I wanted a script to scan all the IP addresses in the network range using Nmap and report on any ports that have a certificate attached, including the certificate details and health:
Scan a single host
nmap -sV -p 443 -Pn -script=ssl-cert,ssl-enum-ciphers,ssl-heartbleed <ip address>/32
Scan a network address range
nmap -sV -p 1-65535 -Pn -script=ssl-cert,ssl-enum-ciphers,ssl-heartbleed <x.x.x.x/xx>
Scan a network address range with a report
nmap -sV -p 1-65535 -Pn -oG report.txt -script=ssl-cert,ssl-enum-ciphers,ssl-heartbleed <x.x.x.x/xx>
The report will look like this:
# Nmap 7.92 scan initiated Fri Aug 4 14:28:46 2023 as: nmap -sV -p 443 -Pn -oG report.txt -script=ssl-cert,ssl-enum-ciphers,ssl-heartbleed <IP>
Host: 10.854.8.777 (victim.bear.local) Status: Up
Host: 10.854.8.777 (victim.bear.local) Ports: 443/open/tcp//ssl|http//Microsoft IIS httpd 17.0/
# Nmap done at Fri Aug 4 14:28:59 2023 -- 1 IP address (1 host up) scanned in 12.61 seconds
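The grepable report above lists open ports but carries no NSE script output, so the certificate details are not in it. As an added example (not from the original post), this parses Nmap's XML report (`-oX report.xml` in place of `-oG report.txt`) and flags certificate health per port. The sample XML is constructed, the element layout is assumed to match ssl-cert's structured output, and the 30-day and 2048-bit thresholds are illustrative assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample of `nmap -oX` output, trimmed to the fields read below.
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><script id="ssl-cert" output="">
 <table key="subject"><elem key="commonName">web01.example.test</elem></table>
 <table key="pubkey"><elem key="type">rsa</elem><elem key="bits">1024</elem></table>
 <elem key="sig_algo">sha1WithRSAEncryption</elem>
 <table key="validity"><elem key="notAfter">2023-08-20T00:00:00</elem></table>
</script></port>
<port protocol="tcp" portid="8443"><state state="open"/><script id="ssl-cert" output="">
 <table key="subject"><elem key="commonName">app01.example.test</elem></table>
 <table key="pubkey"><elem key="type">rsa</elem><elem key="bits">2048</elem></table>
 <elem key="sig_algo">sha256WithRSAEncryption</elem>
 <table key="validity"><elem key="notAfter">2025-01-01T00:00:00</elem></table>
</script></port>
</ports></host></nmaprun>"""

def cert_report(xml_text, now, warn_days=30):
    rows = []  # one dict per port that returned ssl-cert output
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            cert = port.find("script[@id='ssl-cert']")
            if cert is None:
                continue  # no certificate presented on this port
            get = lambda path: cert.findtext(path, default="")
            issues = []
            na = get("table[@key='validity']/elem[@key='notAfter']")
            try:
                expires = datetime.strptime(na[:19], "%Y-%m-%dT%H:%M:%S")
                if expires < now:
                    issues.append("expired")
                elif expires < now + timedelta(days=warn_days):
                    issues.append("expires soon")
            except ValueError:
                issues.append("unreadable expiry")
            ktype, bits = (get(f"table[@key='pubkey']/elem[@key='{k}']") for k in ("type", "bits"))
            if ktype == "rsa" and bits.isdigit() and int(bits) < 2048:
                issues.append("weak RSA key")
            if get("elem[@key='sig_algo']").lower().startswith(("sha1", "md5")):
                issues.append("weak signature hash")
            rows.append({"host": addr, "port": int(port.get("portid")), "issues": issues,
                         "cn": get("table[@key='subject']/elem[@key='commonName']")})
    return rows

if __name__ == "__main__":
    print(*cert_report(SAMPLE_XML, datetime(2023, 8, 4)), sep="\n")
```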