Very quick info about broken SSL certs you may not know (level: med)

DJ SUBSTANCE
Dec 10, 2023


9x Spreading Hacking Info in the new millennium — https://9x.network

Isn't that a sick logo? I dig it! Anyway, let's just talk about this screen we have all seen many times:

Most people see this almost every day and just click advanced / proceed.

I am guilty of it; we all are. But let's just look at what it means briefly.

First of all, if we look at the URL bar, we are hitting an IP address. In case you aren't aware of this, it's going to be pretty rare that any production server, or company, will have you hit an IP address. The reason is — for instance my web hosting provider Hostrocket — has ONE IP for all 100 of my websites (yes, I have 100 sites). The way this works, since there are actually probably 10k sites hosted on the one IP, is through the headers, specifically the Host header.

Quick example of why an IP address is rarely going to be a valid site:
the request you see in the picture above looks something like this:

GET /index.html HTTP/1.1
Host: evilhacker.com
<snip rest of the headers>

So let's say you nslookup walmart.com:

host walmart.com
walmart.com has address 184.84.129.227 <- Visiting this IP is unlikely to work
walmart.com mail is handled by 10 mxb-000c7201.gslb.pphosted.com.
walmart.com mail is handled by 10 mxa-000c7201.gslb.pphosted.com.
For the heck of it, I just did that; here is the curl output.
Notice this is the IP of walmart.com, NOT www.walmart.com:

curl -vkL 'https://184.84.129.227'
-v  Verbose
-k  Ignore bad / weird certs
-L  Follow redirects

OUTPUT -
* Trying 184.84.129.227:443...
* Connected to 184.84.129.227 (184.84.129.227) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject:
C=US;
ST=Arkansas;
L=Bentonville;
O=Walmart Inc.;
CN=www.walmart.com

* start date: Mar 2 18:32:20 2023 GMT
* expire date: Apr 2 18:32:19 2024 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign ECC OV SSL CA 2018
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: 184.84.129.227
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 209
< Expires: Sun, 10 Dec 2023 18:34:26 GMT
< Date: Sun, 10 Dec 2023 18:34:26 GMT
< Connection: close
<
<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "&#91;no&#32;URL&#93;", is invalid.<p>
Reference&#32;&#35;9&#46;3c34d517&#46;1702233266&#46;546a5c90
</BODY></HTML>
* Closing connection 0

So that didn't work, and the fact it allowed HTTP/1.0 is kind of concerning.

I got curious just now and checked the same thing with www.walmart.com; interestingly enough, check this out:

Repeated DNS lookups against different DNS servers produced different IPs:

host www.walmart.com
www.walmart.com is an alias for www.walmart.com.edgekey.net.
www.walmart.com.edgekey.net is an alias for e4373.x.akamaiedge.net.
e4373.x.akamaiedge.net has address 184.84.129.227

(I ran this command 5 times to see if the IP changed and it did not, so I tried using a different DNS server the 6th time for the same host)

host www.walmart.com 1.1.1.1 <- Forcing use of different DNS server
www.walmart.com is an alias for www.walmart.com.edgekey.net.
www.walmart.com.edgekey.net is an alias for e4373.x.akamaiedge.net.
e4373.x.akamaiedge.net has address <- Different IP

host www.walmart.com 4.2.2.2
www.walmart.com is an alias for www.walmart.com.edgekey.net.
www.walmart.com.edgekey.net is an alias for e4373.x.akamaiedge.net.
e4373.x.akamaiedge.net has address 23.219.48.144

So we just got 3 different IPs for www.walmart.com

184.84.129.227
104.122.44.48
23.219.48.144

Checking the rDNS
144.48.219.23.in-addr.arpa domain name pointer a23-219-48-144.deploy.static.akamaitechnologies.com.
48.44.122.104.in-addr.arpa domain name pointer a104-122-44-48.deploy.static.akamaitechnologies.com.

This is getting beyond the scope of what I was getting at, so let's tie it together. Hitting https://184.84.129.227 (one of the www.walmart.com IPs):

Not surprising at all, because like I said, this IP probably hosts lots of pages.

So now, click “NET::ERR_CERT_COMMON_NAME_INVALID”

Now it expands down with info:

Always click the error and find out why

So now we can see that the certificate is specifically for www.walmart.com (not walmart.com), and we can tell when it expires. The error was thrown because the IP we typed in the URL bar doesn't match the hostname on the certificate.
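As an added example (not from the original post), here is the name check a browser runs before throwing NET::ERR_CERT_COMMON_NAME_INVALID, plus a helper that reads the certificate a shared IP hands out when you send the right SNI name (the TLS counterpart of the Host header discussed above). The sample certificate dict is constructed; its SAN list is an assumption and was not copied from the real Walmart certificate.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns: subject as
# curl printed it above; the SAN list is assumed, not copied from the real cert.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Walmart Inc."),),
                (("commonName", "www.walmart.com"),)),
    "subjectAltName": (("DNS", "www.walmart.com"),),
}

def _dns_match(pattern, name):
    """RFC 6125 style: '*' may only be the entire leftmost label, never 'a.*.com'."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def cert_matches(cert, requested):
    """True if the name in the URL bar (hostname or IP literal) is covered by cert.
    Browser rules: an IP literal needs an 'IP Address' SAN, a hostname needs a
    matching 'DNS' SAN; the CN is only consulted when the cert has no SAN at all."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            if ip is None and kind == "DNS" and _dns_match(value, requested):
                return True
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return ip is None and any(_dns_match(cn, requested) for cn in cns)

def fetch_peer_cert(ip, sni, port=443, timeout=5):
    """Live helper (needs network): connect to ip but send sni in the handshake,
    TLS's version of the Host header, so a shared front end picks the right cert.
    The chain is still verified; only the hostname check is skipped."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()
```

Feeding the IP literal from the URL bar into cert_matches returns False for the sample cert, which is exactly the mismatch the browser is complaining about; a hostname that matches a DNS SAN returns True.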

If you check out https://osint.sh there are a bunch of tools to reverse lookup IPs to hostnames, and also https://dnsdumpster.com.

I know this wasn't amazing info but hey, it's interesting ;p

substance


Twenty years professionally as a Network Engineer; more recently I have focused mostly on red teaming, but I am always up for learning and exchanging info.