Ryan Fitblip
Fitblip
/ ctl_example.json
Created
April 18, 2017 19:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // curl -s 'https://ct1.digicert-ct.com/log/ct/v1/get-entries?start=0&end=0' | jq . | |
| { | |
| "entries": [ | |
| { | |
| "leaf_input": "AAAAAAFIyfaldAAAAAcDMIIG/zCCBeegAwIBAgIQBnEXzRy4ia2KEDMQEa+lMjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE0MDkzMDAwMDAwMFoXDTE1MTAwNTEyMDAwMFowggEOMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRVdGFoMRUwEwYDVQQFEww1Mjk5NTM3LTAxNDIxEjAQBgNVBAkTCVN1aXRlIDUwMDEkMCIGA1UECRMbMjYwMCBXZXN0IEV4ZWN1dGl2ZSBQYXJrd2F5MQ4wDAYDVQQREwU4NDA0MzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDTALBgNVBAcTBExlaGkxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMRwwGgYDVQQDExNjdDEuZGlnaWNlcnQtY3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyysV+OCPSn5MnCri+xQk7v+iOuA8EoSNUJqvTA95F1OEPzK0szO7seL6NlHPS4/Qkza9/l4d5AyZN7z7GHz1T955WiOmFOxlt3x5wrPUnsUJoEcv9fGfb6rjRdPKxgTJP+0EVup/jV0uvokyRkNzABhZOHi023gMkuudh75yOiYUYllUij0mQR/ZBMRg7Iigj2o9t/zKyHHY |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "name": "url", | |
| "type": "STRING", | |
| "mode": "REQUIRED" | |
| }, | |
| { | |
| "mode": "REQUIRED", | |
| "name": "cert_index", | |
| "type": "INTEGER" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT | |
| all_dns_names | |
| FROM | |
| [ctl-lists:certificate_data.scan_data] | |
| WHERE | |
| (REGEXP_MATCH(all_dns_names,r'\b?xn\-\-')) | |
| AND NOT all_dns_names CONTAINS 'cloudflare' |
Fitblip
/ CoinbaseBigQuery.sql
Last active
May 17, 2017 22:26
Finding all coinbase sites using BigQuery
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT | |
| all_dns_names | |
| FROM | |
| [ctl-lists:certificate_data.scan_data] | |
| WHERE | |
| (REGEXP_MATCH(all_dns_names,r'.*\.coinbase.com[\s$]?')) |
Fitblip
/ FlowersToTheWorld.sql
Created
May 17, 2017 22:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT | |
| url, | |
| COUNT(*) AS total_certs | |
| FROM | |
| [ctl-lists:certificate_data.scan_data] | |
| WHERE | |
| (REGEXP_MATCH(all_dns_names,r'.*flowers-to-the-world.*')) | |
| GROUP BY | |
| url | |
| ORDER BY |
Fitblip
/ get_all_ctl_counts.py
Last active
June 9, 2017 03:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import json | |
| import locale | |
| locale.setlocale(locale.LC_ALL, 'en_US') | |
| ctl_log = requests.get('https://www.gstatic.com/ct/log_list/log_list.json').json() | |
| total_certs = 0 | |
| human_format = lambda x: locale.format('%d', x, grouping=True) |
Fitblip
/ find_needle.py
Created
June 24, 2017 05:24
Find a specific keyword (paypal) in any certificates sent by Certstream
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import certstream | |
| import base64 | |
| NEEDLE = "paypal" | |
| # Search for domains with a keyword in them and write the corresponding certificate to a file | |
| def certstream_callback(message): | |
| if message['message_type'] == "certificate_update": | |
| all_domains = message['data']['leaf_cert']['all_domains'] | |
| if NEEDLE.lower() in " ".join(all_domains).lower(): |
Fitblip
/ gist:5218816
Last active
May 26, 2018 06:55
Clone of Corelan's PVEString stack tool. Written because perl sucks, and I'm not going to install that garbage on my computer to do one thing.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| string = sys.argv[-1] | |
| lines = [] | |
| print "String length : %d" % len(string) | |
| print "Opcodes to push this string onto the stack :" | |
| for i in range(0,len(string),4): | |
| line = string[:4] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| certstream --json | \ | |
| jq -r '.data | [ (.seen|floor|tostring), (.leaf_cert.all_domains[0]|split(".")|.[-1]), .chain[0].subject.CN, "200", "0" ] | join("|")' | \ | |
| logstalgia -g "Certificate Authorities,CODE=^200,0" --hide-response-code --hide-paddle --path-abbr-depth -1 --no-bounce -s 2 --address-abbr-depth -1 |
Fitblip
/ slack_notification.py
Created
June 24, 2017 06:17
An example for certstream to send a slack notification.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import certstream | |
| import json | |
| import requests | |
| # Set the webhook_url to the one provided by Slack when you create the webhook at https://my.slack.com/services/new/incoming-webhook/ | |
| WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"] | |
| NEEDLE = "coinbase" | |
| # Search for domains with a keyword in them and write the corresponding certificate to a file |