OpenSSL — Inspect TLS Service
enumerationtool
Summary
Pull certificates from TLS services to leak hostnames, domain names, and internal CN/SAN values useful for AD enumeration.
Walkthrough
Connecting with openssl s_client dumps the server certificate, which often leaks the internal hostname, domain, and CA name — handy when a box only exposes LDAPS (3269/636) or another TLS service.
Look in the certificate Subject / Subject Alternative Name for the real FQDN, then add it to /etc/hosts and re-enumerate.
Commands
bash
# Grab the cert off a TLS-wrapped port (e.g. LDAPS 3269/636) openssl s_client -connect <IP>:3269