
By: P3t3rp4rk3r
February 3, 2018
Sub-Domain Scanner Using Censys and Python

By: P3t3rp4rk3r
February 3, 2018
Hey guys, After a long time I wanna post something related hunting subdomains using Censys API and Python script. I used this technique long back while I’m doing pentesting stuff against targeted client. This script will find subdomains using Censys (Certificate Transparency logs). It will read all SSL certificates and correlate and give the particular targeted domain results.Before running this script, you need https://censys.io/register free account.
Once you logged into that account, go to My Account settings it will provide you API ID and API secret. You need to put those values inside the script.As well as you need to install few python setup modules related to censys api/sdk access. You should install below modules:– censys (pip install censys)
import os import sys import time import censys.certificates import censys.ipv4 import censys #finding the subdomains related to given domain def subdomain_find (domain,censys_id,censys_secret): try: censys_cert = censys.certificates.CensysCertificates(api_id=censys_id,api_secret=censys_secret) cert_query = 'parsed.names: %s' % domain cert_search_results = censys_cert.search(cert_query, fields=['parsed.names']) subdomains = [] #List of subdomains for s in cert_search_results: subdomains.extend(s['parsed.names']) return set(subdomains) #removes duplicate values except censys.base.CensysUnauthorizedException: sys.stderr.write('[+] Censys account details wrong. n') exit(1) except censys.base.CensysRateLimitExceededException: sys.stderr.write('[+] Limit exceeded.') exit(1)def subdomain_filter(domain,subdomains): #If subdomain has *.domain.com It will filter out from list of subdomains. return [ subdomain for subdomain in subdomains if '*' not in subdomain and subdomain.endswith(domain) ] def subdomains_list(domain, subdomains): #Take the list and showing structured way. if len(subdomains) is 0: print('[-] Did not find any subdomain') return print('[*] Found %d unique subdomain n' % (len(subdomains))) for subdomain in subdomains: print(subdomain) print('')def main(domain,censys_id,censys_secret): print ("[+] Finding the subdomains of %s " % domain) subdomains = subdomain_find(domain,censys_id,censys_secret) subdomains = subdomain_filter(domain,subdomains) subdomains_list(domain,subdomains) if __name__ == "__main__": censys_id = "1dca12ac-xxxxx-xx....." censys_secret = "JEunZiMsxxxx........" domain = raw_input("Enter the domain:") main(domain,censys_id,censys_secret)
Above script, will give you the all subdomain details related to specific target domain. Just copy the script and change the censys_id & censys_secret values.
Result looks like below:
pythondev@pythondev-VirtualBox:~/Desktop$ python censyspoc.pyEnter the domain:example.com[+] Finding the subdomains of example.com[*] Found 6 unique subdomain dev.example.comgit.example.comweb.example.comblog.example.commarketing.example.cominfo.example.com
Ref: https://www.linkedin.com/pulse/sub-domain-scanner-using-censys-python-santhosh-baswa/