evilsocket / xray

XRay is a tool for recon, mapping and OSINT gathering from public networks.
GNU General Public License v3.0
2.21k stars, 299 forks

[FEATURE REQUEST] #24

Closed random-robbie closed 7 years ago

random-robbie commented 7 years ago

Can you obtain more domain info via the following: Google transparency report, Censys, VirusTotal, Netcraft, PassiveTotal?

Like aquatone does :) https://github.com/michenriksen/aquatone/tree/master/lib/aquatone/collectors

random-robbie commented 7 years ago

https://censys.io/certificates?q=mozilla.org is a goldmine!

random-robbie commented 7 years ago

Not really a dupe, as only PassiveTotal was the dupe I've seen. Censys.io's certs part has helped me find some really obscure subdomains.

evilsocket commented 7 years ago

So now you know better than me all the suggestions I'm getting from users? :)

I already said that, unless you can prove a given 3rd party service to give more results than the current implementation, I'm not gonna integrate it.

If you need more subdomains, improve the wordlist.

random-robbie commented 7 years ago

I'm not saying I know better, just what I've seen from the results of xray and this.

https://censys.io/certificates?q=mozilla.org is proving useful, as it's providing sub-subdomains. I found this: https://reviewboard-hg.mozilla.org/buildbot-configs/rev/6a53c6df2e5a

https://censys.io/certificates?q=%28mozilla.org%29+AND+tags%3A+%22self-signed%22 finds some subdomains that don't come up, and that's for some Mozilla security stuff.

I'm just saying it's worth adding this, as it's finding sub-subdomains too, which are going to be extremely handy to have.

random-robbie commented 7 years ago

Another example... https://censys.io/certificates?q=%28yahoo.com%29+AND+tags%3A+%22self-signed%22

evilsocket commented 7 years ago

If you need more subdomains, improve the wordlist.

Isn't this just easier than the integration?

random-robbie commented 7 years ago

Not really, as this would grab more current data, whereas wordlists are static and you might miss something from a target.

Do a private build of xray with this integrated and see if it improves your findings. I am sure it will, by a lot.

evilsocket commented 7 years ago

Do you realize those services are using wordlists as well, so the only thing needed is to add the missing subdomains to xray's one?

random-robbie commented 7 years ago

Are they not parsing data from https://crt.sh/? Or, when they do a scan like Shodan does, reading the SSL cert?

If they are using wordlists I really need to find where they got theirs, as the domains they are giving are impressive if they are in a wordlist.

evilsocket commented 7 years ago

Ooooh!!!! I see what you mean now, you mean the data extracted from the HTTPS certificates? Because in that case, I can do that without even integrating with those services as I already parse the certs :D

random-robbie commented 7 years ago

Maybe something like that, but stuff where you can scrape this sort of information is priceless: https://crt.sh/?q=%25.yahoo.com

SSL certs are now the way forward for leaking some good domains :)

evilsocket commented 7 years ago

It should be easily doable by updating this function, I'll work on it ;)

https://github.com/evilsocket/xray/blob/master/http_grabber.go#L101
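The technique the two of them converge on above, pulling hostnames out of the certificate a TLS handshake returns (Subject CN plus the dNSName SANs) and keeping only those under the target domain, the same suffix filter a crt.sh `%.example.com` query applies. This is an added, stand-alone Go example, not xray's own code and not the `http_grabber.go` function linked above: it mints a self-signed certificate with constructed sample names so it runs offline, where the real tool would read the peer certificate from the connection. The names, helper functions (`hostnamesFromCert`, `subdomainsOf`, `buildTestCert`) and the example.com/example.net labels are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// hostnamesFromCert returns every hostname a certificate asserts: the
// Subject CN plus all dNSName SANs. Modern certs put everything in the
// SANs, but older or internal ones often carry a name only in the CN.
func hostnamesFromCert(cert *x509.Certificate) []string {
	names := make([]string, 0, len(cert.DNSNames)+1)
	if cn := strings.TrimSpace(cert.Subject.CommonName); cn != "" {
		names = append(names, cn)
	}
	return append(names, cert.DNSNames...)
}

// subdomainsOf normalises candidate names and keeps only unique, sorted
// subdomains of domain. Wildcard labels are stripped ("*.cdn.example.com"
// still reveals the "cdn.example.com" zone), trailing dots and case are
// normalised, and the apex itself and unrelated domains are dropped.
// This is the same suffix filter a crt.sh "%.example.com" query applies.
func subdomainsOf(domain string, candidates []string) []string {
	domain = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	seen := make(map[string]bool)
	var out []string
	for _, n := range candidates {
		n = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(n), "."))
		n = strings.TrimPrefix(n, "*.")
		if n == "" || n == domain || !strings.HasSuffix(n, "."+domain) {
			continue
		}
		if !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// buildTestCert mints a self-signed certificate with the given CN and
// DNS SANs so the example runs offline. It stands in for the certificate
// a TLS handshake with the target would return; the names are constructed
// sample data (assumption), not real certificate contents.
func buildTestCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleSANs is the constructed SAN list used by main (assumed data).
var sampleSANs = []string{
	"*.example.com",             // wildcard at the apex: reveals nothing new
	"*.cdn.example.com",         // wildcard below the apex: reveals cdn.example.com
	"jenkins.corp.example.com",  // plain internal host
	"Darkroom.bfv.example.com.", // mixed case and trailing dot, normalised
	"example.com",               // the apex itself, dropped
	"api.example.net",           // a different domain, dropped
}

func main() {
	cert, err := buildTestCert("*.example.com", sampleSANs)
	if err != nil {
		panic(err)
	}
	for _, sub := range subdomainsOf("example.com", hostnamesFromCert(cert)) {
		fmt.Println(sub)
	}
}
```

In a real grabber the `*x509.Certificate` comes from `conn.ConnectionState().PeerCertificates[0]` after a `tls.Dial` with `InsecureSkipVerify` set, since recon targets frequently present self-signed or expired certificates (which is exactly what the `tags:"self-signed"` Censys queries above are after); the verification failure is irrelevant here because only the asserted names are wanted, not trust.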

random-robbie commented 7 years ago

Even integrating this would be another goldmine: https://crt.sh/?q=%25.yahoo.com

lol, for a subdomain: darkroom.bfv.yahoo.com, embracespace.corp.gq1.yahoo.com, jenkins.screwdriver.corp.yahoo.com, tool.bds.aviate.corp.yahoo.com

It's finding all sorts inside their corp domain.

evilsocket commented 7 years ago

DUDE I GOT IT, PLEASE STOP

random-robbie commented 7 years ago

Will do 👍