Suggestion
attacker34 opened this issue · 4 comments
There is a need to add some prefix keywords too when searching crt.sh for a specific domain.
For example, a simple search without using any prefix:
https://crt.sh/?q=%25.yahoo.com
But if we use a prefix like api, Internal, Staging, Stag, Production, Product, dev, etc., we will get different results from the above.
https://crt.sh/?q=%25.api.yahoo.com
Please add prefixes to the tool to grab more subdomains related to a domain.
Sincerely,
Hi mate!
I'm glad that you're using my tool! But I don't quite understand what you mean.
Can we talk about this in depth on Twitter or Discord?
Regards,
@flemishhacker sorry for the confusion. Just quickly look at these two queries and their results:
https://crt.sh/?q=%25.yahoo.com
https://crt.sh/?q=%25.api.yahoo.com
Do you see the difference in the results?
So I am talking about prefixes like "api, staging, prod, dev", etc., words which can be used before the domain name to collect more subdomains.
Like above, the simple domain search is yahoo.com, but I used "api.yahoo.com" to collect more subdomains, which you won't get if you simply use yahoo.com in the crt.sh search box.
I hope now you have got my point.
Thanks.
Hello @attacker34
I will have a look at that once I have improved it. I will drop an update. Anyway, thanks for letting me know!
Regards,
Hi mate!
I have checked the script, and when I entered the two (sub)domains, the output of crt.sh is the same as in my tool. The fact that you have more results in crt.sh is because you get a lot of duplicates. In the tool itself you can clearly find the filter that removes the duplicates:
curl -s https://crt.sh/\?q\=\%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
For example, if you enter yahoo.com, it will give you all the subdomains that it has found on crt.sh. But if you enter api.yahoo.com, you will find a lot of subdomains of yahoo.com like commsdata.api.yahoo.com. Those are all the same. My tool filters them and leaves all the subdomains that are unique.
So you can just put something like api.yahoo.com or any other 'prefix' [e.g. dev, staging, api, sandbox, vpn, etc.] into the tool and you will get the results. So there is no need to add an additional keyword in the script.
If you mean the depth function to search by depth, this may be available in the future!
However, the tool is still not stable; many future updates will help to get more accurate results (low false positive results).
I hope this helped you. If not, please try to give me more information about what you are trying to suggest!
Thank you!
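
The de-duplication discussed in the last comment, as an added example that is not part of the thread or of the tool's own code. It runs the same normalization steps as the quoted pipeline over constructed rows shaped like crt.sh's JSON output for the placeholder domain example.com; the row contents, function names and the lower-casing step are assumptions made for illustration.

```python
import json

# Constructed rows shaped like crt.sh's output=json records (not real data).
# Stands in for the response to q=%.example.com
BASE_ROWS = json.loads("""[
  {"name_value": "*.example.com\\nexample.com"},
  {"name_value": "api.example.com"},
  {"name_value": "commsdata.api.example.com\\n*.api.example.com"},
  {"name_value": "API.example.com"},
  {"name_value": "dev.example.com"},
  {"name_value": "commsdata.api.example.com"}
]""")
# Stands in for the response to q=%.api.example.com
PREFIX_ROWS = json.loads("""[
  {"name_value": "commsdata.api.example.com\\n*.api.example.com"},
  {"name_value": "commsdata.api.example.com"}
]""")

def raw_names(rows):
    """Every name as listed; one name_value can hold several, newline-separated."""
    return [n for row in rows for n in row.get("name_value", "").splitlines() if n.strip()]

def normalize(rows):
    """Strip the wildcard label and de-duplicate, like the sed and sort -u stages.
    Lower-casing is an extra step that the quoted pipeline does not perform."""
    names = set()
    for name in raw_names(rows):
        name = name.strip().lower()
        if name.startswith("*."):
            name = name[2:]
        names.add(name)
    return sorted(names)

def under(names, suffix):
    """Keep names equal to or below the given suffix (label-boundary match)."""
    suffix = suffix.lower().rstrip(".")
    return [n for n in names if n == suffix or n.endswith("." + suffix)]

if __name__ == "__main__":
    base, prefix = normalize(BASE_ROWS), normalize(PREFIX_ROWS)
    print(len(raw_names(BASE_ROWS)), "raw names ->", len(base), "unique")
    print("below api.example.com:", under(base, "api.example.com"))
    print("prefix result already in base result:", set(prefix) <= set(base))
```

Comparing `normalize()` output for two saved responses with a set difference is a quick way to check whether a prefixed query returned any name the base query did not.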