By: P3t3rp4rk3r
February 3, 2018

Sub-Domain Scanner Using Censys and Python

Hey guys, after a long time I want to post something related to hunting subdomains using the Censys API and a Python script. I used this technique a long time ago while doing pentesting work against a targeted client.

This script finds subdomains using Censys (Certificate Transparency logs). It reads the SSL certificates, correlates them, and returns the results for the particular targeted domain.

Before running this script, you need a free Censys account (https://censys.io/register). Once you are logged in to that account, go to My Account settings, which will give you an API ID and API secret. You need to put those values inside the script.

You also need to install the Python module for Censys API/SDK access:

- censys (pip install censys)
```python
import sys
import censys
import censys.base
import censys.certificates


# Find the subdomains related to the given domain
def subdomain_find(domain, censys_id, censys_secret):
    try:
        censys_cert = censys.certificates.CensysCertificates(api_id=censys_id, api_secret=censys_secret)
        cert_query = 'parsed.names: %s' % domain
        cert_search_results = censys_cert.search(cert_query, fields=['parsed.names'])

        subdomains = []  # List of subdomains
        for s in cert_search_results:
            subdomains.extend(s['parsed.names'])

        return set(subdomains)  # removes duplicate values
    except censys.base.CensysUnauthorizedException:
        sys.stderr.write('[+] Censys account details wrong. \n')
        sys.exit(1)
    except censys.base.CensysRateLimitExceededException:
        sys.stderr.write('[+] Limit exceeded.')
        sys.exit(1)


def subdomain_filter(domain, subdomains):
    # Wildcard entries such as *.domain.com are filtered out of the list.
    # Match on a label boundary so that a lookalike such as notdomain.com
    # is not returned as a result for domain.com.
    return [subdomain for subdomain in subdomains
            if '*' not in subdomain
            and (subdomain == domain or subdomain.endswith('.' + domain))]


def subdomains_list(domain, subdomains):
    # Take the list and show it in a structured way.
    if len(subdomains) == 0:
        print('[-] Did not find any subdomain')
        return

    print('[*] Found %d unique subdomain \n' % (len(subdomains)))
    for subdomain in subdomains:
        print(subdomain)

    print('')


def main(domain, censys_id, censys_secret):
    print("[+] Finding the subdomains of %s " % domain)
    subdomains = subdomain_find(domain, censys_id, censys_secret)
    subdomains = subdomain_filter(domain, subdomains)
    subdomains_list(domain, subdomains)


if __name__ == "__main__":
    censys_id = "1dca12ac-xxxxx-xx....."
    censys_secret = "JEunZiMsxxxx........"
    domain = input("Enter the domain:")  # Python 3; use raw_input() on Python 2
    main(domain, censys_id, censys_secret)
```
The script above gives you all the subdomain details related to a specific target domain. Just copy the script and change the censys_id and censys_secret values.

The result looks like this:
```
pythondev@pythondev-VirtualBox:~/Desktop$ python censyspoc.py
Enter the domain:example.com
[+] Finding the subdomains of example.com
[*] Found 6 unique subdomain

dev.example.com
git.example.com
web.example.com
blog.example.com
marketing.example.com
info.example.com
```
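Names in certificates are free-form strings, so the filtering step decides whether the results stay inside the authorized domain. The following is an added example, not part of the original post: a stricter filter for `parsed.names` values that normalizes case and trailing dots, matches only on a label boundary, and records wildcard entries separately instead of discarding them. The function names and the sample names are constructed for illustration.

```python
def normalize_name(name):
    """Lower-case the name and strip whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def in_scope(name, domain):
    """True only for the domain itself or a name below it on a label boundary."""
    return name == domain or name.endswith("." + domain)


def scope_filter(domain, names):
    """Split certificate names into in-scope hosts, zones covered by a
    wildcard certificate, and rejected (out-of-scope or malformed) names."""
    domain = normalize_name(domain)
    hosts, wildcard_zones, rejected = set(), set(), set()
    for raw in names:
        name = normalize_name(raw)
        is_wildcard = name.startswith("*.")
        base = name[2:] if is_wildcard else name
        # A plain suffix match would accept notexample.com for example.com;
        # requiring the leading dot keeps lookalike domains out of the results.
        if not base or "*" in base or not in_scope(base, domain):
            rejected.add(raw)
            continue
        (wildcard_zones if is_wildcard else hosts).add(base)
    return sorted(hosts), sorted(wildcard_zones), sorted(rejected)


# Constructed sample of 'parsed.names' values (not real Censys output)
SAMPLE_NAMES = [
    "dev.example.com", "DEV.example.com", "git.example.com.",
    "*.example.com", "*.staging.example.com", "example.com",
    "notexample.com", "example.com.evil.test", "www.example.org",
]

if __name__ == "__main__":
    hosts, wildcard_zones, rejected = scope_filter("example.com", SAMPLE_NAMES)
    print("[*] In-scope hosts:")
    for host in hosts:
        print("    " + host)
    print("[*] Zones covered by a wildcard certificate:")
    for zone in wildcard_zones:
        print("    *." + zone)
    print("[-] Rejected as out of scope:")
    for name in rejected:
        print("    " + name)
```

Rejected names are returned rather than silently dropped so they can be reviewed before any further testing.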
Ref: https://www.linkedin.com/pulse/sub-domain-scanner-using-censys-python-santhosh-baswa/ 