Censys Subdomain Finder – Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain that has ever been issued an SSL certificate by a public CA.

See it in action:

$ python censys_subdomain_finder.py github.com

[*] Searching Censys for subdomains of github.com
[*] Found 42 unique subdomains of github.com in ~1.7 seconds

  - hq.github.com
  - talks.github.com
  - cla.github.com
  - github.com
  - cloud.github.com
  - enterprise.github.com
  - assist.github.com
  - collector-cdn.github.com
  - central.github.com
  - smtp.github.com
  - cas.octodemo.github.com
  - schrauger.github.com
  - jobs.github.com
  - classroom.github.com
  - dodgeball.github.com
  - visualstudio.github.com
  - department.github.com
  - www.github.com
  - edu.github.com
  - schooling.github.com
  - import.github.com
  - styleguide.github.com
  - neighborhood.github.com
  - server.github.com
  - mac-installer.github.com
  - registry.github.com
  - f.cloud.github.com
  - provide.github.com
  - helpnext.github.com
  - foo.github.com
  - porter.github.com
  - id.github.com
  - atom-installer.github.com
  - assessment-lab.github.com
  - vpn-ca.iad.github.com
  - maintainers.github.com
  - uncooked.github.com
  - standing.github.com
  - camo.github.com
  - help.enterprise.github.com
  - stg.github.com
  - rs.github.com
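
The core of this kind of enumeration is turning the names listed on certificates into a clean, deduplicated hostname list, which is also how a defender can inventory what their own certificates disclose. The sketch below is an added example, not code from the censys-subdomain-finder project: the record layout (a dict with a `names` list), the function names and the sample records are assumptions constructed for illustration, and no Censys API call is made.

```python
import re

# One DNS label: letters, digits, '-' or '_', 1 to 63 chars, no leading/trailing '-'.
LABEL = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?")

# Constructed sample records (hypothetical layout, not real Censys output).
SAMPLE_RECORDS = [
    {"names": ["example.com", "www.example.com"]},
    {"names": ["*.dev.example.com", "DEV.example.com."]},      # wildcard, case, trailing dot
    {"names": ["vpn.corp.example.com", "notexample.com"]},     # lookalike suffix
    {"names": ["example.com.other.test", "bad name.example.com"]},
    {},                                                        # record without names
]


def normalize(name):
    """Lower-case a certificate name, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def subdomains_from_certs(records, domain):
    """Return the sorted, unique hostnames at or under `domain` found in the records."""
    domain = normalize(domain)
    found = set()
    for record in records:
        for raw in record.get("names", []):
            name = normalize(raw)
            # Match on a label boundary so 'notexample.com' is not accepted.
            if name != domain and not name.endswith("." + domain):
                continue
            # Discard entries that are not syntactically valid hostnames.
            if all(LABEL.fullmatch(label) for label in name.split(".")):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_certs(SAMPLE_RECORDS, "example.com"):
        print("  - " + host)
```

Matching on `"." + domain` rather than a bare suffix is what keeps unrelated domains that merely end in the same string out of the result.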


  1. Register an account (free) on https://censys.io/register
  2. Browse to https://censys.io/account, and set two environment variables with your API ID and API secret
$ export CENSYS_API_ID=...
$ export CENSYS_API_SECRET=...
  3. Clone the repository
$ git clone https://github.com/christophetd/censys-subdomain-finder.git
  4. Install the dependencies
$ cd censys-subdomain-finder
$ pip install -r requirements.txt
  5. Run the script on example.com to ensure everything works as expected.
$ python censys_subdomain_finder.py example.com

[*] Searching Censys for subdomains of example.com
[*] Found 5 unique subdomains of example.com

  - merchandise.example.com
  - www.example.com
  - dev.example.com
  - example.com
  - help.example.com


usage: censys_subdomain_finder.py [-h] [-o OUTPUT_FILE]
                                  [--censys-api-id CENSYS_API_ID]
                                  [--censys-api-secret CENSYS_API_SECRET]

positional arguments:
  domain                The domain to scan

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_FILE
                        A file to output the list of subdomains to (default:
  --censys-api-id CENSYS_API_ID
                        Censys API ID. Can also be defined using the
                        CENSYS_API_ID environment variable (default: None)
  --censys-api-secret CENSYS_API_SECRET
                        Censys API secret. Can also be defined using the
                        CENSYS_API_SECRET environment variable (default: None)

Should run on Python 2.7 and 3.5.

The Censys API has a rate limit of 120 queries per 5 minutes window. Each invocation of this tool makes exactly one API call to Censys.
Feel free to open an issue or to tweet @christophetd for suggestions or remarks.
