def grab_domains(domain):
# We're using the certificates python API instead of making REST API calls to the certificates endpoint
certificates = censys.certificates.CensysCertificates(
CENSYS_API_KEY, CENSYS_SECRET)
# Iterate over certs that match a specific search; we're going to match on the Names field
# Could look at Subject Alternate Name (SAN) on cert, which allows multiple hostnames to be protected by a single cert
fields = ["parsed.names"]
# Declare empty set to hold subdomains
subdomains = set()
# initiate a search for any certs associated with the domain
try:
for certificate in certificates.search("parsed.names: " + domain,
fields=fields):
# Add contents of parsed names list to our set of domains
subdomains.update(certificate["parsed.names"])
return subdomains
# we're not permissive of exceptions here; if there's an API issue we'll quit right away
except censys.base.CensysRateLimitExceededException as e:
print(e)
exit(1)
except censys.base.CensysNotFoundException as e:
print(e)
exit(1)
except censys.base.CensysUnauthorizedException as e:
print(e)
exit(1)
except censys.base.CensysJSONDecodeException as e:
print(e)
exit(1)
# we've caught the most critical faults, but the one below is if you've hit maximum free results in one search
except Exception as e:
print(e)
return subdomains
def get_subdomains(domain, certificates):
logging.info("[+] Extracting sub-domains for {} from certificates".format(domain))
subdomains = []
certificate_query = 'parsed.names: {}'.format(domain)
certificates_search_results = certificates.search(certificate_query, fields=['parsed.names'])
for search_result in certificates_search_results:
subdomains.extend(search_result['parsed.names'])
return set(subdomains)
def get_subdomains(domain, certificates):
subdomains = []
certificate_query = 'parsed.names: {}'.format(domain)
certificates_search_results = certificates.search(certificate_query,
fields=['parsed.names'])
for search_result in certificates_search_results:
subdomains.extend(search_result['parsed.names'])
return set(subdomains)
def cert2iplis(cert):
import config
import censys.certificates
query_str = cert
UID = config.censys_uid
SECRET = config.censys_secret
certificates = censys.certificates.CensysCertificates(UID, SECRET)
for result in certificates.search(query_str):
print(result)
def find_certificates(target):
print("Certificates:")
certificates = censys.certificates.CensysCertificates(UID, SECRET)
fingerprints = []
fields = ["parsed.names", "parsed.extensions.subject_alt_name.dns_names",
"parsed.fingerprint_sha256", "parsed.subject_dn"]
for cert in certificates.search("%s and tags: trusted" % target, fields=fields):
if not is_cloudflare(cert["parsed.subject_dn"]) and target in cert["parsed.names"]:
fingerprints.append(cert["parsed.fingerprint_sha256"])
print("\tHost: %s\n\tFingerprint: %s" % (' '.join(cert["parsed.names"]), cert["parsed.fingerprint_sha256"]))
return fingerprints
def call_censys(domain: str, censys_uid: str, censys_secret: str):
domain = f'{domain}*'
certificates = censys.certificates.CensysCertificates(censys_uid, censys_secret)
fields = ["parsed.subject_dn", "parsed.names"]
censys_list = []
try:
for c in certificates.search(f"parsed.names:({domain})", fields=fields):
censys_list.append(c)
except:
print('Max limit of certs reached for this account')
with open('out_censys.json', 'w') as f:
json.dump(censys_list, f, ensure_ascii=False, indent=4)
def get_emails(domain, certificates):
del emails_found[:]
logging.info("[+] Extracting emails belonging to {} from SSL/TLS certificates".format(domain.rstrip()))
certificate_query = 'parsed.names: {}'.format(domain)
try:
certificates_search_results = certificates.search(certificate_query, fields=['parsed.subject.email_address'])
except KeyError:
pass
for search_result in certificates_search_results:
try:
emails_found.extend(search_result['parsed.subject.email_address'])
except KeyError:
pass
return set(emails_found)
def main():
certificates = censys.certificates.CensysCertificates(uid, api_key)
fields = [
"parsed.subject.common_name",
"parsed.extensions.subject_alt_name.dns_names"
]
query = "parsed.subject.common_name:%s or parsed.extensions.subject_alt_name.dns_names:%s" % (suffix, suffix)
print("Censys query:\n%s\n" % query)
current_page = start_page
print("Fetching up to %i records, starting at page %i." % (max_records, start_page))
while current_page <= end_page:
if current_page > start_page:
print("(Waiting %is before fetching page %i.)" % (delay, current_page))
time.sleep(delay)
print("Fetching page %i." % current_page)
for cert in certificates.search(query, fields=fields, page=current_page, max_records=page_size):
# Common name + SANs
names = cert['parsed.subject.common_name'] + cert['parsed.extensions.subject_alt_name.dns_names']
if debug:
print(names)
for name in names:
name = re.sub(wildcard_pattern, '', name).lower().strip()
if suffix_pattern.search(name):
hostnames_map[name] = None
current_page += 1
print("Done fetching from API.")
hostnames = list(hostnames_map.keys())
hostnames.sort()
print("Writing out CSV.")
for hostname in hostnames:
out_writer.writerow([hostname])
print("Done.")
def get_subdomains(domain, certificates):
unique_subdomains = []
logging.info("[+] Extracting sub-domains for {} from certificates".format(domain.rstrip()))
try:
certificate_query = 'parsed.names: {}'.format(domain)
certificates_search_results = certificates.search(certificate_query, fields=['parsed.names'])
except CensysException:
logging.info('\033[93m[!] Error while fetching results from Censys.\n\033[1;m')
sys.exit(1)
for search_result in certificates_search_results:
subdomains_found.extend(search_result['parsed.names'])
for subdomain in subdomains_found:
if '*' not in subdomain and subdomain.endswith(domain):
unique_subdomains.append(subdomain)
return set(unique_subdomains)
def show_censys_data(domain, uid, secret):
logger.info("Looking up {} on censys".format(domain))
domains = set()
domain_array = domain.split(".")
domain_array.pop()
certificates = censys.certificates.CensysCertificates(uid, secret)
fields = ["parsed.names"]
for c in certificates.search("parsed.names: %s" % domain, fields=fields):
for d in c["parsed.names"]:
if close_to_domain(d, domain, domain_array):
domains.add(d)
logger.info("Found {} unique domains".format(len(domains)))
for d in domains:
print(d)
def censys_search_certs(host):
try:
certificates = censys.certificates.CensysCertificates(api_id=UID,
api_secret=TOKEN)
cert_query = certificates.search(
"parsed.names: {0} AND tags.raw: trusted AND NOT parsed.names: cloudflaressl.com"
.format(host))
result = set(
[cert['parsed.fingerprint_sha256'] for cert in cert_query])
hosts_query = censys.ipv4.CensysIPv4(api_id=UID, api_secret=TOKEN)
hosts = ' OR '.join(result)
if hosts:
searching = hosts_query.search(hosts)
host_result = set(
[search_result['ip'] for search_result in searching])
return host_result
except:
print("[-] We got an error here, maybe with your credentials!")
exit(1)
def investigate(domain, vt_api, api_id, api_secret):
certificates = censys.certificates.CensysCertificates(api_id, api_secret)
certificate_query = 'parsed.names: {}'.format(domain)
certificates_search_results = certificates.search(certificate_query,
fields=['parsed.names'])
#print(certificates_search_results)
subdomains = []
for search_result in certificates_search_results:
subdomains.extend(search_result['parsed.names'])
for subs in subdomains:
print(subs)
result_A = dns.resolver.query(domain, 'A')
for ipadd in result_A:
print('[+] A RECORDS :', ipadd)
result_TXT = dns.resolver.query(domain, 'TXT')
print('[+] TXT : ', result_TXT)
url = 'https://www.virustotal.com/vtapi/v2/domain/report'
params = {'apikey': vt_api, 'domain': domain}
response = requests.get(url, params=params)
for i in response.json()['detected_urls']:
print("RELATED URL : {} POSITIVES {}".format(i['url'], i['positives']))
def get_emails(domain, certificates):
del emails_found[:]
logging.info(
"[+] Extracting emails belonging to {} from SSL/TLS certificates".
format(domain.rstrip()))
try:
certificate_query = 'parsed.names: {}'.format(domain)
except CensysException:
logging.info(
'\033[93m[!] Error while fetching results from Censys.\n\033[1;m')
sys.exit(1)
try:
certificates_search_results = certificates.search(
certificate_query, fields=['parsed.subject.email_address'])
except KeyError:
pass
for search_result in certificates_search_results:
try:
emails_found.extend(search_result['parsed.subject.email_address'])
except KeyError:
pass
return set(emails_found)
def censys_search_certs(host):
if not API_ID or not SECRET:
return False
try:
certificates = censys.certificates.CensysCertificates(
api_id=API_ID, api_secret=SECRET)
cert_query = certificates.search(
"parsed.names: {0} AND tags.raw: trusted AND NOT parsed.names: cloudflaressl.com".format(host))
result = set([cert['parsed.fingerprint_sha256']
for cert in cert_query])
hosts_query = censys.ipv4.CensysIPv4(api_id=API_ID, api_secret=SECRET)
hosts = ' OR '.join(result)
if hosts:
searching = hosts_query.search(hosts)
host_result = set([search_result['ip']
for search_result in searching])
return host_result
else:
return []
except:
return False
def investigate(domain, vt_api, api_id, api_secret):
certificates = censys.certificates.CensysCertificates(api_id, api_secret)
certificate_query = 'parsed.names: {}'.format(domain)
certificates_search_results = certificates.search(certificate_query,
fields=['parsed.names'])
#print(certificates_search_results)
subdomains = [] # use
for search_result in certificates_search_results:
subdomains.extend(search_result['parsed.names'])
for subs in subdomains:
print(subs)
result_A = dns.resolver.query(domain, 'A')
ip = '' # use
for ipadd in result_A:
ip = str(ipadd)
print('[+] A RECORDS :', ipadd)
#result_TXT = dns.resolver.query(domain, 'TXT')
#print('[+] TXT : ', result_TXT.qname)
url = 'https://www.virustotal.com/vtapi/v2/domain/report'
params = {'apikey': vt_api, 'domain': domain}
response = requests.get(url, params=params)
for dnsres in response.json()['dns_records']:
print(dnsres)
dnsresponse = response.json()['dns_records'] # use
dnsurls = response.json()['detected_urls'] # use
for i in response.json()['detected_urls']:
print("RELATED URL : {} POSITIVES {}".format(i['url'], i['positives']))
print('[+] Finding Geo-location of the Domain:')
handler = ipinfo.getHandler(access_token='b5239b01d8abc5')
print('\n')
details = handler.getDetails(ip) # use
pprint.pprint(details.all)
return details
import censys.certificates
UID = "78d24978-4024-45ce-97a0-913fa26b4cdc"
SECRET = "Ee0SBxl9XelzvS6C0RHaBsSCPDTgMpvl"
certificates = censys.certificates.CensysCertificates(UID, SECRET)
fields = [
"parsed.subject_dn", "parsed.fingerprint_sha256", "parsed.fingerprint_sha1"
]
for c in certificates.search("validation.nss.valid: true", fields=fields):
print(c["parsed.subject_dn"])
print("""
+++ Menu +++
1.Check Subdomain with Censys
2.Check Subdomain with list keyword
3.Check Subdomain with Censys and list keyword
4.Exit/Quit
""")
ans = input("What would you like to do? ")
if ans == "1":
domain = input("Enter Domain: ")
UID = "83f1de21-5e60-4c6a-8bb1-6afb3617aa6d"
SECRET = "WVHec4SvOQTBuBZMZpQwVHrjSHABSiS1"
certificates = censys.certificates.CensysCertificates(UID, SECRET)
sub = 'parsed.names: %s' % domain
cert_search_results = certificates.search(sub, fields=['parsed.names'])
subdomains = []
for c in cert_search_results:
subdomains.extend(c['parsed.names'])
def RemoveDuplication(subdomains):
final_list = []
for text in subdomains:
if text not in final_list:
final_list.append(text)
return final_list
print("=" * 60)
for dns in RemoveDuplication(subdomains):
if domain in dns:
print(dns)
print("╚═════╝░░╚═════╝░╚═════╝░╚═════╝░░╚════╝░╚═╝░░░░░╚═╝╚═╝░░╚═╝╚═╝╚═╝░░╚══╝╚═════╝░")
import censys.certificates
import socket
print("[SYNTAX]: google.com")
searchDomain = input("[DOMAIN NAME]: ")
updomains = {}
downdomains = {}
UID = ""
SECRET = ""
certificates = censys.certificates.CensysCertificates(UID, SECRET)
fields = ["parsed.names"]
for c in certificates.search(searchDomain, fields=fields, max_records=1000):
try:
domain = c["parsed.names"][0].replace("*.", "").replace("www.", "")
except:
continue
if not updomains.get(domain) and not downdomains.get(domain) and domain.endswith(searchDomain) and (("."+searchDomain in domain) or searchDomain == domain):
try:
ip = socket.gethostbyname(domain)
updomains[domain] = ip
except:
downdomains[domain] = True
if updomains:
print("--------------------------")
print("-=-=-=- DOMAINS UP -=-=-=-")
#!/usr/bin/env python # -*- coding: utf-8 -*- # author = [email protected] # project = https://github.com/Xyntax/POC-T import censys.certificates UID = "login for API key" SECRET = "login for API secret" certificates = censys.certificates.CensysCertificates(UID, SECRET) fields = [ "parsed.subject_dn", "parsed.fingerprint_sha256", "parsed.fingerprint_sha1" ] for c in certificates.search("current_valid_nss: true"): print c["parsed.subject_dn"]
import censys.certificates
import csv
from settings import UID, SECRET
certificates = censys.certificates.CensysCertificates(UID, SECRET)
fields = [
"parsed.fingerprint_sha256", "parsed.validity.start", "parsed.validity.end"
]
with open('results.csv', 'w', newline='') as file:
writer = csv.writer(file)
writer.writerow(
["SHA256 fingerprint", "validity start date", "validity end date"])
for c in certificates.search("parsed.names: censys.io, tags: trusted",
fields=fields):
writer.writerow([
c["parsed.fingerprint_sha256"], c["parsed.validity.start"],
c["parsed.validity.end"]
])
# for c in certificates.search("parsed.names: censys.io, tags: trusted", fields=fields):
# print(c["parsed.validity.start"] + " " + c["parsed.fingerprint_sha256"] + " " + str(c["parsed.validity.end"]))
#!/usr/bin/env python # -*- coding: utf-8 -*- # author = [email protected] # project = https://github.com/Xyntax/POC-T import censys.certificates UID = "login for API key" SECRET = "login for API secret" certificates = censys.certificates.CensysCertificates(UID, SECRET) fields = ["parsed.subject_dn", "parsed.fingerprint_sha256", "parsed.fingerprint_sha1"] for c in certificates.search("current_valid_nss: true"): print c["parsed.subject_dn"]
