crtsh is a Golang utility for crt.sh.
go get github.com/famasoon/crtsh
crtsh has several options.
The -q option queries https://crt.sh.
The result is a list of dictionary items that look like this:
$ crtsh -q example.com
{
Index: 1
Issuer CA ID: 1191
Issuer Name: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Name: example.com
Min Cert ID: 987119772
Min Entry TimeStamp: 2018-11-29T13:44:14.118
Not Before: 2018-11-28T00:00:00
Not After: 2020-12-02T12:00:00
Donwload Pem file: https://crt.sh/?d=987119772
}
{
Index: 2
Issuer CA ID: 1191
Issuer Name: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Name: example.com
Min Cert ID: 984858191
Min Entry TimeStamp: 2018-11-28T21:20:12.606
Not Before: 2018-11-28T00:00:00
Not After: 2020-12-02T12:00:00
Donwload Pem file: https://crt.sh/?d=984858191
}
{
Index: 3
Issuer CA ID: 1465
Issuer Name: C=US, O="thawte, Inc.", CN=thawte SSL CA - G2
Name: example.com
Min Cert ID: 24564717
Min Entry TimeStamp: 2016-07-14T07:55:01.55
Not Before: 2016-07-14T00:00:00
Not After: 2017-07-14T23:59:59
Donwload Pem file: https://crt.sh/?d=24564717
}
{
Index: 4
Issuer CA ID: 1465
Issuer Name: C=US, O="thawte, Inc.", CN=thawte SSL CA - G2
Name: example.com
Min Cert ID: 24560643
Min Entry TimeStamp: 2016-07-14T07:30:08.461
Not Before: 2016-07-14T00:00:00
Not After: 2018-07-14T23:59:59
Donwload Pem file: https://crt.sh/?d=24560643
}
{
Index: 5
Issuer CA ID: 1465
Issuer Name: C=US, O="thawte, Inc.", CN=thawte SSL CA - G2
Name: example.com
Min Cert ID: 24560621
Min Entry TimeStamp: 2016-07-14T07:25:01.93
Not Before: 2016-07-14T00:00:00
Not After: 2017-07-14T23:59:59
Donwload Pem file: https://crt.sh/?d=24560621
}
{
Index: 6
Issuer CA ID: 1449
Issuer Name: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
Name: example.com
Min Cert ID: 24558997
Min Entry TimeStamp: 2016-07-14T06:40:02.4
Not Before: 2016-07-14T00:00:00
Not After: 2018-07-14T23:59:59
Donwload Pem file: https://crt.sh/?d=24558997
}
{
Index: 7
Issuer CA ID: 1397
Issuer Name: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Name: example.com
Min Cert ID: 10557607
Min Entry TimeStamp: 2015-11-05T14:51:33.941
Not Before: 2015-11-03T00:00:00
Not After: 2018-11-28T12:00:00
Donwload Pem file: https://crt.sh/?d=10557607
}
{
Index: 8
Issuer CA ID: 1397
Issuer Name: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Name: example.com
Min Cert ID: 5857507
Min Entry TimeStamp: 2014-12-11T14:36:57.201
Not Before: 2014-11-06T00:00:00
Not After: 2015-11-13T12:00:00
Donwload Pem file: https://crt.sh/?d=5857507
}
The -q option can be combined with the -o option.
The -o option prints only the domain names.
$ crtsh -q example.com -o
example.com
example.com
example.com
example.com
example.com
example.com
example.com
example.com
Queries can use % (wildcard) and _ (a placeholder for a single character).
For example:
$ crtsh -q %.example.com -o
www.example.com
www.example.com
www.example.com
*.example.com
*.example.com
m.example.com
www.example.com
dev.example.com
products.example.com
support.example.com
www.example.com
www.example.com
www.example.com
We can extract the unique domain names:
$ crtsh -q %.example.com -o | sort | uniq
*.example.com
dev.example.com
m.example.com
products.example.com
support.example.com
www.example.com
For example, using _:
$ crtsh -q kaspe_sky.com -o
kaspersky.com
kaspevsky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspessky.com
kaspezsky.com
kaspersky.com
kaspe2sky.com
kaspebsky.com
kaspepsky.com
kaspezsky.com
kaspevsky.com
kaspessky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
kaspersky.com
This can find URLs used for typosquatting.
The -cn option queries by CommonName.
This option can also be combined with the -o option.
For example: crtsh -cn <CommonName>
$ crtsh -cn test
{
Index: 1
Issuer CA ID: 6831
Issuer Name: C=BE, O=GlobalSign nv-sa, CN=GlobalSign PersonalSign 2 CA - G2
Name: Test
Min Cert ID: 197744191
Min Entry TimeStamp: 2017-08-24T18:23:36.43
Not Before: 2014-07-31T20:44:32
Not After: 2015-08-01T20:44:32
Donwload Pem file: https://crt.sh/?d=197744191
}
{
Index: 2
Issuer CA ID: 750
Issuer Name: [email protected], L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
Name: test
Min Cert ID: 197155020
Min Entry TimeStamp: 2017-08-23T22:07:22.88
Not Before: 2017-08-23T13:05:28
Not After: 2018-08-23T13:05:28
Donwload Pem file: https://crt.sh/?d=197155020
}
{
Index: 3
Issuer CA ID: 750
Issuer Name: [email protected], L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
Name: test
Min Cert ID: 197073488
Min Entry TimeStamp: 2017-08-23T19:42:20.529
Not Before: 2017-08-23T13:11:13
Not After: 2018-08-23T13:11:13
Donwload Pem file: https://crt.sh/?d=197073488
}
{
Index: 4
Issuer CA ID: 1715
Issuer Name: C=CN, O=CNNIC SHA256 SSL, CN=CNNIC SHA256 SSL
Name: test
Min Cert ID: 7096879
Min Entry TimeStamp: 2015-04-08T00:24:19.637
Not Before: 2014-12-12T06:08:52
Not After: 2015-12-12T06:08:52
Donwload Pem file: https://crt.sh/?d=7096879
}
{
Index: 5
Issuer CA ID: 1715
Issuer Name: C=CN, O=CNNIC SHA256 SSL, CN=CNNIC SHA256 SSL
Name: test
Min Cert ID: 7096563
Min Entry TimeStamp: 2015-04-08T00:11:13.016
Not Before: 2014-12-14T12:00:54
Not After: 2015-12-14T12:00:54
Donwload Pem file: https://crt.sh/?d=7096563
}
{
Index: 6
Issuer CA ID: 29
Issuer Name: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Name: test
Min Cert ID: 4202482
Min Entry TimeStamp: 2014-05-22T23:21:36.633
Not Before: 2011-07-28T00:00:00
Not After: 2014-08-01T12:00:00
Donwload Pem file: https://crt.sh/?d=4202482
}
{
Index: 7
Issuer CA ID: 29
Issuer Name: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Name: test
Min Cert ID: 4202481
Min Entry TimeStamp: 2014-05-22T23:21:33.786
Not Before: 2011-07-28T00:00:00
Not After: 2014-08-01T12:00:00
Donwload Pem file: https://crt.sh/?d=4202481
}
The -i option parses the PEM file.
If you set this option, you can enumerate the DNS names embedded in the PEM file.
I will add more features.
For example: crtsh -i <Min Cert ID>
$ crtsh -i 5857507
CertID: 5857507
Enumrate DNS Names:
www.example.org
example.com
example.edu
example.net
example.org
www.example.com
www.example.edu
www.example.net
import (
"github.com/famasoon/crtsh/ctlog"
"github.com/famasoon/crtsh/parser"
)
For example: find a typosquatting URL, then enumerate other typosquatting URLs with CT logs (PEM file)
- Find a typosquatting URL
$ crtsh -q kaspe_sky.com
{
Index: 1
Issuer CA ID: 1191
Issuer Name: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Name: kaspersky.com
Min Cert ID: 2114755056
Min Entry TimeStamp: 2019-11-15T11:51:37.847
Not Before: 2019-11-15T00:00:00
Not After: 2021-11-19T12:00:00
Donwload Pem file: https://crt.sh/?d=2114755056
}
{
Index: 2
Issuer CA ID: 9324
Issuer Name: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
Name: kaspevsky.com
Min Cert ID: 2106245075
Min Entry TimeStamp: 2019-11-13T12:16:22.861
Not Before: 2019-03-19T00:00:00
Not After: 2020-04-19T12:00:00
Donwload Pem file: https://crt.sh/?d=2106245075
}
===snip===
Min Cert ID: 2106245075 looks like it is used for a typosquatting URL.
- Enumerate other URLs with the CT log
$ crtsh -i 2106245075
CertID: 2106245075
Enumrate DNS Names:
kaspevsky.com
*.kaspevsky.com
kaspursky.com
*.kaspursky.com
kasperqky.com
*.kasperqky.com
kaspgrsky.com
*.kaspgrsky.com
kasxersky.com
*.kasxersky.com
This certificate also included other typosquatting URLs.
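Added example, not part of the crtsh project: a small Go filter for the triage step above, written for monitoring a domain you own. It parses `crtsh -q` blocks and maps each name that is exactly one character off the legitimate domain to the Min Cert IDs to pass to `crtsh -i`. The names `Suspects` and `OneCharOff` and the one-character rule are assumptions; the sample is trimmed from the output shown above.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample is trimmed from the crtsh -q kaspe_sky.com output shown above.
const Sample = `{
Issuer Name: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Name: kaspersky.com
Min Cert ID: 2114755056
}
{
Name: kaspevsky.com
Min Cert ID: 2106245075
}`

// OneCharOff: same length as legit and exactly one differing position (assumed rule).
func OneCharOff(legit, name string) bool {
	diff := 0
	for i := 0; i < len(legit) && len(legit) == len(name); i++ {
		if legit[i] != name[i] {
			diff++
		}
	}
	return diff == 1
}

// Suspects maps each lookalike name to the Min Cert IDs worth passing to crtsh -i.
func Suspects(legit, out string) map[string][]string {
	res, name := map[string][]string{}, ""
	for _, line := range strings.Split(out, "\n") {
		key, val, _ := strings.Cut(strings.TrimSpace(line), ":")
		val = strings.ToLower(strings.TrimSpace(val))
		switch {
		case key == "{": // new record: forget the previous name
			name = ""
		case key == "Name": // "Issuer Name" is a different key and is skipped
			name = val
		case key == "Min Cert ID" && OneCharOff(legit, name):
			res[name] = append(res[name], val)
		}
	}
	return res
}

func main() {
	fmt.Println(Suspects("kaspersky.com", Sample))
}
```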
- This tool uses https://crt.sh
- Created by FAMASoon