{"id":17289962,"url":"https://github.com/josehelps/blackcert","last_synced_at":"2025-04-14T11:24:18.361Z","repository":{"id":50174121,"uuid":"249877463","full_name":"josehelps/blackcert","owner":"josehelps","description":"Blackcert monitors Certificate Transparency Logs for a keyword. Blackcert collects any certificate changes for this keyword and also checks if any domain changes with that keyword look like a phishing domain.","archived":false,"fork":false,"pushed_at":"2022-12-08T03:53:41.000Z","size":170,"stargazers_count":9,"open_issues_count":3,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-10T18:40:00.059Z","etag":null,"topics":["certificate","monitoring","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/josehelps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-25T03:24:58.000Z","updated_at":"2023-10-13T21:36:34.000Z","dependencies_parsed_at":"2023-01-25T07:30:48.721Z","dependency_job_id":null,"html_url":"https://github.com/josehelps/blackcert","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josehelps%2Fblackcert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josehelps%2Fblackcert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josehelps%2Fblackcert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josehelps%2Fblackcert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/josehelps","download_url":"https://codeload.github.com/josehelps/blackcert/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248869777,"owners_count":21174929,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","monitoring","security"],"created_at":"2024-10-15T10:36:36.218Z","updated_at":"2025-04-14T11:24:18.330Z","avatar_url":"https://github.com/josehelps.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"![](docs/blackcert_logo.png)\n# blackcert 📓\nBlackcert monitors [Certificate Transparency Logs](https://en.wikipedia.org/wiki/Certificate_Transparency) for a keyword. Blackcert collects any certificate changes for this keyword and also checks if any domain changes with that keyword look like a phishing domain. \n\n# Purpose\nDeveloped to proactively monitor for actors registering certificates for a domain for phishing purposes. Although I have found it useful/used for:\n\n* monitoring certificate changes for your company, for example, configure keyword `splunk`\n* monitoring/enumerating customers for companies that use SAN, for example, seeing all customers registered by fastly or medium, since they add a new domain alias to their shared certificate for new customers; configure `medium, fastly`\n* monitoring for fraud sites that relate to topical things, for example, all domains that have registered for a certificate containing topical words; configure `coronavirus, covid, chloroquine`. \n\n# Installation\n\n1. 
clone project: `git clone https://github.com/d1vious/blackcert.git \u0026\u0026 cd blackcert`\n2. install dependencies in a virtual environment: `pip install virtualenv \u0026\u0026 virtualenv -p python3 venv \u0026\u0026 source venv/bin/activate \u0026\u0026 pip install -r requirements.txt`\n3. configure keywords to monitor and slack webhook optionally by editing [blackcert.conf](https://github.com/d1vious/blackcert/blob/master/blackcert.conf)\n\n# Run\n\n`python blackcert.py`\n\nall results will be printed and also written to [results.log](#results-log) by default.\n\n# Usage\n\n```\nusage: blackcert.py [-h] [-c CONFIG] [-o OUTPUT] [-v]\n\nstarts listening for newly registered certificates and sends slack alerts when\nit matches\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -c CONFIG, --config CONFIG\n                        path to the configuration file of blackcert\n  -o OUTPUT, --output OUTPUT\n                        path to a JSON log file of the matches\n  -v, --version         shows current blackcert version\n```\n\n# Slack Alerts\nI recommend creating a bot channel, e.g. blackcert-bot, and then creating a webhook for it. Below is an example message for it. Protip: inviting the SOC into a bot channel like this will help them understand how certificates are being used in the org. 😉\n\n![](docs/blackcert_slack_alert.png)\n  \n# Phishing Score Calculation\n  The score calculation is graciously borrowed from [Phishing Catcher](phishing_catcher) which was an inspiration for this project. It calculates the score using the following workflow: \n  \n1. Adds 20 points if it has a [suspicious TLD](https://github.com/d1vious/blackcert/blob/master/suspicious.yaml#L137)\n2. Adds points for [higher entropy](https://github.com/d1vious/blackcert/blob/master/blackcert.py#L79)\n3. Adds 10 points for [fake](https://github.com/d1vious/blackcert/blob/master/blackcert.py#L87) .com .net .org, for example `*.com-account-management.info`\n4. 
Adds points for [suspicious keywords](https://github.com/d1vious/blackcert/blob/master/suspicious.yaml#L1).\n5. Adds points for [too many](https://github.com/d1vious/blackcert/blob/master/blackcert.py#L102) `-` characters in the domain, for example, `www.paypal-datacenter.com-acccount-alert.com`\n6. Adds points for [deeply nested](https://github.com/d1vious/blackcert/blob/master/blackcert.py#L106) domains, for example, `www.paypal.com.security.accountupdate.gq`\n\n# Results.json\nBelow is an example of how objects are saved in results.json. Protip: indexing these in a system like Splunk or ES will allow you to create a nice histogram on certificate changes for your organization, a competitor, or even mine the data for enumeration purposes. \n\n```\n{\n  \"timestamp\": \"2020-03-26T03:26:58.097680\",\n  \"fingerprint\": \"51635745d6b7da0914196e6015023bac67351e86\",\n  \"domain\": \"woodsnap.com\",\n  \"subject\": \"/C=US/CN=sni.cloudflaressl.com/L=San Francisco/O=Cloudflare, Inc./ST=CA\",\n  \"CA\": [\n    \"CloudFlare Inc ECC CA-2\",\n    \"Baltimore CyberTrust Root\"\n  ],\n  \"score\": 29\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjosehelps%2Fblackcert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjosehelps%2Fblackcert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjosehelps%2Fblackcert/lists"}