Sub-Domain Scanner Using Censys and Python

February 3, 2018 | Views: 4511

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hey guys, After a long time I wanna post something related hunting subdomains using Censys API and Python script. I used this technique long back while I’m doing pentesting stuff against targeted client.

This script will find subdomains using Censys (Certificate Transparency logs). It will read all SSL certificates and correlate and give the particular targeted domain results.

Before running this script, you need free account. once you logged into that account, go to My Account settings it will provide you API ID and API secret. You need to put those values inside the script.

As well as you need to install few python setup modules related to censys api/sdk access. You should install below modules:

– censys (pip install censys)

import os
import sys
import time
import censys.certificates
import censys.ipv4
import censys
#finding the subdomains related to given domain
def subdomain_find(domain,censys_id,censys_secret):
        censys_cert = censys.certificates.CensysCertificates(api_id=censys_id,api_secret=censys_secret)
        cert_query = 'parsed.names: %s' % domain
        cert_search_results =, fields=['parsed.names'])
        subdomains = [] #List of subdomains
        for s in cert_search_results:
        return set(subdomains) #removes duplicate values
    except censys.base.CensysUnauthorizedException:
        sys.stderr.write('[+] Censys account details wrong. n')
    except censys.base.CensysRateLimitExceededException:
        sys.stderr.write('[+] Limit exceeded.')
def subdomain_filter(domain,subdomains): #If subdomain has * It will filter out from list of subdomains.
    return [ subdomain for subdomain in subdomains if '*' not in subdomain and subdomain.endswith(domain) ]
def subdomains_list(domain, subdomains): #Take the list and showing structured way.
    if len(subdomains) is 0:
        print('[-] Did not find any subdomain')
    print('[*] Found %d unique subdomain n' % (len(subdomains)))
    for subdomain in subdomains:
def main(domain,censys_id,censys_secret):
    print ("[+] Finding the subdomains of %s " % domain)
    subdomains = subdomain_find(domain,censys_id,censys_secret)
    subdomains = subdomain_filter(domain,subdomains)
if __name__ == "__main__":
    censys_id = "1dca12ac-xxxxx-xx....."
    censys_secret = "JEunZiMsxxxx........"
    domain = raw_input("Enter the domain:")

Above script, will give you the all subdomain details related to specific target domain.Just copy the script and change the censys_id & censys_secret values.

Result looks like below:

pythondev@pythondev-VirtualBox:~/Desktop$ python
Enter the
[+] Finding the subdomains of
[*] Found 6 unique subdomain


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge



We recommend always using caution when following any link

Are you sure you want to continue?