Discover related domains and subdomains by iterating over all the certificates associated to a domain

get_certs_crtsh.py

# pip3 install pycrtsh validators tqdm
# @author: @aetsu

import sys
from tqdm import tqdm
import validators
from pycrtsh import Crtsh

DEBUG = False

def get_cert(crt, c):
    l_name = c['name'].split('\n')
    l_targets = l_name
    try:
        details = crt.get(c["id"], type="id")
        if 'extensions' in details:
            if 'alternative_names' in details['extensions']:
                l_targets += details['extensions']['alternative_names']
    except Exception as e:
        if DEBUG:
            print('<get_cert> -<cert_id:' + str(c["id"]) + '> - ' + str(e))
    return l_targets



def search_certs(target):
    crt = Crtsh()
    cert_l = crt.search(target)
    l_targets = []
    for c in tqdm(cert_l):
        l_targets+=get_cert(crt, c)
    l_res = [d for d in l_targets if validators.domain(d)]
    return l_res

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print(" Usage: " + sys.argv[0] + " domain")
        sys.exit()
    target = sys.argv[1]
    res = search_certs(target)
    res = list(set(res)) # sort unique
    r_text = "Target: " + target + " -> " + str(len(res)) + " elements"
    print(r_text)
    print("-"*len(r_text))
    for elem in res:
        print(elem)