-
Notifications
You must be signed in to change notification settings - Fork 0
/
recon-ct.txt
104 lines (73 loc) · 4.03 KB
/
recon-ct.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
____ ____ _____ ____ _____ ____ ___ _ _
KawaiiPantsu / / / / ___|_ _| _ \| ____/ ___/ _ \| \ | |
(c) 2020 / / / | | | | | |_) | _|| | | | | | \| |
_ _ / / / | |___ | | | _ <| |__| |__| |_| | |\ |
_| || |_ _____ /_/_/ \____| |_| |_| \_\_____\____\___/|_| \_|
|_ .. _|_____|_____ _____ _____ _____ _____ _____ _____ _____ _____ _____
|_ _|_____|_____|_____|_____|_____|_____|_____|_____|_____|_____|_____|
|_||_|
QUICK INFORMATION
======================
CTRECON - Certificate Transparency Reconnaissance
Lookup a domain via the Certificate Transparency open framework for monitoring
and auditing SSL certificates in nearly real time and find out associated
subdomains etc.
Nice way to do fast reconnaissance on a domain and get results like the old
days with AXFR (: This is not using any brute force or dict attact vectors.
It's simply looking up the domain's identity and looking for other domains that
has the same identity in the name. Thus doing a AXFR on the top level domain
name. You can also use it to lookup detailed information on all the certificates
they have had on a singular subdomain/domain.
References:
- http://www.certificate-transparency.org/
- https://crt.sh
CTRECON USAGE
======================
Just run the problem to get the help screen. Hopefully you have done the
installation from the frontpage so that all of these scripts are included
in your system path.
./ctrecon -d linux.org
____ ____ _____ ____ _____ ____ ___ _ _
/ / / / ___|_ _| _ \| ____/ ___/ _ \| \ | | KawaiiPantsu
/ / / | | | | | |_) | _|| | | | | | \| | (c) 2020
/ / / | |__ | | | _ <| |__| |__| |_| | |\ |
/_/_/ \____| |_| |_| \_\_____\____\___/|_| \_|
{ Certificate Transparency Reconnaissance }
{ Crawling the Certificate Transparency Open-framkework }
-// Far out, i found 9 domain(s) o.O
-// Here is the list on all sub domains with a bit of extra info
% [ *.linux.org ] IP: | Seen: 15-06-2017 | CA: COMODO ECC Domain Validation Secure Server CA 2
% [ cpanel.linux.org ] IP: | Seen: 07-12-2018 | CA: Let's Encrypt Authority X3
% [ linux.org ] IP: 104.27.167.219 | Seen: 19-03-2017 | CA: "cPanel, Inc. Certification Authority"
% [ mail.linux.org ] IP: | Seen: 19-03-2017 | CA: "cPanel, Inc. Certification Authority"
% [ sendy.linux.org ] IP: | Seen: 04-04-2019 | CA: Let's Encrypt Authority X3
% [ track.linux.org ] IP: | Seen: 03-02-2018 | CA: "cPanel, Inc. Certification Authority"
% [ webdisk.linux.org ] IP: | Seen: 07-12-2018 | CA: Let's Encrypt Authority X3
% [ webmail.linux.org ] IP: | Seen: 07-12-2018 | CA: Let's Encrypt Authority X3
% [ www.linux.org ] IP: 104.27.166.219 | Seen: 19-03-2017 | CA: "cPanel, Inc. Certification Authority"
Warning you might sometimes get a error like the following:
-// Something went wrong ....
-// HTTP/502
This just means you have been throttled, try again :)
TECHNICAL STUFF
======================
If you want to scrape this information yourself, perhaps rebuild the data in
your own database or what have you. Then you should take a look at some of this
stuff here. You can also find info on participating/using the framework your-
self on your web server.
To include SCT in the handshake your web server must support the following
- X509v3 Extension
- TLS Extension
- OCSP Stapling
To use it with Apache:
- mod_ssl_ct
- https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html
- http://www.certificate-transparency.org/resources-for-site-owners/apache
All known lists - https://www.gstatic.com/ct/log_list/v2/all_logs_list.json
THE IDEA, SOURCE?
======================
So this has been known for ages ... but the scripts out there just don't suit
my needs, sorry :() So i had to create my own little quick and dirty version
of ctfr that i previously used!
Original CTFR by UnaPibaGeek
- https://github.com/UnaPibaGeek/ctfr