While many certificates are publicly trusted and added to certificate transparency logs, many large organizations also manage an internal PKI that issues certificates for critical internal resources. EZMonitor enterprise plans include scanning of private networks so that private certificates are monitored too. In this page we will go over how to set up our scanning tool to scan your network and report the findings to your EZMonitor account.
EZMonitor allows you to monitor all your SSL certificates across all your networks. To give you an organized view, we break it down per network: each network has one or more agents, and each agent has a list or range of endpoints assigned. First we must start by creating a private network.
EZScan (download) is the tool that helps EZMonitor gain visibility into your private network. This tool must run on a Windows computer in your network and have outbound access on port 443 to EZMonitor.
If you would like EZMonitor to connect to your ADCS certificate authority to inventory the certificates issued by your CA, follow the steps below to gather the inventory. While this is a great way to get started with certificate discovery, it is not required.
```powershell
.\EZScan.exe -a AGENTNAME -n NETWORKNAME -ca "CA.HOSTNAME.DOMAIN\CA NAME" -t 1.3.6.1.4.1.311.21.8.60601.4814192.14238359.2561337.13409557.15.15002822.720910 -azt YOURAZURETENANTID -sub YOUREZMONITORSUBSCRIPTIONID
```
If you assigned your agents a range of DNS names, EZScan can query your Active Directory DNS server and get all the DNS entries in the range and add them to EZMonitor.
```powershell
.\EZScan.exe -a AGENTNAME -n NETWORKNAME -dns HOSTNAME -domain YOURDOMAIN -azt YOURAZURETENANTID -sub YOUREZMONITORSUBSCRIPTIONID
```
To scan the network and detect SSL certificates, EZScan downloads the list of domains and IP addresses gathered in the previous steps, scans each one of them, and records the SSL status of the endpoint. To start the scan, run EZScan with the following parameters:
- `-a` the name of the agent you are running.
- `-n` the name of the network you are scanning.
- `-azt` your Azure tenant ID.
- `-sub` your EZMonitor subscription ID.
- (Optional) `-p` ports to scan. By default EZScan scans the ports in the table below; if you want to scan a custom set of ports, enter the port numbers as a comma-separated list.
Port | Protocol | Usage |
---|---|---|
25 | SMTP | Email relay |
80 | HTTP | Web browsing |
110 | POP3 | Retrieving email from a mail server to an email client |
443 | HTTPS | Secure web browsing |
465 | SMTPS | Email submission from an email client to an email server |
563 | NNTPS | Secure news server access |
587 | SMTP | Email submission from an email client to an email server |
636 | LDAPS | Secure access to LDAP directories |
990, 989 | FTPS | Secure file transfers |
992 | Telnet over SSL/TLS | Secure terminal access |
993 | IMAPS | Secure mail retrieval |
995 | POP3 over SSL/TLS | Secure mail retrieval |
1433 | Microsoft SQL Server | Secure database connections |
2484 | Oracle DB | Secure database connections |
27017 | MongoDB | Secure database connections |
3306 | MySQL | Secure database connections |
3389 | RDP over SSL/TLS | Secure remote desktop access |
5432 | PostgreSQL | Secure database connections |
6514 | Secure Syslog | Secure system logging |
6697 | IRC over SSL/TLS | Secure Internet Relay Chat connections |
8080 | HTTP | Web browsing (often over SSL/TLS) |
8443 | HTTPS | Secure web browsing (alternate port) |
8883 | MQTT over SSL/TLS | Secure IoT messaging |
9200 | Elasticsearch | Secure connections to Elasticsearch clusters |
9999 | IRC over SSL/TLS | Secure Internet Relay Chat connections (alternate port) |
EZScan can use your MSI or Azure CLI token to authenticate to EZMonitor. However, if you prefer using an Azure service principal, you must pass the following parameters:
- (Optional) `-ai` an Application Insights connection string where EZScan can send run telemetry; this enables you to create alerts and detect issues with EZScan.
```powershell
.\EZScan.exe -a AGENTNAME -n NETWORKNAME -azt YOURAZURETENANTID -sub YOUREZMONITORSUBSCRIPTIONID
```
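The scan step described above (take the endpoint list, connect to each host on each port, record the certificate status) can be illustrated with a small standard-library Python script. This is an added example, not EZScan's code: it takes the default port list from the table on this page, accepts the same comma-separated port list as the `-p` parameter, and produces one record per host and port. The 30-day expiry warning threshold, the status names, the `cafile` parameter and the sample host `intranet.example.internal` are assumptions of the example, not EZMonitor settings.

```python
"""Minimal TLS-certificate inventory scan in the spirit of EZScan's scan step.

Added example, not EZScan code: standard library only. The host used at the
bottom is a constructed sample value, not a real endpoint.
"""
from __future__ import annotations

import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional

# Default port list, taken from the port table on this page (26 ports).
DEFAULT_PORTS = [25, 80, 110, 443, 465, 563, 587, 636, 990, 989, 992, 993, 995,
                 1433, 2484, 27017, 3306, 3389, 5432, 6514, 6697, 8080, 8443,
                 8883, 9200, 9999]

# Assumption of this example: warn this many days before notAfter.
# EZMonitor's own alerting threshold is not stated on the page.
EXPIRY_WARNING_DAYS = 30


def parse_port_spec(spec: Optional[str]) -> list[int]:
    """Turn a comma-separated -p value into a validated, de-duplicated port list.

    None or an empty string means "use the defaults", mirroring the page's
    description of -p as optional. Non-numeric or out-of-range entries raise
    ValueError instead of being silently dropped, so a typo cannot quietly
    shrink the scan.
    """
    if spec is None or not spec.strip():
        return list(DEFAULT_PORTS)
    ports: list[int] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port in -p list: {item!r}")
        if int(item) not in ports:
            ports.append(int(item))
    return ports


@dataclass
class EndpointResult:
    host: str
    port: int
    status: str  # valid | expiring | expired | untrusted | no_tls | unreachable
    subject: str = ""
    not_after: str = ""
    days_left: Optional[int] = None
    detail: str = ""


def classify_expiry(not_after: str, now: Optional[float] = None) -> tuple[str, int]:
    """Classify a certificate by the notAfter string that getpeercert() returns.

    ssl.cert_time_to_seconds parses the 'Jun  1 12:00:00 2030 GMT' format.
    Returns (status, whole days left); days_left is negative once expired.
    """
    now = time.time() if now is None else now
    seconds_left = ssl.cert_time_to_seconds(not_after) - now
    days_left = int(seconds_left // 86400)
    if seconds_left <= 0:
        return "expired", days_left
    if days_left < EXPIRY_WARNING_DAYS:
        return "expiring", days_left
    return "valid", days_left


def scan_endpoint(host: str, port: int, cafile: Optional[str] = None,
                  timeout: float = 5.0) -> EndpointResult:
    """Connect to host:port, complete a TLS handshake and record the result.

    The chain is verified against cafile (for example an export of the internal
    ADCS root) or the system store when cafile is None. Python's ssl module only
    exposes parsed certificate fields for chains it could verify, so an
    unverifiable chain is reported as "untrusted" rather than skipped.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:   # most specific first
        return EndpointResult(host, port, "untrusted", detail=exc.verify_message)
    except ssl.SSLError as exc:                    # listener exists, no usable TLS
        return EndpointResult(host, port, "no_tls", detail=str(exc))
    except OSError as exc:                         # refused, timeout, DNS failure
        return EndpointResult(host, port, "unreachable", detail=str(exc))
    # subject is a tuple of RDNs; take the first attribute of each RDN.
    subject = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "")
    status, days_left = classify_expiry(cert["notAfter"])
    return EndpointResult(host, port, status, subject, cert["notAfter"], days_left)


def scan_network(endpoints: list[str], ports: list[int],
                 cafile: Optional[str] = None) -> list[EndpointResult]:
    """Scan every endpoint on every port, the cross product EZScan walks."""
    return [scan_endpoint(h, p, cafile) for h in endpoints for p in ports]


def summarize(results: list[EndpointResult]) -> dict[str, int]:
    """Count results per status so a run can be compared against the previous one."""
    counts: dict[str, int] = {}
    for r in results:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample input; replace with the endpoints assigned to the agent.
    for r in scan_network(["intranet.example.internal"], parse_port_spec("443,8443")):
        print(f"{r.host}:{r.port} {r.status} {r.subject} {r.not_after} {r.detail}")
    print(summarize(scan_network(["intranet.example.internal"], [443])))
```

Two points worth keeping in mind when reading the output. First, because the standard library only returns parsed fields for a verified chain, point `cafile` at your internal root so private certificates are inventoried; an endpoint that still comes back `untrusted` is presenting a chain the scanner's trust store cannot build, which for an internal PKI is itself a finding worth tracking. Second, a scanner should distinguish `unreachable` and `no_tls` from a missing certificate: a monitor that reports "no certificate" when the real cause was a firewall rule or a plain-HTTP listener hides exactly the gaps a certificate inventory is meant to surface.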