prmt/vpn-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2 Commits 1 Branch 0 Tags
master
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Theodore Kaczynski 695ae50fe5 update: readme file
2026-05-15 14:37:44 +03:00
README.md
update: readme file
2026-05-15 14:37:44 +03:00
subscan.sh
addition: subscan
2026-05-15 03:43:46 +03:00

README.md

VPN TOOLS

SubScan

A Bash script that scans an IPv4 subnet for hosts with TCP port 443 open, extracts TLS certificate domains (SANs), and validates whether any SAN resolves (forward DNS) to the scanned IP. Outputs a Markdown report.

Usage

Required: bash, nmap, dig, openssl.

Basic invocation:

./subscan.sh 192.168.1.0/24

Output: a timestamped Markdown file named like subscan_192.168.1.0-24_YYYYMMDD_HHMMSS.md.

What it does (high level)

  • Verifies required tools (prompts to install on Debian/Ubuntu via apt-get if missing).
  • Runs nmap to find hosts with port 443 open.
  • Connects to each host with openssl s_client, extracts certificate subjectAltName DNS entries.
  • For each extracted domain, performs forward DNS (dig) and checks if any A record matches the host IP.
  • Produces a Markdown report grouping hosts into "Valid" (a SAN resolves back to the IP) and "Invalid" (no SANs or no matching forward DNS).
  • Cleans up temporary files.

Key behavior and defaults

  • nmap options: -Pn -p443 --open -T4 --min-rate=1000 (fast scan, treats hosts as up).
  • openssl s_client: 4s timeout per connection (using timeout command).
  • dig: +short +timeout=3 +tries=2.
  • Report file: subscan_<subnet_with_slash_replaced_by_dash>_YYYYMMDD_HHMMSS.md.
  • Exit codes:
    • 0 on success (report written),
    • 1 if usage error, missing tools and user declined install, or no hosts with 443 open.

Important notes & limitations

  • Requires network access and privileges to run nmap and install packages if chosen.
  • The script assumes IPv4 addresses and that visible A records map directly to the scanned IP.
  • TLS extraction relies on the certificate presented when connecting without using a specific SNI (the script sets SNI to dummy); some servers may require a correct SNI to present relevant certificates.
  • False negatives possible if:
    • Certificate SANs are absent or located only in the certificate presented for a different SNI.
    • DNS uses CNAMEs, load balancers, or geo/anycast addressing where the certificate domain resolves to different IPs.
    • Hosts use IPv6-only addresses.
  • Use responsibly and only on networks you are authorized to scan.

Example output (trimmed)

The generated Markdown report includes metadata and two sections:

Valid (TLS domain resolves back to IP)

  • 203.0.113.5 → example.com

Invalid (No match or no TLS domains)

  • 198.51.100.12 → No TLS domains found
  • 198.51.100.20 → site1.example.net site2.example.org

Installation (optional)

On Debian/Ubuntu, if you allow the script to auto-install it will run:

sudo apt-get update
sudo apt-get install -y nmap dnsutils openssl

License

No license specified — treat as permissive example code. Modify and use as needed.

Reference in New Issue View Git Blame Copy Permalink
S
Description
List of tools for raping RKN officials
Readme 28 KiB
Languages
Shell 100%