https://github.com/christophetd/censys-subdomain-finder

⚡ Perform subdomain enumeration using the certificate transparency logs from Censys.
https://github.com/christophetd/censys-subdomain-finder

bugbounty certificate-transparency-logs enumerate-subdomains osint pentest-tool pentesting recon subdomain-enumeration subdomain-scanner subdomains

Last synced: 7 days ago
JSON representation

⚡ Perform subdomain enumeration using the certificate transparency logs from Censys.

• Host: GitHub
• URL: https://github.com/christophetd/censys-subdomain-finder
• Owner: christophetd
• Created: 2018-01-15T11:29:42.000Z (almost 7 years ago)
• Default Branch: main
• Last Pushed: 2023-06-13T19:25:41.000Z (over 1 year ago)
• Last Synced: 2024-10-16T01:48:38.236Z (24 days ago)
• Topics: bugbounty, certificate-transparency-logs, enumerate-subdomains, osint, pentest-tool, pentesting, recon, subdomain-enumeration, subdomain-scanner, subdomains
• Language: Python
• Homepage:
• Size: 26.4 KB
• Stars: 733
• Watchers: 14
• Forks: 127
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml

Awesome Lists containing this project

• awesome-bugbounty-tools - censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys. (Recon / Subdomain Enumeration)

README

        
# Censys subdomain finder

This is a tool to enumerate subdomains using the Certificate Transparency logs stored in [Censys Search](https://search.censys.io). It should return any subdomain who has ever been issued a SSL certificate by a public CA.

See it in action:

```shell

$ python censys-subdomain-finder.py github.com

[*] Searching Censys for subdomains of github.com

[*] Found 42 unique subdomains of github.com in ~1.7 seconds

  - hq.github.com

  - talks.github.com

  - cla.github.com

  - github.com

  - cloud.github.com

  - enterprise.github.com

  - help.github.com

  - collector-cdn.github.com

  - central.github.com

  - smtp.github.com

  - cas.octodemo.github.com

  - schrauger.github.com

  - jobs.github.com

  - classroom.github.com

  - dodgeball.github.com

  - visualstudio.github.com

  - branch.github.com

  - www.github.com

  - edu.github.com

  - education.github.com

  - import.github.com

  - styleguide.github.com

  - community.github.com

  - server.github.com

  - mac-installer.github.com

  - registry.github.com

  - f.cloud.github.com

  - offer.github.com

  - helpnext.github.com

  - foo.github.com

  - porter.github.com

  - id.github.com

  - atom-installer.github.com

  - review-lab.github.com

  - vpn-ca.iad.github.com

  - maintainers.github.com

  - raw.github.com

  - status.github.com

  - camo.github.com

  - support.enterprise.github.com

  - stg.github.com

  - rs.github.com

```

## Setup

1. Register an account (free) on 

2. Browse to , and set two environment variables with your API ID and API secret:

    ```shell

    export CENSYS_API_ID=...

    export CENSYS_API_SECRET=...

    ```

    Alternatively, you can use a `.env` file to store these values for persistence across uses:

    ```shell

    cp .env.template .env

    ```

    Then edit the `.env` file and set the values for `CENSYS_API_ID` and `CENSYS_API_SECRET`.

3. Clone the repository:

    ```shell

    git clone https://github.com/christophetd/censys-subdomain-finder.git

    ```

4. Install the dependencies in a virtualenv:

    ```shell

    cd censys-subdomain-finder

    python3 -m venv venv

    source venv/bin/activate

    pip install -r requirements.txt

    ```

## Usage

Sample usage:

```shell

python censys-subdomain-finder.py example.com

```

Output the list of subdomains to a text file:

```shell

python censys-subdomain-finder.py example.com -o subdomains.txt

```

```shell

usage: censys-subdomain-finder.py [-h] [-o OUTPUT_FILE]

                                  [--censys-api-id CENSYS_API_ID]

                                  [--censys-api-secret CENSYS_API_SECRET]

                                  domain

positional arguments:

  domain                The domain to scan

optional arguments:

  -h, --help            show this help message and exit

  -o OUTPUT_FILE, --output OUTPUT_FILE

                        A file to output the list of subdomains to (default:

                        None)

  --censys-api-id CENSYS_API_ID

                        Censys API ID. Can also be defined using the

                        CENSYS_API_ID environment variable (default: None)

  --censys-api-secret CENSYS_API_SECRET

                        Censys API secret. Can also be defined using the

                        CENSYS_API_SECRET environment variable (default: None)

```

## Compatibility

Should run on Python 3.7+.

## Notes

The Censys API has a limit rate of 120 queries per 5 minutes window. Each invocation of this tool makes exactly one API call to Censys.

Feel free to [open an issue](https://github.com/christophetd/censys-subdomain-finder/issues/new) or to [tweet @christophetd](https://twitter.com/christophetd/) for suggestions or remarks.