  • Stars: 328
  • Rank: 128,352 (Top 3 %)
  • Language: Go
  • License: GNU General Publi...
  • Created over 8 years ago
  • Updated almost 2 years ago

Repository Details

An open source intelligence tool to crawl the graph of certificate Alternate Names

CertGraph

A tool to crawl the graph of certificate Alternate Names

CertGraph crawls SSL/TLS certificates and builds a directed graph: each domain is a node, and the Subject Alternative Names (SANs) on the certificate that domain presents are the edges to other domain nodes. New domains are printed as they are found. In detailed mode (-details) the graph's adjacency list is printed once the crawl completes.

By default, certificates are collected by connecting to each host over TCP; alternatively, several drivers search Certificate Transparency logs instead, which sends no traffic to the hosts being enumerated.

This tool was designed for host name enumeration via SSL/TLS certificates, but it can also show a "chain" of trust between domains and the certificates that are re-used across them.
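The crawl described above, written out as an added Go example (this is not certgraph's own code): a breadth-first walk in which each domain is a node and each DNS SAN on the certificate it presents is an edge, with the certificate source behind a pluggable driver function the way the tool's http, smtp and CT drivers are. Everything here is constructed: FakeInternet is an in-memory map of invented hosts serving self-signed certificates minted on the spot, so nothing touches the network, and Crawl, Entry, selfSigned and the "Error" status label are this example's names rather than the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Entry is one adjacency-list row: Node Depth Status Cert-Fingerprint ("Good" is the
// README's status label, "Error" this example's; fingerprint is SHA-256 over the DER).
type Entry struct {
	Domain      string
	Depth       uint
	Status      string
	Fingerprint string
}

// Crawl is the breadth-first walk: each domain is a node and every DNS SAN on the
// certificate it presents is an edge. drv plays the role of certgraph's driver (HTTPS,
// SMTP STARTTLS or CT logs); roots are depth 0 and nodes at maxDepth are not expanded.
func Crawl(roots []string, drv func(string) (*x509.Certificate, error), maxDepth uint) []Entry {
	depth := map[string]uint{} // doubles as the visited set
	var queue []string
	enqueue := func(d string, n uint) {
		d = strings.ToLower(d)
		if _, seen := depth[d]; seen || strings.HasPrefix(d, "*.") { // wildcards are not connectable hosts
			return
		}
		depth[d] = n
		queue = append(queue, d)
	}
	for _, r := range roots {
		enqueue(r, 0)
	}
	var out []Entry
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		cert, err := drv(cur)
		if err != nil { // no listener, handshake failure, etc.: record the node, no edges
			out = append(out, Entry{Domain: cur, Depth: depth[cur], Status: "Error"})
			continue
		}
		sum := sha256.Sum256(cert.Raw)
		out = append(out, Entry{cur, depth[cur], "Good", strings.ToUpper(hex.EncodeToString(sum[:]))})
		if depth[cur] < maxDepth {
			for _, san := range cert.DNSNames {
				enqueue(san, depth[cur]+1)
			}
		}
	}
	return out
}

// selfSigned mints a throwaway certificate with the given SANs. Constructed test
// data only: no real certificate or host is involved.
func selfSigned(names ...string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// FakeInternet is a constructed set of hosts: one certificate shared by two example.com
// hosts, one host whose own cert names another apex, and a SAN behind which nothing listens.
func FakeInternet() func(string) (*x509.Certificate, error) {
	shared := selfSigned("example.com", "maps.example.com", "kittens.example.com")
	certs := map[string]*x509.Certificate{
		"example.com":         shared,
		"maps.example.com":    shared,
		"kittens.example.com": selfSigned("kittens.example.com", "cdn.example.net"),
		"cdn.example.net":     selfSigned("cdn.example.net", "static.example.org"),
	}
	return func(d string) (*x509.Certificate, error) {
		if c, ok := certs[d]; ok {
			return c, nil
		}
		return nil, fmt.Errorf("no TLS listener for %s", d)
	}
}

func main() {
	for _, e := range Crawl([]string{"example.com"}, FakeInternet(), 5) {
		fmt.Printf("%s\t%d\t%s\t%s\n", e.Domain, e.Depth, e.Status, e.Fingerprint)
	}
}
```

Running it prints five rows in the -details layout: example.com and maps.example.com share one fingerprint, kittens.example.com at depth 1 presents a different certificate that pulls in cdn.example.net at depth 2, and static.example.org at depth 3 is recorded with an Error status because no listener answers. Lowering maxDepth to 1 keeps the three example.com rows and stops expanding there, which is the behaviour behind the -depth option.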

Blog post with more information

Usage

Usage of ./certgraph: [OPTION]... HOST...
        https://github.com/lanrat/certgraph
OPTIONS:
  -apex
     for every domain found, add the apex domain of the domain's parent
  -cdn
     include certificates from CDNs
  -censys-appid string
     censys API AppID
  -censys-secret string
     censys API Secret
  -ct-expired
     include expired certificates in certificate transparency search
  -ct-subdomains
     include sub-domains in certificate transparency search
  -depth uint
     maximum BFS depth to go (default 5)
  -details
     print details about the domains crawled
  -dns
     check for DNS records to determine if domain is registered
  -driver string
     driver(s) to use [censys, crtsh, http, smtp] (default "http")
  -json
     print the graph as json, can be used for graph in web UI
  -parallel uint
     number of certificates to retrieve in parallel (default 10)
  -regex string
     regex domains must match to be part of the graph
  -sanscap int
     maximum number of uniq apex domains in certificate to include, 0 has no limit (default 80)
  -save string
     save certs to folder in PEM format
  -serve string
     address:port to serve html UI on
  -timeout uint
     tcp timeout in seconds (default 10)
  -updatepsl
     Update the default Public Suffix List
  -verbose
     verbose logging
  -version
     print version and exit

Drivers

CertGraph has multiple options for querying SSL certificates. The driver is responsible for retrieving the certificates for a given domain. Currently there are the following drivers:

  • http: the default driver. It connects to each host over HTTPS and reads the certificate from the TLS handshake.

  • smtp: like the http driver, but connects on port 25 and issues the STARTTLS command before reading the certificate from the TLS handshake.

  • censys: searches Certificate Transparency logs via censys.io. No packets are sent to any of the crawled domains. Requires Censys API credentials (-censys-appid and -censys-secret).

  • crtsh: searches Certificate Transparency logs via crt.sh. No packets are sent to any of the crawled domains.

Example

$ ./certgraph -details eff.org
eff.org 0       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
maps.eff.org    1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
https-everywhere-atlas.eff.org  1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
httpse-atlas.eff.org    1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
atlas.eff.org   1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
kittens.eff.org 1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325

The above output is the adjacency list for the graph rooted at eff.org. Each row has the form: Node Depth Status Cert-Fingerprint, where Depth is the BFS distance from the root and Cert-Fingerprint is the SHA-256 fingerprint of the certificate that node presented; rows sharing a fingerprint were served the same certificate.

Releases

Pre-compiled releases are occasionally uploaded to the GitHub releases page: https://github.com/lanrat/certgraph/releases

Docker

CertGraph is an automated build on Docker Hub:

$ docker run --rm -it lanrat/certgraph example.com
example.com
www.example.net
www.example.org
www.example.com
example.org
example.net
example.edu
www.example.edu

Linux Distributions

Compiling

To compile certgraph you need a working Go 1.16 or newer toolchain. Compiling for the running system is as easy as running make:

certgraph$ make
go build -o certgraph certgraph.go

Alternatively, install it with go install in one line:

go install github.com/lanrat/certgraph@latest

Web UI

A web UI is provided in the docs folder. It is hosted at the GitHub Pages URL https://lanrat.github.io/certgraph/, or it can be served by the embedded web server by running certgraph --serve 127.0.0.1:8080.

The web UI consumes the output produced with the -json flag. The JSON graph can be supplied to the web interface as an uploaded file, as a remote URL, or in the query string via the data parameter.

Example 1: eff.org

eff.org graph

Example 2: google.com

google.com graph

Example 3: whitehouse.gov

whitehouse.gov graph

BygoneSSL detection

Self Detection

CertGraph can be used to detect the BygoneSSL DoS condition with the following options. CT-DRIVER can be any Certificate Transparency capable driver (censys or crtsh). Provide every domain you own as input. If any domain you do not own is printed, you are vulnerable.

certgraph -depth 1 -driver CT-DRIVER -ct-subdomains -cdn -apex [DOMAIN]...

Bug Bounty

To find a vulnerable site that has a bug bounty, certgraph can be used with the following options and any driver, but you will have better luck with a non Certificate Transparency driver (http or smtp), which ensures that the certificates in question are actually in use:

certgraph -cdn -dns -apex [DOMAIN]...

Domains reported with "* Missing DNS for" have vulnerable certificates that should be rotated.
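The check both the Self Detection and Bug Bounty passages above ask you to do by eye, namely spotting domains in the crawl output that are not under an apex you own, as an added Go example (not certgraph's own code). It parses -details rows in the README's Node Depth Status Cert-Fingerprint layout and groups the foreign names by certificate fingerprint, so the output tells you which certificate to rotate. SampleDetails, Finding, ForeignDomains and apex are this example's names; the sample rows and their fingerprints are constructed, and the apex() helper is a deliberate simplification (last two labels) where the real tool consults the Public Suffix List. Lines that are not four-field rows, including the "* Missing DNS for" notes printed with -dns, are skipped rather than interpreted.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Finding is one certificate (by SHA-256 fingerprint) whose crawl rows name
// domains outside the apex domains you control.
type Finding struct {
	Fingerprint string
	Foreign     []string
}

// apex reduces a hostname to its registrable domain. Simplification: last two
// labels. certgraph itself consults the Public Suffix List (see -updatepsl),
// which is what you want for names under co.uk, github.io and similar suffixes.
func apex(host string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(labels) < 2 {
		return labels[0]
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// ForeignDomains reads certgraph -details rows (Node Depth Status Cert-Fingerprint)
// and groups, per certificate, every node whose apex is not in owned. Anything that
// is not a four-field row (blank lines, notes beginning with "*") is skipped.
func ForeignDomains(details string, owned []string) []Finding {
	mine := map[string]bool{}
	for _, o := range owned {
		mine[apex(o)] = true
	}
	byCert := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(details))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || strings.HasPrefix(f[0], "*") {
			continue
		}
		if node, fp := f[0], f[3]; !mine[apex(node)] {
			byCert[fp] = append(byCert[fp], node)
		}
	}
	var out []Finding
	for fp, names := range byCert {
		sort.Strings(names)
		out = append(out, Finding{Fingerprint: fp, Foreign: names})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Fingerprint < out[j].Fingerprint })
	return out
}

// SampleDetails is constructed -details output in the README's layout. The
// fingerprints are placeholders, not real certificates; the blank line and the
// domains are there to exercise the parser.
var SampleDetails = strings.Join([]string{
	"example.com\t0\tGood\t" + strings.Repeat("A", 64),
	"www.example.com\t1\tGood\t" + strings.Repeat("A", 64),
	"old-partner.example.net\t1\tGood\t" + strings.Repeat("A", 64),
	"",
	"example.org\t1\tGood\t" + strings.Repeat("B", 64),
}, "\n")

func main() {
	for _, f := range ForeignDomains(SampleDetails, []string{"example.com", "example.org"}) {
		fmt.Printf("cert %s... names %d domain(s) you do not own: %s\n",
			f.Fingerprint[:12], len(f.Foreign), strings.Join(f.Foreign, ", "))
	}
}
```

With example.com and example.org declared as owned, the one finding is the certificate AAAA..., which also names old-partner.example.net: that is the BygoneSSL signal, a certificate you still serve (or that is still valid in CT) covering a name you do not control. Pipe real output in place of SampleDetails and add every apex you own to the list; an empty result is the clean outcome.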
