projectdiscovery / subfinder

Fast passive subdomain enumeration tool.
https://projectdiscovery.io
MIT License
9.93k stars 1.24k forks

Using psql for crt.sh subdomain enumeration #218

Closed mpgn closed 4 years ago

mpgn commented 4 years ago

What's the problem ?

Actually, subfinder uses a simple GET request to get subdomains from crt.sh. This technique is simple, but it can miss a lot of subdomains.

Do you have an idea for a solution?

Solution: use the PostgreSQL database of crt.sh (open to everyone). Script example:

#!/bin/sh
# Usage: ./crtsh.sh example.com : lists unique names from crt.sh certificates ending in ".<domain>"
domain="$1"
# The domain is interpolated straight into the SQL, so only pass trusted input.
query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.$domain'));"
(
  echo "$domain"
  # Strip leading spaces, a leading "*." wildcard and blank lines, then any
  # remaining "*." markers left in psql's bare (-t) output.
  echo "$query" |
    psql -t -h crt.sh -p 5432 -U guest certwatch |
    sed -e 's:^ *::g' -e 's:^\*\.::g' -e '/^$/d' |
    sed -e 's:\*\.::g'
) | sort -u

How can we reproduce the issue?

subfinder output: [image]

PSQL output: [image]

Ice3man543 commented 4 years ago

Hey @mpgn, thanks for this issue. This is curious, I thought both had the same results. Anyway, thanks for notifying! I'll work on adding this ASAP.

Edu4rdSHL commented 4 years ago

@mpgn try Findomain while it's being fixed. It queries the crt.sh database directly and if that isn't successful then uses the API method.

Ice3man543 commented 4 years ago

@mpgn, @Edu4rdSHL this should be fixed as of now. If the DB interface doesn't work, we fall back to HTTP. Thanks for creating the issue and helping with this addition!
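The DB-first, HTTP-fallback flow the maintainer describes, combined with the normalisation the shell script above does with sed, as an added Python example (not subfinder's code and not the script from the issue). It assumes the same public crt.sh PostgreSQL endpoint and the crt.sh JSON API (`?q=%25.<domain>&output=json`); it validates the domain before interpolating it into the SQL, and cleans the NAME_VALUE rows (newline-packed SANs, wildcard prefixes, case, names outside the queried zone).

```python
"""crt.sh subdomain enumeration: PostgreSQL first, HTTP JSON API as fallback."""
import json
import re
import subprocess
import urllib.request

# Plain hostname only: this is the guard that makes interpolating the value into SQL acceptable.
_DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def is_plain_domain(domain: str) -> bool:
    return bool(_DOMAIN_RE.match(domain.strip().lower().rstrip(".")))


def build_query(domain: str) -> str:
    """Same query as the issue's script, guarded against non-hostname input."""
    domain = domain.strip().lower().rstrip(".")
    if not is_plain_domain(domain):
        raise ValueError(f"not a plain domain name: {domain!r}")
    return ("SELECT ci.NAME_VALUE FROM certificate_identity ci "
            f"WHERE reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.{domain}'));")


def normalize_names(raw_names, domain: str) -> list:
    """Lowercase, strip '*.' wildcard prefixes and blanks, split newline-packed SANs,
    keep only names under the queried zone (and the apex itself), return sorted unique."""
    apex = domain.strip().lower().rstrip(".")
    found = set()
    for entry in raw_names:
        for name in entry.split("\n"):          # the JSON API packs several SANs into one value
            name = name.strip().lower().rstrip(".")
            while name.startswith("*."):
                name = name[2:]
            if name and (name == apex or name.endswith("." + apex)):
                found.add(name)
    return sorted(found)


def fetch_via_psql(domain: str) -> list:
    cmd = ["psql", "-t", "-A", "-h", "crt.sh", "-p", "5432", "-U", "guest", "certwatch",
           "-c", build_query(domain)]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=60, check=True).stdout.splitlines()


def fetch_via_http(domain: str) -> list:
    build_query(domain)                          # reuse the validation before the name goes into a URL
    url = f"https://crt.sh/?q=%25.{domain.strip().lower().rstrip('.')}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return [row["name_value"] for row in json.load(resp)]


def enumerate_subdomains(domain: str) -> list:
    try:
        rows = fetch_via_psql(domain)
    except (OSError, subprocess.SubprocessError):  # psql missing, DB unreachable, or timeout
        rows = fetch_via_http(domain)
    return normalize_names(rows, domain)
```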

mpgn commented 4 years ago

Nice @Ice3man543! Good work.