christophetd/censys-subdomain-finder christophetd/censys-subdomain-finder

  • Stars
    star
    579
  • Rank 77,126 (Top 2 %)
  • Language
    Python
  • Created almost 7 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
christophetd/censys-subdomain-finder
github

christophetd

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

⚡ Perform subdomain enumeration using the certificate transparency logs from Censys.

Censys subdomain finder

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain who has ever been issued a SSL certificate by a public CA.

See it in action:

$ python censys-subdomain-finder.py github.com

[*] Searching Censys for subdomains of github.com
[*] Found 42 unique subdomains of github.com in ~1.7 seconds

  - hq.github.com
  - talks.github.com
  - cla.github.com
  - github.com
  - cloud.github.com
  - enterprise.github.com
  - help.github.com
  - collector-cdn.github.com
  - central.github.com
  - smtp.github.com
  - cas.octodemo.github.com
  - schrauger.github.com
  - jobs.github.com
  - classroom.github.com
  - dodgeball.github.com
  - visualstudio.github.com
  - branch.github.com
  - www.github.com
  - edu.github.com
  - education.github.com
  - import.github.com
  - styleguide.github.com
  - community.github.com
  - server.github.com
  - mac-installer.github.com
  - registry.github.com
  - f.cloud.github.com
  - offer.github.com
  - helpnext.github.com
  - foo.github.com
  - porter.github.com
  - id.github.com
  - atom-installer.github.com
  - review-lab.github.com
  - vpn-ca.iad.github.com
  - maintainers.github.com
  - raw.github.com
  - status.github.com
  - camo.github.com
  - support.enterprise.github.com
  - stg.github.com
  - rs.github.com

Setup

  1. Register an account (free) on https://censys.io/register

  2. Browse to https://censys.io/account, and set two environment variables with your API ID and API secret:

    export CENSYS_API_ID=...
export CENSYS_API_SECRET=...

    Alternatively, you can use a .env file to store these values for persistence across uses:

    cp .env.template .env

    Then edit the .env file and set the values for CENSYS_API_ID and CENSYS_API_SECRET.

  3. Clone the repository:

    git clone https://github.com/christophetd/censys-subdomain-finder.git

  4. Install the dependencies in a virtualenv:

    cd censys-subdomain-finder
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Usage

Sample usage:

python censys-subdomain-finder.py example.com

Output the list of subdomains to a text file:

python censys-subdomain-finder.py example.com -o subdomains.txt
usage: censys-subdomain-finder.py [-h] [-o OUTPUT_FILE]
                                  [--censys-api-id CENSYS_API_ID]
                                  [--censys-api-secret CENSYS_API_SECRET]
                                  domain

positional arguments:
  domain                The domain to scan

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        A file to output the list of subdomains to (default:
                        None)
  --censys-api-id CENSYS_API_ID
                        Censys API ID. Can also be defined using the
                        CENSYS_API_ID environment variable (default: None)
  --censys-api-secret CENSYS_API_SECRET
                        Censys API secret. Can also be defined using the
                        CENSYS_API_SECRET environment variable (default: None)

Compatibility

Should run on Python 2.7 and 3.5.

Notes

The Censys API has a limit rate of 120 queries per 5 minutes window. Each invocation of this tool makes exactly one API call to Censys.

Feel free to open an issue or to tweet @christophetd for suggestions or remarks.

More Repositories

1

CloudFlair

🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
Python
1,880
star
2

log4shell-vulnerable-app

Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).
Java
1,055
star
3

Adaz

🔧 Deploy customizable Active Directory labs in Azure - automatically.
HCL
368
star
4

spoofing-office-macro

🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.
VBA
364
star
5

duplicacy-autobackup

💾 Painless automated backups to multiple storage providers with Docker and duplicacy.
Shell
246
star
6

mindmaps

🔍 Mindmaps for threat hunting - work in progress.
148
star
7

IPv6teal

👋 Stealthy data exfiltration via IPv6 covert channel
Python
91
star
8

firepwned

🙏 Checks Firefox saved passwords against known data leaks using the Have I Been Pwned API.
Python
81
star
9

nextcloud-docker-compose

☁️ Spin up a Nextcloud instance with automatied backups and SSL certificate issuance.
75
star
10

docker-python-sandbox

A Docker-powered NodeJS sandbox to execute untrusted python code.
JavaScript
62
star
11

nmap-nse-info

Browse and search through nmap's NSE scripts.
Lua
58
star
12

code-execution-api-demo

JavaScript
17
star
13

aws-sso-device-code-authentication

Python
16
star
14

fun-with-vpc-endpoints

HCL
14
star
15

geolocate-ips

Batch IP geolocation script.
Python
12
star
16

abusing-cloudflare-workers

Abusing Cloudflare Workers to establish persistence and exfiltrate sensitive data at the edge.
JavaScript
10
star
17

telegram-downbot

A Telegram bot to monitor websites
CoffeeScript
6
star
18

polybot

CoffeeScript
5
star
19

unix-commands

Some useful UNIX commands
4
star
20

falias

Shell
2
star
21

powercoders-docker

Repository for Powercoders Docker presentation and workshop
Python
2
star
22

filezilla-passwords-revealer

JavaScript
1
star
23

hackathon

JavaScript
1
star
24

flame-maker

Java
1
star
25

fos2015.github.io

Website for the Foundations of Software course at EPFL in the Fall 2015 semester
CSS
1
star
26

Rails-app

Ruby
1
star