← Back to search

OpenSSL — Inspect TLS Service

enumerationtool

Summary

Pull certificates from TLS services to leak hostnames, domain names, and internal CN/SAN values useful for AD enumeration.

Walkthrough

Connecting with openssl s_client dumps the server certificate, which often leaks the internal hostname, domain, and CA name — handy when a box only exposes LDAPS (3269/636) or another TLS service.

Look in the certificate Subject / Subject Alternative Name for the real FQDN, then add it to /etc/hosts and re-enumerate.

Commands

bash

# Grab the cert off a TLS-wrapped port (e.g. LDAPS 3269/636)
openssl s_client -connect <IP>:3269