{"id":13438475,"url":"https://github.com/lanrat/certgraph","last_synced_at":"2026-02-21T19:34:37.972Z","repository":{"id":41432263,"uuid":"66890297","full_name":"lanrat/certgraph","owner":"lanrat","description":"An open source intelligence tool to crawl the graph of certificate Alternate Names","archived":false,"fork":false,"pushed_at":"2024-02-21T02:00:47.000Z","size":202,"stargazers_count":347,"open_issues_count":2,"forks_count":42,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-03-20T03:43:13.561Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://lanrat.github.io/certgraph","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lanrat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-08-30T00:09:45.000Z","updated_at":"2025-02-22T21:04:30.000Z","dependencies_parsed_at":"2024-06-18T20:11:20.814Z","dependency_job_id":"3009a1ca-328f-4a90-bf0f-259b72b3da0b","html_url":"https://github.com/lanrat/certgraph","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lanrat%2Fcertgraph","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lanrat%2Fcertgraph/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lanrat%2Fcertgraph/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lanrat%2Fcertgraph/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lanrat","download_url":"https://codeload.github.com/lanrat/certgraph/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244564790,"owners_count":20473130,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:01:05.826Z","updated_at":"2025-10-21T04:03:50.718Z","avatar_url":"https://github.com/lanrat.png","language":"Go","readme":"# CertGraph\n\n## A tool to crawl the graph of certificate Alternate Names\n\nCertGraph crawls SSL certificates creating a directed graph where each domain is a node and the certificate alternative names for that domain's certificate are the edges to other domain nodes. New domains are printed as they are found. In Detailed mode upon completion the Graph's adjacency list is printed.\n\nCrawling defaults to collecting certificate by connecting over TCP, however there are multiple drivers that can search [Certificate Transparency](https://www.certificate-transparency.org/) logs.\n\nThis tool was designed to be used for host name enumeration via SSL certificates, but it can also show you a \"chain\" of trust between domains and the certificates that re-used between them.\n\n[Blog post with more information](https://lanrat.com/certgraph/)\n\n## Usage\n\n```console\nUsage of ./certgraph: [OPTION]... HOST...\n        https://github.com/lanrat/certgraph\nOPTIONS:\n  -apex\n     for every domain found, add the apex domain of the domain's parent\n  -cdn\n     include certificates from CDNs\n  -censys-appid string\n     censys API AppID\n  -censys-secret string\n     censys API Secret\n  -ct-expired\n     include expired certificates in certificate transparency search\n  -ct-subdomains\n     include sub-domains in certificate transparency search\n  -depth uint\n     maximum BFS depth to go (default 5)\n  -details\n     print details about the domains crawled\n  -dns\n     check for DNS records to determine if domain is registered\n  -driver string\n     driver(s) to use [censys, crtsh, http, smtp] (default \"http\")\n  -json\n     print the graph as json, can be used for graph in web UI\n  -parallel uint\n     number of certificates to retrieve in parallel (default 10)\n  -regex string\n     regex domains must match to be part of the graph\n  -sanscap int\n     maximum number of uniq apex domains in certificate to include, 0 has no limit (default 80)\n  -save string\n     save certs to folder in PEM format\n  -serve string\n     address:port to serve html UI on\n  -timeout uint\n     tcp timeout in seconds (default 10)\n  -updatepsl\n     Update the default Public Suffix List\n  -verbose\n     verbose logging\n  -version\n     print version and exit\n```\n\n## Drivers\n\nCertGraph has multiple options for querying SSL certificates. The driver is responsible for retrieving the certificates for a given domain. Currently there are the following drivers:\n\n* **http** this is the default driver which works by connecting to the hosts over HTTPS and retrieving the certificates from the SSL connection\n\n* **smtp** like the *http* driver, but connects over port 25 and issues the *starttls* command to retrieve the certificates from the SSL connection\n\n* **censys** this driver searches Certificate Transparency logs via [censys.io](https://search.censys.io/certificates). No packets are sent to any of the domains when using this driver. Requires Censys API keys\n\n* **crtsh** this driver searches Certificate Transparency logs via [crt.sh](https://crt.sh/). No packets are sent to any of the domains when using this driver\n\n\n## Example\n\n```console\n$ ./certgraph -details eff.org\neff.org 0       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325\nmaps.eff.org    1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325\nhttps-everywhere-atlas.eff.org  1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325\nhttpse-atlas.eff.org    1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325\natlas.eff.org   1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325\nkittens.eff.org 1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325\n```\n\nThe above output represents the adjacency list for the graph for the root domain `eff.org`. The adjacency list is in the form:\n`Node    Depth    Status    Cert-Fingerprint`\n\n## [Releases](https://github.com/lanrat/certgraph/releases)\n\nPre-compiled releases will occasionally be uploaded to the [releases github page](https://github.com/lanrat/certgraph/releases). [https://github.com/lanrat/certgraph/releases](https://github.com/lanrat/certgraph/releases)\n\n### [Docker](https://hub.docker.com/r/lanrat/certgraph/)\n\nCertGraph is an automated build on the Docker Hub!\n\n```console\n$ docker run --rm -it lanrat/certgraph example.com\nexample.com\nwww.example.net\nwww.example.org\nwww.example.com\nexample.org\nexample.net\nexample.edu\nwww.example.edu\n```\n\n### Linux Distributions\n\n* [BlackArch](https://blackarch.org)\n* [Kali Linux](https://www.kali.org/)\n\n## Compiling\n\nTo compile certgraph you must have a working go 1.16 or newer compiler on your system.\nTo compile for the running system compilation is as easy as running make\n\n```console\ncertgraph$ make\ngo build -o certgraph certgraph.go\n```\n\nAlternatively you can use `go get` to install with this one-liner:\n\n```console\ngo install github.com/lanrat/certgraph@latest\n```\n\n## [Web UI](https://lanrat.github.io/certgraph/)\n\nA web UI is provided in the docs folder and is accessible at the github pages url [https://lanrat.github.io/certgraph/](https://lanrat.github.io/certgraph/), or can be run from the embedded web server by calling `certgraph --serve 127.0.0.1:8080`.\n\nThe web UI takes the output provided with the `-json` flag.\nThe JSON graph can be sent to the web interface as an uploaded file, remote URL, or as the query string using the data variable.\n\n### [Example 1: eff.org](https://lanrat.github.io/certgraph/?data=https://gist.githubusercontent.com/lanrat/8187d01793bf3e578d76495182654206/raw/c49741b5206d81935febdf563452cc4346381e52/eff.json)\n\n[![eff.org graph](https://cloud.githubusercontent.com/assets/164192/20861413/6ba0fcca-b944-11e6-857f-ddd613130ea3.png)](https://lanrat.github.io/certgraph/?data=https://gist.githubusercontent.com/lanrat/8187d01793bf3e578d76495182654206/raw/c49741b5206d81935febdf563452cc4346381e52/eff.json)\n\n### [Example 2: google.com](https://lanrat.github.io/certgraph/?data=https://gist.githubusercontent.com/lanrat/1ab1e78aaf5798049650d8d8ad7b58a1/raw/426d3a2498626014cb5ba2856ad0899787e4103f/google.json)\n\n[![google.com graph](https://cloud.githubusercontent.com/assets/164192/19752837/16cb8302-9bb5-11e6-810d-ea34594a63ef.png)](https://lanrat.github.io/certgraph/?data=https://gist.githubusercontent.com/lanrat/1ab1e78aaf5798049650d8d8ad7b58a1/raw/426d3a2498626014cb5ba2856ad0899787e4103f/google.json)\n\n### [Example 3: whitehouse.gov](https://lanrat.github.io/certgraph/?data=https://gist.githubusercontent.com/lanrat/96c47dfee0faaaad633cc830b7e3b997/raw/3c79fed837cb3202e220de21d2a8eb128f4bbd9f/whitehouse.json)\n\n[![whitehouse.gov graph](https://cloud.githubusercontent.com/assets/164192/20861407/4775ff26-b944-11e6-888c-4d93e3333494.png)](https://lanrat.github.io/certgraph/?data=https://gist.githubusercontent.com/lanrat/96c47dfee0faaaad633cc830b7e3b997/raw/3c79fed837cb3202e220de21d2a8eb128f4bbd9f/whitehouse.json)\n\n## BygoneSSL detection\n\n### Self Detection\n\nCertGraph can be used to detect [BygoneSSL](https://insecure.design) DoS with the following options. CT-DRIVER can be any Certificate Transparency capable driver.\nProvide all known input domains you own. If any domains you do not own are printed, then you are vulnerable.\n\n```console\ncertgraph -depth 1 -driver CT-DRIVER -ct-subdomains -cdn -apex [DOMAIN]...\n```\n\n### Bug Bounty\n\nIf you want to find a vulnerable site that has a bug bounty, certgraph can be used with the following options and any driver. But you will have better luck with a non Certificate Transparency driver to ensure that the certificates in question are actually in use\n\n```console\ncertgraph -cdn -dns -apex [DOMAIN]...\n```\n\nAnd domains that print `* Missing DNS for` have vulnerable certificates that should be rotated.\n","funding_links":[],"categories":["Asset Discovery","Online Resources","Open Sources Intelligence (OSINT)","Tools by Category","Go","[↑](#contents)Domain / Subdomain Discovery"],"sub_categories":["Domain / Subdomain Discovery","Open Sources Intelligence (OSINT) Resources","OSINT Online Resources","👤 Username \u0026 Identity Research","Online Open Sources Intelligence (OSINT) Resources"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flanrat%2Fcertgraph","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flanrat%2Fcertgraph","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flanrat%2Fcertgraph/lists"}