evilsocket/xray

[FEATURE REQUEST]

random-robbie opened this issue · 15 comments

Can you obtain more domain info via the following:
Google transparency report
Censys
virustotal
netcraft
passive total

like aquatone does :) https://github.com/michenriksen/aquatone/tree/master/lib/aquatone/collectors

Not really a dupe, as passive total was the only dupe I've seen.
Censys.io's certs part has helped me find some really obscure subdomains.

So now you know better than me all the suggestions I'm getting from users? :)

I already said that, unless you can prove that a given 3rd party service gives more results than the current implementation, I'm not gonna integrate it.

If you need more subdomains, improve the wordlist.

I'm not saying I know better, just what I've seen from the results of xray and this.

https://censys.io/certificates?q=mozilla.org is proving useful as it's providing sub-subdomains.
I found this:
https://reviewboard-hg.mozilla.org/buildbot-configs/rev/6a53c6df2e5a

https://censys.io/certificates?q=%28mozilla.org%29+AND+tags%3A+%22self-signed%22
finds some subdomains that don't come up, and that's for some Mozilla security stuff.

I'm just saying it's worth adding this, as it's finding sub-subdomains which are going to be extremely handy to have.

If you need more subdomains, improve the wordlist.

Isn't this just easier than the integration?

Not really, as this would grab more current data, whereas wordlists are static and you might miss something from a target.

Do a private build of xray with this integrated and see if it improves your findings; I am sure it will by a lot.

Do you realize those services are using wordlists as well, so the only thing needed is to add the missing subdomains to the xray one?

Are they not parsing data from https://crt.sh/? Or, when they do a scan, reading the SSL cert like Shodan does?

If they are using wordlists I really need to find where they got theirs, as the domains they are giving are impressive if they are in a wordlist.

Ooooh!!!! I see what you mean now, you mean the data extracted from the HTTPS certificates? Because in that case, I can do that without even integrating with those services as I already parse the certs :D

Maybe something like that, but stuff where you can scrape this sort of information is priceless:
https://crt.sh/?q=%25.yahoo.com

SSL certs are now the way forward for leaking some good domains :)

It should be easily doable by updating this function, I'll work on it ;)

https://github.com/evilsocket/xray/blob/master/http_grabber.go#L101
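The certificate-name extraction discussed above, written as an added example rather than code from xray or its author: given a certificate the grabber has already fetched, collect the SAN and CN host names that fall under the target domain. `SubdomainsFromCert` and `ConstructedCert` are hypothetical names, and the certificate is built inline as constructed sample data rather than grabbed from a live host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// SubdomainsFromCert returns the unique host names in a certificate's Subject CN
// and SAN list that sit under domain, in the order found. A leading wildcard label
// is dropped ("*.corp.example.com" -> "corp.example.com"), names are lower-cased,
// and the suffix match is anchored on a label boundary, so "example.com.evil.test"
// is rejected rather than mistaken for a subdomain.
func SubdomainsFromCert(cert *x509.Certificate, domain string) []string {
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	seen, out := map[string]bool{}, []string{}
	for _, name := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		name = strings.ToLower(strings.TrimSuffix(strings.TrimPrefix(name, "*."), "."))
		if name != domain && strings.HasSuffix(name, "."+domain) && !seen[name] {
			seen[name], out = true, append(out, name) // the apex itself is not a finding
		}
	}
	return out
}

// ConstructedCert builds a throwaway self-signed certificate whose SANs mix real
// subdomains, a wildcard, mixed case, the apex and two decoys. This is constructed
// sample data standing in for a certificate grabbed from a live HTTPS endpoint.
func ConstructedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"*.corp.example.com", "jenkins.corp.example.com", "WWW.example.com",
			"example.com", "example.com.evil.test", "other.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

For the constructed certificate, `SubdomainsFromCert(cert, "example.com")` yields www.example.com, corp.example.com and jenkins.corp.example.com; the decoy names and the apex are dropped.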

Even integrating this would be another goldmine:
https://crt.sh/?q=%25.yahoo.com

lol, for a subdomain:
darkroom.bfv.yahoo.com
embracespace.corp.gq1.yahoo.com
jenkins.screwdriver.corp.yahoo.com
tool.bds.aviate.corp.yahoo.com

It's finding all sorts inside their corp domain.

DUDE I GOT IT, PLEASE STOP

Will do 👍