Open in app

Sign in

Write

Sign in

Gathering domains/subdomains with IPRanges of organization

Arbaz Hussain
2 min readSep 9, 2018
  • One of the major role of penetration testing is recon-asset.The more you gather information,the more you win.
  • It is possible for a organization to have one or many domains/sub-domains hosted under a certain iprange. To find out them It purely depends on hosting way they are using.
  • Many organization use services such as cloudflare,Amazon etc as there hosting-providers where scanning ipranges for them is pain,Also there are lot of organization’s which are self-hosted.
https://www.hostingchecker.com
  • I wrote a short script to gather all possible domains/subdomain under the ipranges by following steps.

IPRANGE => Takes one by one ip from range => Resolve ip’s by checking if port 443 is up using masscan python module=> Check’s SSL Certificate of ip’s to look for CNAME => Scrape Domain/Subdomain from certificate.

$ dig +short A walmart.com 
161.170.230.170
161.170.232.170
161.170.239.170$ pip install python-masscan
$ pip install M2Cryptopython subs_cert.py 161.170.232.0/24#!/usr/bin/python
import sys,time
from socket import socket
import ssl,masscan
import M2Crypto
import OpenSSL,xml,threading,queue

q = queue.Queue()
final_res = []

try:
    ip_range = sys.argv[1]
except:
    print('Usage: python subs_cert.py <IPRANGE>')
subs_ssl = []

try:
    mas = masscan.PortScanner()
    mas.scan(ip_range,ports='443')
    for host in mas.all_hosts:
        subs_ssl.append(host)
except (xml.etree.ElementTree.ParseError,masscan.masscan.NetworkConnectionError) as e:
    print('Probably iprange\'s is not valid/down')
    pass

def process_cert_subs(i):
    try:
        cert = ssl.get_server_certificate((str(i), 443))
        x509 = M2Crypto.X509.load_cert_string(cert)
        cert_val = x509.get_subject().as_text()
        cnames = cert_val.split('CN=')[1]
        if len(cnames) > 0:
            print(cnames)
    except SSLEOFError as e:
        pass

def process_queue():
    while not q.empty():
        current_ip = q.get()
        process_cert_subs(current_ip)
        q.task_done()

if len(subs_ssl) > 0:
    for i in subs_ssl:
        i = str(i)
        i = i.strip('\n')
        i = i.strip('\r')
        q.put(i)
else:
    print('Empty ips.. Exiting..')
    sys.exit(1)

for i in range(100):
    t = threading.Thread(target=process_queue)
    t.start()

arbazkiraak/certasset

Takes ip range, Scan all open SSL Certs, Grab Cnames - arbazkiraak/certasset

github.com

Idea from : https://github.com/cheetz/sslScrape

Bug Bounty
Bug Hunting
Bug Report
Bug Blog
Security

--

--

Arbaz Hussain

Written by Arbaz Hussain

1.99K Followers

Security Analyst

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams