├── requirements.txt ├── README.md ├── .gitignore └── crtHunter.py /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | beautifulsoup4 3 | colorama 4 | argparse 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # crtHunter.py V 2.0 2 | there was previous version but i modify it to be petter 3 | A Python script to extract subdomains for a given domain using the crt.sh website. This script utilizes `requests`, `BeautifulSoup`, `argparse`, and `colorama` libraries to fetch and parse the data and provide a user-friendly command-line interface with colored output. 4 | 5 | ## Features 6 | 7 | - Extract subdomains for a given domain using crt.sh 8 | 9 | - Save extracted subdomains to a text file (optional) 10 | 11 | - Colored terminal output for better readability 12 | 13 | ## Prerequisites 14 | 15 | Before running the script, you need to install the required libraries. You can do this by running: 16 | 17 | ```bash 18 | pip install requests beautifulsoup4 colorama 19 | ``` 20 | ## Usage 21 | 22 | To use the script, run the following command in your terminal: 23 | 24 | ```bash 25 | python crtHunter.py -d DOMAIN [-o OUTPUT_FILE] 26 | ``` 27 | 28 | Or you can add list : 29 | 30 | ```bash 31 | 32 | python crtHunter.py -l DOMAINS_LIST [-o OUTPUT_FILE] 33 | 34 | ``` 35 | 36 | - Replace `DOMAIN` with the domain you want to search for subdomains. 37 | 38 | - The `-o OUTPUT_FILE` flag is optional. If provided, the script will save the extracted subdomains to the specified `OUTPUT_FILE`. 39 | ### Example 40 | 41 | ```bash 42 | 43 | python crtHunter.py -d example.com -o subdomains.txt 44 | 45 | ``` 46 | 47 | Or use list of domains: 48 | 49 | ```bash 50 | 51 | python crtHunter.py -l domains_lit.txt -o subdomains.txt 52 | 53 | ``` 54 | 55 | This command will extract subdomains for `example.com` and save them to a file named `subdomains.txt`. 56 | Or extract all the subdomains for each domain in the `domains_list.txt` ... 57 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | #.idea/ 161 | -------------------------------------------------------------------------------- /crtHunter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # crtHunter v2.0 3 | 4 | # By Hazem El-Sayed - twitter.com/ZomaSec 5 | # Import required libraries 6 | import re 7 | import requests 8 | from bs4 import BeautifulSoup 9 | import argparse 10 | import sys 11 | from colorama import init, Fore, Style 12 | 13 | # Initialize colorama for colored terminal output 14 | init(autoreset=True) 15 | 16 | # Define the banner to be displayed when the script is run 17 | BANNER = r''' 18 | 19 | _ _ 20 | _ | | | | _ 21 | ____ ____| |_ | |__ | |_ _ ____ | |_ ____ ____ 22 | / ___)/ ___| _)| __)| | | | | _ \| _)/ _ )/ ___) 23 | ( (___| | | |__| | | | |_| | | | | |_( (/ /| | 24 | \____|_| \___|_| |_|\____|_| |_|\___\____|_| 25 | 26 | 27 | Coded by : Hazem Elsayed 28 | Contributor : Yousef Mohamed 29 | @ZomaSec && @bug4you 30 | ''' 31 | 32 | # Function to extract subdomains using RegEx 33 | def extract_subdomains(text, domain): 34 | subdomains = set() 35 | regex = re.compile(r'\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+' + re.escape(domain) + r'\b') 36 | matches = regex.findall(text) 37 | for match in matches: 38 | subdomains.add(match) 39 | return subdomains 40 | 41 | # Function to get subdomains from crt.sh 42 | def get_subdomains_crtsh(domain): 43 | subdomains = set() 44 | url = f"https://crt.sh/?q={domain}" 45 | 46 | try: 47 | response = requests.get(url) 48 | response.raise_for_status() 49 | except requests.exceptions.RequestException as e: 50 | print(Fore.RED + f"Error: {str(e)}") 51 | return subdomains 52 | 53 | subdomains.update(extract_subdomains(response.text, domain)) 54 | return subdomains 55 | 56 | # Function to save subdomains to a file 57 | def save_subdomains(subdomains, output_file): 58 | with open(output_file, "a") as f: 59 | for subdomain in subdomains: 60 | f.write(subdomain + "\n") 61 | 62 | # Function to process multiple domains from a file 63 | def process_domains_from_file(domain_file, output_file): 64 | with open(domain_file, "r") as f: 65 | domains = f.readlines() 66 | 67 | for domain in domains: 68 | domain = domain.strip() 69 | subdomains = get_subdomains_crtsh(domain) 70 | 71 | subdomain_count = len(subdomains) 72 | 73 | if subdomain_count > 0: 74 | print(Fore.GREEN + f"[§]Found {subdomain_count} unique subdomains for {domain}") 75 | 76 | if output_file: 77 | save_subdomains(subdomains, output_file) 78 | print(Fore.GREEN + f"[§]Subdomains saved to {output_file}") 79 | else: 80 | print(Fore.RED + "Subdomains:") 81 | for subdomain in subdomains: 82 | print(Fore.GREEN + subdomain) 83 | else: 84 | print(Fore.RED + f"No subdomains found for {domain}") 85 | 86 | print(Fore.CYAN + f"Total number of subdomains: {subdomain_count}") 87 | print() 88 | 89 | # Main function that runs the script 90 | def main(domain, output_file, domain_file): 91 | if domain_file: 92 | print(Fore.CYAN + f"Processing domains from file {domain_file}...") 93 | process_domains_from_file(domain_file, output_file) 94 | return 95 | 96 | print(Fore.CYAN + "Extracting subdomains from crt.sh now...") 97 | subdomains = get_subdomains_crtsh(domain) 98 | 99 | subdomain_count = len(subdomains) 100 | 101 | if subdomain_count > 0: 102 | print(Fore.GREEN + f"[§]Found {subdomain_count} unique subdomains for {domain}") 103 | 104 | if output_file: 105 | save_subdomains(subdomains, output_file) 106 | print(Fore.GREEN + f"[§]Subdomains saved to {output_file}") 107 | else: 108 | print(Fore.RED + "Subdomains:") 109 | for subdomain in subdomains: 110 | print(Fore.GREEN + subdomain) 111 | else: 112 | print(Fore.RED + f"No subdomains found for {domain}") 113 | 114 | print(Fore.CYAN + f"Total number of subdomains: {subdomain_count}") 115 | 116 | # The entry point of the script 117 | if __name__ == "__main__": 118 | print(Fore.CYAN + BANNER) 119 | 120 | # Define command-line argument parser 121 | parser = argparse.ArgumentParser(description=Fore.YELLOW + Style.BRIGHT + "Find subdomains of a domain.") 122 | parser.add_argument("-d", "--domain", required=not bool(sys.stdin.isatty()), help=Fore.YELLOW + "The target domain.") 123 | parser.add_argument("-l", "--domain_file", required=False, help=Fore.YELLOW + "A file containing a list of domains to process (optional).") 124 | parser.add_argument("-o", "--output_file", required=False, help=Fore.RED + "The file to store subdomains into (optional).") 125 | 126 | 127 | # Check if there are any arguments provided 128 | if len(sys.argv) == 1 and sys.stdin.isatty(): 129 | print(Fore.YELLOW + parser.description) 130 | print(Fore.CYAN + "Usage: python crtHunter.py -d DOMAIN OR -l DOMAINS_LIST [-o OUTPUT_FILE] ") 131 | sys.exit(1) 132 | 133 | # Parse the command-line arguments and run the main function 134 | args = parser.parse_args() 135 | 136 | if not args.domain and not args.domain_file: 137 | print(Fore.RED + "Error: you must provide either a target domain (-d) or a file containing a list of domains (-l)") 138 | sys.exit(1) 139 | 140 | main(args.domain, args.output_file, args.domain_file) 141 | --------------------------------------------------------------------------------