details of its origin become public knowledge: anyone can query the log and see which authority issued which names. Major browsers now require publicly trusted certificates to be logged before they accept them, which is what makes the logs close to complete for current certificates.
This process addresses two long-standing trust problems with SSL Certificate Authorities:
- Mistakes made by Certificate Authorities can be identified and rectified quickly. One example was Symantec issuing unauthorized test certificates for google.com, which were discovered through the CT logs even though Google’s legitimate certificates chained to GeoTrust. Similarly, rogue certificates issued by a compromised or misbehaving Certificate Authority can be caught quickly.
- An attacker who gains enough control of a company’s DNS or web servers to pass domain validation can obtain a publicly trusted certificate for the company’s domain from any Certificate Authority, for example Let’s Encrypt. Clients connecting to services under that domain would accept the attacker’s certificate, since their browsers trust that authority, and risk having their communication intercepted. With Certificate Transparency, a company’s cybersecurity team can regularly monitor all the certificates issued for the company’s domain names and compare them against the certificates they actually requested. Any unexpected issuance becomes visible and the team can take appropriate measures, such as asking the CA to revoke it.
These advantages make Certificate Transparency logs a valuable resource for cybersecurity investigations.
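Here is an added example of the monitoring routine described above, written against the SSLMate Cert Spotter API that the new Transforms also use. It is not Maltego’s or SSLMate’s code. It assumes the public v1 endpoint `https://api.certspotter.com/v1/issuances`, its `domain`, `include_subdomains`, `expand` and `after` query parameters, bearer-token authentication for paid keys, and a response that is a JSON list of issuance objects carrying `id`, `dns_names`, `issuer.name`, `not_before` and `not_after`; check the current API documentation if any of that has changed. The `SAMPLE_RESPONSE` below is constructed in that shape, not real log data, and the `example.com` names and the “Rogue CA” issuer are placeholders. The same `dns_names` list is what the “To Domains” pivot described later in this post extracts from a certificate.

```python
"""Added example: pull a domain's issuances from SSLMate Cert Spotter and
flag the ones a defender did not expect (not Maltego's or SSLMate's code)."""
import json
import urllib.parse
import urllib.request

# Assumed public API endpoint; see https://sslmate.com/certspotter/api/
API = "https://api.certspotter.com/v1/issuances"


def fetch_issuances(domain, api_key=None, after=None):
    """Return one page of unexpired issuances for domain and its subdomains.

    Pass the last id seen as `after` to page forward; the API returns an empty
    list when there is nothing newer. Without api_key the free tier applies and
    the API signals an exhausted quota with HTTP 429 (urllib raises HTTPError).
    """
    params = [("domain", domain), ("include_subdomains", "true"),
              ("expand", "dns_names"), ("expand", "issuer")]
    if after:
        params.append(("after", after))
    req = urllib.request.Request(API + "?" + urllib.parse.urlencode(params))
    if api_key:
        req.add_header("Authorization", "Bearer " + api_key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def unexpected_issuances(issuances, domain, allowed_issuers, known_names):
    """Split issuances into (expected, suspicious) lists.

    An issuance is suspicious if its issuer DN contains none of the strings in
    allowed_issuers (e.g. "O=Let's Encrypt"), or if any name it covers under
    `domain` is not in known_names. Names outside `domain` (other tenants on a
    shared SaaS certificate) are ignored by the check but kept for the analyst.
    """
    expected, suspicious = [], []
    for iss in issuances:
        issuer = iss.get("issuer", {}).get("name", "")
        names = iss.get("dns_names", [])
        reasons = []
        if not any(allowed in issuer for allowed in allowed_issuers):
            reasons.append("issuer not allow-listed: " + issuer)
        ours = [n for n in names if n == domain or n.endswith("." + domain)]
        unknown = sorted(set(ours) - set(known_names))
        if unknown:
            reasons.append("unknown names: " + ", ".join(unknown))
        record = {"id": iss.get("id"), "issuer": issuer,
                  "names": names, "reasons": reasons}
        (suspicious if reasons else expected).append(record)
    return expected, suspicious


# Constructed sample response in the assumed Cert Spotter shape (not real data).
SAMPLE_RESPONSE = [
    {"id": "1001", "dns_names": ["example.com", "www.example.com"],
     "issuer": {"name": "C=US, O=Let's Encrypt, CN=R3"},
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2024-03-31T23:59:59Z"},
    {"id": "1002",  # shared SaaS certificate: other tenants' names are ignored
     "dns_names": ["support.othertenant.example", "docs.example.com",
                   "help.thirdtenant.example"],
     "issuer": {"name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"},
     "not_before": "2024-01-15T00:00:00Z", "not_after": "2025-01-15T23:59:59Z"},
    {"id": "1003", "dns_names": ["vpn.example.com"],  # name nobody requested
     "issuer": {"name": "C=US, O=Let's Encrypt, CN=R3"},
     "not_before": "2024-02-01T00:00:00Z", "not_after": "2024-05-01T23:59:59Z"},
    {"id": "1004", "dns_names": ["example.com"],  # CA the company never uses
     "issuer": {"name": "C=XX, O=Rogue CA, CN=Rogue CA Issuing 1"},
     "not_before": "2024-02-10T00:00:00Z", "not_after": "2025-02-10T23:59:59Z"},
]
ALLOWED_ISSUERS = ["O=Let's Encrypt", "O=DigiCert Inc"]
KNOWN_NAMES = {"example.com", "www.example.com", "docs.example.com"}

if __name__ == "__main__":
    import sys
    data = fetch_issuances(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    _, flagged = unexpected_issuances(data, domain, ALLOWED_ISSUERS, KNOWN_NAMES)
    for rec in flagged:
        print(rec["id"], rec["names"], "; ".join(rec["reasons"]))
```

Matching on the issuer DN string is convenient but coarse; a stricter pin compares the issuer’s public key hash, which the API also exposes, against the keys of the CAs you actually use. Run the script on a schedule, keep the last `id` seen and pass it as `after`, and every new issuance for your names is reviewed exactly once.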
In addition, Certificate Transparency logs represent a historic database of SSL certificates, which will eventually allow us to query past and expired certificates for a given site, or to search the logs by other criteria such as the organization a certificate was issued to. We hope to make these advanced features available soon.
We are excited to announce the introduction of new Transforms making use of the SSLMate Cert Spotter API to retrieve valid certificates from Certificate Transparency logs. These new Transforms allow you to pivot between Websites/Domains and SSL Certificates.
Given a Domain or DNS Entity, the “To Certificates” [Cert Spotter] Transform searches the Certificate Transparency logs for current, unexpired certificates that have been issued for that domain name (in this example we will use the domain “maltego.com”).
The results from this example show that both Let’s Encrypt and DigiCert have issued certificates for maltego.com. Evidently, Maltego’s name is used in services associated with midaxo.com and subscription-suite.com. This brings to our attention that success.midaxo.com and maltego.com are somehow related. Next, we will try to figure out why.
To uncover the missing link between success.midaxo.com and maltego.com, we run the “To Domains” Transform and study all the hostnames that represent those certificates:
The returned domain names are extracted from the Subject Alternative Names of the certificate. From these, we note that this is a certificate issued to a server hosting support sites for various companies. Upon further study, we note that this server is associated with FreshDesk, Maltego’s customer service omnichannel and the company hosting our online documentation, docs.maltego.com. Keep in mind that names sharing a certificate like this share a hosting provider, not necessarily an organizational relationship; the link between success.midaxo.com and maltego.com is a common SaaS vendor, nothing more. To take this investigation a step further, we can use the same list of domains to derive a long list of companies who are also using FreshDesk software.
After installing the SSL Certificate Transforms Hub Item, you can run up to 100 Cert Spotter Transforms per day for free without further authentication. After that, you will receive an alert that you have reached your daily quota. If you need to run more queries, head over to SSLMate Cert Spotter’s website, where you can sign up for a free trial API key or a full subscription to the service.
For information about these Transforms, refer to our documentation.
For more information on SSLMate and their API pricing, check out https://sslmate.com/ and https://sslmate.com/certspotter/api/pricing.
You can find more information about the CT project here: https://www.certificate-transparency.org/.
We would love to hear more about your own investigations with Maltego. Visit our blog and follow our Twitter and LinkedIn pages for more interesting use cases.
If you have any questions about our Transform Hub, reach out to us here.