Last active
March 12, 2019 11:36
-
-
Save yaci/b516cc04a83a769952d327e84bdc166e to your computer and use it in GitHub Desktop.
Query crt.sh (certificate transparency logs) for subdomains of a given domain and checks if these domains are available to the public
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| #### | |
| # READ THIS! | |
| # You need to have jq installed to run this script. | |
| # To run, execute ./search-for-subdomains.sh facebook.com | |
| #### | |
| probeTimeoutInSeconds=10 | |
| domain=$1 | |
| crtsh=$(curl -s "https://crt.sh/?q=%25.${domain}&output=json") | |
| subdomains=$(echo $crtsh | jq .[].name_value -r | grep -v '\*' | sort -u) | |
| checkDomainStatus() { | |
| subdomain=$1 | |
| #curl opts: -k = ignore certs, -s = quiet, -I = use HEAD instead of GET, -L = follow redirects | |
| result=$(curl --connect-timeout $probeTimeoutInSeconds -ksIL $subdomain -o /dev/null -w "%{url_effective} %{http_code}") | |
| IFS=' ' read -ra splittedResult <<< "$result" | |
| statusCode=${splittedResult[1]} | |
| finalUrl=${splittedResult[0]} | |
| #statusCode === 000 means that the connection timed out, which means that the domain is not accesible | |
| if [ ! "$statusCode" == "000" ]; then | |
| echo "$statusCode $subdomain -> $finalUrl" | |
| fi | |
| } | |
| for subd in $subdomains; do | |
| checkDomainStatus $subd & #yolo and lets hope there aren't more than ~200 domains (otherwise uncomment the below) | |
| # wait if we spawned too many processes | |
| #spawnedProcessesCount=$(ps -s | grep curl | wc -l) | |
| #[ $spawnedProcessesCount -gt 200 ] && wait #if procCount > 200 then wait | |
| done | |
| wait |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment