├── data └── .gitignore ├── rawdata └── .gitignore ├── README.md └── crtndstry.sh /data/.gitignore: -------------------------------------------------------------------------------- 1 | *.txt 2 | -------------------------------------------------------------------------------- /rawdata/.gitignore: -------------------------------------------------------------------------------- 1 | certspotter.txt 2 | crtsh.txt 3 | digicert.json 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 3 | ██████╗██████╗ ████████╗███╗ ██╗██████╗ ███████╗████████╗██████╗ ██╗ ██╗ 4 | ██╔════╝██╔══██╗╚══██╔══╝████╗ ██║██╔══██╗██╔════╝╚══██╔══╝██╔══██╗╚██╗ ██╔╝ 5 | ██║ ██████╔╝ ██║ ██╔██╗ ██║██║ ██║███████╗ ██║ ██████╔╝ ╚████╔╝ 6 | ██║ ██╔══██╗ ██║ ██║╚██╗██║██║ ██║╚════██║ ██║ ██╔══██╗ ╚██╔╝ 7 | ╚██████╗██║ ██║ ██║ ██║ ╚████║██████╔╝███████║ ██║ ██║ ██║ ██║ 8 | ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═══╝╚═════╝ ╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ 9 | 10 | ``` 11 | 12 | # Description 13 | crtndtry uses a number of different sources to create a list of root subdomains (i.e.: corp.example.com) 14 | 15 | # Usage 16 | ``` 17 | ./crtndstry example.com 18 | ``` 19 | 20 | # Sources 21 | - [crt.sh](https://crt.sh) - requires using different patterns as shown in the source 22 | - [digiCert](https://ssltools.digicert.com) 23 | - [certspotter](https://certspotter.com) 24 | 25 | # Video 26 | Here's the VOD of me writing this tool during one of my streams 27 | https://youtu.be/o37L5n6w9BQ 28 | 29 | 30 | # Credits 31 | - nukedx 32 | - dmfroberson 33 | 34 | -------------------------------------------------------------------------------- /crtndstry.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # This was created during a live stream on 11/16/2019 4 | # twitch.tv/nahamsec 5 | # Thank you to nukedx and dmfroberson for helping 
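# debug/improve

# Usage: ./crtndstry.sh example.com
# Writes raw source data to rawdata/ and the merged result to data/.

set -u

# Print usage and exit with status 2.
usage() {
  printf 'Usage: %s <domain>\n' "${0##*/}" >&2
  exit 2
}

# Print an error to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

for tool in curl jq; do
  command -v "$tool" >/dev/null 2>&1 || die "[-] This script requires ${tool}. Exiting."
done

#######################################
# Check that the target looks like a DNS name before it is placed in URLs and
# in rawdata/ file names (rejects '/', '..', empty labels and single labels).
# Arguments: $1 - domain as given on the command line
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_domain() {
  [[ "$1" =~ ^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$ ]]
}

#######################################
# Keep the last three dot-separated labels of every line on stdin, unique.
# foo.corp.example.com -> corp.example.com. This assumes a two-label target;
# for a target like example.co.uk the result is the target itself.
# Outputs:   one root subdomain per line on stdout
#######################################
last_three_labels() {
  rev | cut -d "." -f 1,2,3 | sort -u | rev
}

#######################################
# Collect raw certificate data for a domain from crt.sh, certspotter and
# DigiCert into rawdata/.
# Arguments: $1 - target domain, e.g. example.com
# Outputs:   rawdata/<domain>-crtsh.txt
#            rawdata/<domain>-certspotter.txt
#            rawdata/<domain>-digicert.json
#######################################
certdata() {
  local domain=$1
  # Dots in the domain must be literal when it is used as a regex.
  local domain_re=${domain//./\\.}
  local crtsh_out="rawdata/${domain}-crtsh.txt"
  local certspotter_out="rawdata/${domain}-certspotter.txt"
  local digicert_out="rawdata/${domain}-digicert.json"
  # crt.sh is queried once per pattern, e.g. %api%.example.com
  local -a patterns=("api" "corp" "dev" "uat" "test" "stag" "sandbox" "prod" "internal")
  local pat

  # Start from an empty file so results from earlier runs are not appended
  # to this run's list.
  : > "$crtsh_out"
  for pat in "${patterns[@]}"; do
    # --data-urlencode turns the literal '%' into %25, as the hand-built URL did.
    # '*.' is stripped so wildcard names collapse onto their base name.
    curl -fsS --get --data-urlencode "q=%${pat}%.${domain}" \
      --data-urlencode "output=json" https://crt.sh/ \
      | jq -r '.[].name_value' \
      | sed 's/\*\.//g' \
      | sort -u >> "$crtsh_out"
  done

  # NOTE(review): this is the certspotter v0 endpoint the original used; it may
  # no longer be served — confirm before relying on this source.
  # Only names that end in the target domain are kept.
  curl -fsS --get --data-urlencode "domain=${domain}" https://certspotter.com/api/v0/certs \
    | jq -r '.[].dns_names[]' \
    | sed 's/\*\.//g' \
    | grep -Ei -- "(^|\.)${domain_re}\$" \
    | sort -u > "$certspotter_out"

  # DigiCert returns one JSON document; it is parsed later by rootdomains().
  # -f keeps an HTTP error page from being saved as if it were JSON.
  curl -fsS --get --data-urlencode "keyword=${domain}" \
    -o "$digicert_out" https://ssltools.digicert.com/chainTester/webservice/ctsearch/search \
    || printf '[-] DigiCert query failed for %s\n' "$domain" >&2
}

#######################################
# Merge the raw name lists into a unique, lower-cased list of root subdomains.
# Arguments: $1 - target domain
# Outputs:   data/<domain>-<timestamp>.txt, echoed to stdout, then a count line
#######################################
rootdomains() {
  local domain=$1
  local domain_re=${domain//./\\.}
  local raw="rawdata/${domain}"
  local out tmp
  # The timestamp is taken once; the original called date twice and could
  # name a different file for the count if the minute rolled over in between.
  out="data/${domain}-$(date "+%Y.%m.%d-%H.%M").txt"
  tmp=$(mktemp) || die "[-] mktemp failed"

  {
    [[ -s "${raw}-crtsh.txt" ]] && last_three_labels < "${raw}-crtsh.txt"
    [[ -s "${raw}-certspotter.txt" ]] && last_three_labels < "${raw}-certspotter.txt"
    if [[ -s "${raw}-digicert.json" ]]; then
      # Missing keys yield nothing instead of a jq error. Wildcards are
      # stripped here too, matching how the other two sources are handled.
      jq -r '(.data.certificateDetail // [])[] | .commonName, (.subjectAlternativeNames // [])[]' "${raw}-digicert.json" \
        | sed 's/\*\.//g' \
        | grep -Ei -- "(^|\.)${domain_re}\$" \
        | last_three_labels
    fi
  } > "$tmp"

  tr '[:upper:]' '[:lower:]' < "$tmp" | sort -u | tee "$out"
  rm -f -- "$tmp"
  # Arithmetic expansion trims the padding some wc implementations print.
  printf '[+] Number of domains found: %s\n' "$(( $(wc -l < "$out") ))"
}

#######################################
# Entry point: validate the argument, create the output directories and run
# the collection followed by the merge.
# Arguments: $1 - target domain
#######################################
main() {
  (( $# == 1 )) || usage
  local domain=$1
  valid_domain "$domain" || die "[-] '${domain}' does not look like a domain name"
  mkdir -p rawdata data
  certdata "$domain"
  rootdomains "$domain"
}

main "$@"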