证书透明度(Certificate Transparency, CT)日志提供了一个公开的证书记录,可以用来发现域名。
技术原理:通过查询与目标域名相关的SSL/TLS证书,可以找到不同子域名的信息,因为这些证书通常包含了申请证书的域名信息。
示例代码:使用crt.sh && certspotter 的API进行查询。
import requests
import concurrent.futures
def fetch_from_crtsh(domain):
try:
url = f"https://crt.sh/?q=%.{domain}&output=json"
response = requests.get(url)
if response.status_code == 200:
return set(cert['name_value'] for cert in response.json() if 'name_value' in cert)
except Exception as e:
print(f"Error fetching from crt.sh: {e}")
return set()
def fetch_from_certspotter(domain):
try:
url = f"https://api.certspotter.com/v1/issuances?domain={domain}&expand=dns_names"
response = requests.get(url)
if response.status_code == 200:
return set(name for cert in response.json() for name in cert['dns_names'])
except Exception as e:
print(f"Error fetching from CertSpotter: {e}")
return set()
def main(domain):
with concurrent.futures.ThreadPoolExecutor() as executor:
futures = [
executor.submit(fetch_from_crtsh, domain),
executor.submit(fetch_from_certspotter, domain)
]
results = set().union(*[future.result() for future in concurrent.futures.as_completed(futures)])
print(f"Found {len(results)} unique subdomains for {domain}:")
for subdomain in sorted(results):
print(subdomain)
if __name__ == "__main__":
domain = "baidu.com" # 替换为你感兴趣的域名
main(domain)
8289
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
