/getaltname

Extract subdomains from SSL certificates in HTTPS sites.

Primary LanguagePythonMIT LicenseMIT

GSAN - Get Subject Alternative Names

PyPI - Python VersionPyPIPyPI - License

GSAN is a tool that can extract Subject Alternative Names found in SSL Certificates directly from https web sites which can provide you with DNS names (subdomains) or virtual servers.

This tool extract subdomain names from https sites and return a list or CSV/JSON output of its findings. It is not a subdomain brute-force tool, and you can actually find those subdomains manually, this tools is about the automation of that process, it also offers the following features:

  • Define multiple hosts:port on your terminal or using a text file.
  • CSV or JSON output, useful if you want to export data into other tools.
  • You can optionally filter out domain names that doesn't match the domain name that you're analyzing.
  • Integration with CRT.SH so you can extract more subdomains from certificates of the same entity.
  • Also works with Self-signed certificates.

Installation

$ pip install --user gsan

Usage

You have 2 ways of executing GSAN, getting subdomain names from CRT.SH, in which GSAN acts as a wrapper for CRT.SH, or getting subdomain names by directly connecting

Usage: gsan [OPTIONS] COMMAND [ARGS]...

  Get subdomain names from SSL Certificates.

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  crtsh  Get domains from crt.sh
  scan   Scan domains from input or a text file, format is HOST[:PORT].

Getting subdomains from CRT.SH

If you prefer to get the subdomain names directly from CRT.SH you can do that by using the subcomand crtsh.

$ gsan crtsh --help
Usage: gsan crtsh [OPTIONS] [DOMAINS]...

  Get domains from crt.sh

Options:
  -m, --match-domain     Match domain name only.
  -o, --output TEXT      Output to path/filename.
  -t, --timeout INTEGER  Set timeout for CRT.SH
  --help                 Show this message and exit.

$ gsan crtsh facebook.com
[+] Getting subdomains for facebook.com
[+] Getting subdomains for facebook.com
[+] Results:

FACEBOOK.COM
↳ newdev.facebook.com
↳ dewey.vip.facebook.com
↳ secure.trunkstable.facebook.com
↳ facebook.com
↳ secure.intern.facebook.com
-- SNIP --
↳ channel.facebook.com
↳ extools.facebook.com
↳ china--facebook.com
↳ adtools.facebook.com
↳ ak.facebook.com

Getting subdomains directly from SSL certificates

Most programs that "abuse" transparency certificates are only a wrapper for crt.sh, however you can extract subdomain names directly from SSL certificates found in HTTPS services. This allows you to find subdomain names in services that have self-signed certificates or deployed services that are not found anywhere. You can do this using the subcomand scan.

$ gsan scan --help
Usage: gsan scan [OPTIONS] [HOSTNAMES]...

  Scan domains from input or a text file, format is HOST[:PORT].

  e.g: gsan scan domain1.com domain2.com:port

  You can also pass a text file instead, just replace the first domain
  argument for a file. eg: gsan scan filename.txt

  If no ports are defined, then gsan assumes the port 443 is available.

Options:
  -o, --output TEXT      Output to path/filename.
  -m, --match-domain     Match domain name only.
  -c, --crtsh            Include results from CRT.SH
  -t, --timeout INTEGER  Set timeout [default: 3]
  --help                 Show this message and exit.

$ gsan scan facebook.com starbucks.com:443
[+] Getting subdomains for facebook.com
[+] Getting subdomains for starbucks.com
[+] Results:

FACEBOOK.COM
↳ facebook.com
↳ facebook.net
↳ fbcdn.net
↳ fbsbx.com
↳ m.facebook.com
↳ messenger.com
↳ xx.fbcdn.net
↳ xy.fbcdn.net
↳ xz.fbcdn.net

STARBUCKS.COM
↳ starbucks.com
↳ beta.starbucks.com
↳ app.starbucks.fr
↳ starbucks.fr
↳ app.starbucks.co.uk
↳ starbucks.ie
↳ app.starbucks.com
↳ fr.starbucks.ca
↳ preview.starbucks.com
↳ starbucks.ca
↳ app.starbucks.com.br
↳ app.starbucks.ie
↳ starbucks.com.br
↳ fr.app.starbucks.ca
↳ starbucks.de
↳ starbucks.co.uk
↳ app.starbucks.de
↳ app.starbucks.ca

You can also pass a list of hosts their ports, formatted as host[:port] (port is optional), and gsan will go through them trying to extract subdomain names. You can use the same subcomand scan and pass a text file as argument instead of a domain name:

gsan scan hosts.txt -o subdomains.csv
[+] Getting subdomains for facebook.com
[+] Getting subdomains for starbucks.com
[+] Getting subdomains for fakedomain.com
[!] Unable to connect to host fakedomain.com
[+] Getting subdomains for amazon.com
FACEBOOK.COM
↳ facebook.com
↳ facebook.net
-- SNIP --
↳ xy.fbcdn.net
↳ xz.fbcdn.net

STARBUCKS.COM
↳ starbucks.com
↳ beta.starbucks.com
-- SNIP --
↳ app.starbucks.de
↳ app.starbucks.ca

AMAZON.COM
↳ amazon.co.uk
↳ uedata.amazon.co.uk
-- SNIP --
↳ bz.peg.a2z.com
↳ origin2-amazon.co.jp


[+] Contents dumped into CSV file: subdomains.csv

You can save the results into a CSV or JSON file, the program will format the output based on the file extension.

Contributors

Contribution Guidelines

Contribution is welcome, just remember:

  • Fork the repo.
  • Make changes to the develop branch.
  • Make a Pull Request.

Support this project

Buy Me A Coffee Buy Me a Coffee at ko-fi.com

More Information

 _____ _____ _____ _____
|   __|   __|  _  |   | |
|  |  |__   |     | | | |
|_____|_____|__|__|_|___| v4.2.3

Author:  Franccesco Orozco
Email:   franccesco@codingdose.info
Website: https://codingdose.info