证书透明度(Certificate Transparency, CT)日志是公开、可查询的证书记录,收录了公开信任的 CA 所签发的证书。由于查询的是日志而非目标本身,这是一种被动(passive)信息收集手段,可以在不向目标发送任何流量的情况下发现域名。
技术原理:查询 CT 日志中与目标域名相关的 SSL/TLS 证书,从证书的通用名(CN)和主题备用名称(SAN)字段中提取主机名,因为证书中记录了申请时声明的全部域名。需要注意:一张证书的 SAN 里可能混有与目标无关的域名,且日志只能说明某个域名曾经签发过证书,对应主机未必仍然存在,所以结果应限定在目标域范围内,并用 DNS 解析等方式进一步验证。
示例代码:分别调用 crt.sh 和 CertSpotter 的 API 进行查询,并合并两者的结果。
import concurrent.futures
import sys
from urllib.parse import quote

import requests
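def fetch_from_crtsh(domain: str, session=None, timeout: float = 15) -> set[str]:
    """Query crt.sh for certificates covering ``domain`` and return in-scope hostnames.

    Args:
        domain: Apex domain to search, e.g. ``"example.com"``. It is URL-encoded
            before being placed in the query string; the ``%.`` prefix is crt.sh's
            own "any subdomain" wildcard and is added here, not by the caller.
        session: Optional object exposing a ``requests``-compatible
            ``get(url, timeout=...)`` method (a ``requests.Session`` or a test
            double). Defaults to ``requests.get``.
        timeout: Seconds to wait for the HTTP response. crt.sh is frequently slow;
            the original call had no timeout, which can park a worker thread forever.

    Returns:
        A set of lowercase hostnames that are equal to ``domain`` or end in
        ``"." + domain``. Empty on HTTP, network, or JSON errors (the error is
        printed, not raised) so that one failing source never aborts the other.
    """
    target = domain.strip().lower().lstrip(".")
    if not target:
        return set()
    # Only the caller-supplied part is encoded: "%." is the crt.sh wildcard and
    # must stay literal, while "&" or "#" inside `domain` must not alter the query.
    url = f"https://crt.sh/?q=%.{quote(target, safe='')}&output=json"
    get = requests.get if session is None else session.get
    try:
        response = get(url, timeout=timeout)
        if response.status_code != 200:
            print(f"crt.sh returned HTTP {response.status_code} for {target}")
            return set()
        payload = response.json()
    except (OSError, ValueError) as e:
        # requests.RequestException subclasses IOError (OSError); response.json()
        # raises a ValueError subclass on a non-JSON body. Nothing else is expected.
        print(f"Error fetching from crt.sh: {e}")
        return set()
    if not isinstance(payload, list):
        # crt.sh answers a search with a JSON array; anything else is an error page.
        return set()
    found: set[str] = set()
    for cert in payload:
        if not isinstance(cert, dict):
            continue
        # name_value carries every identity on the certificate, newline-separated.
        # It can contain wildcards and SANs for unrelated domains sharing the cert,
        # so each entry is split, normalized and checked against the target scope.
        for raw in str(cert.get("name_value", "")).split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == target or name.endswith("." + target):
                found.add(name)
    return found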
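def fetch_from_certspotter(domain: str, session=None, timeout: float = 15) -> set[str]:
    """Query the CertSpotter issuance API for ``domain`` and return in-scope hostnames.

    Args:
        domain: Apex domain to search, e.g. ``"example.com"``; URL-encoded before use.
        session: Optional object exposing a ``requests``-compatible
            ``get(url, timeout=...)`` method (a ``requests.Session`` or a test
            double). Defaults to ``requests.get``. A session carrying an
            ``Authorization`` header can be passed if unauthenticated rate limits
            are hit -- check the current CertSpotter docs for the exact scheme.
        timeout: Seconds to wait for the HTTP response (the original call had none).

    Returns:
        A set of lowercase hostnames that are equal to ``domain`` or end in
        ``"." + domain``. Empty on HTTP, network, or JSON errors (printed, not
        raised) so that one failing source never aborts the other.

    NOTE(review): the v1 API paginates responses (an ``after=<id>`` cursor); only
    the first page is collected here, so large domains will be under-reported
    until a paging loop is added -- confirm against the current API docs.
    """
    target = domain.strip().lower().lstrip(".")
    if not target:
        return set()
    # include_subdomains=true asks for certificates issued to subdomains as well;
    # per the v1 API docs, without it only issuances for the exact name are returned.
    url = (
        "https://api.certspotter.com/v1/issuances"
        f"?domain={quote(target, safe='')}&include_subdomains=true&expand=dns_names"
    )
    get = requests.get if session is None else session.get
    try:
        response = get(url, timeout=timeout)
        if response.status_code != 200:
            print(f"CertSpotter returned HTTP {response.status_code} for {target}")
            return set()
        payload = response.json()
    except (OSError, ValueError) as e:
        # requests.RequestException subclasses IOError (OSError); response.json()
        # raises a ValueError subclass on a non-JSON body. Nothing else is expected.
        print(f"Error fetching from CertSpotter: {e}")
        return set()
    if not isinstance(payload, list):
        # Error responses are JSON objects, not the expected issuance array.
        return set()
    found: set[str] = set()
    for cert in payload:
        if not isinstance(cert, dict):
            continue
        # dns_names lists every SAN on the certificate; a missing key used to raise
        # KeyError and discard the whole batch. Wildcards and SANs for unrelated
        # domains are normalized away / filtered to the target scope.
        for raw in cert.get("dns_names") or []:
            name = str(raw).strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == target or name.endswith("." + target):
                found.add(name)
    return found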
def main(domain):
    """Collect names for ``domain`` from both CT sources concurrently and print them.

    Each fetcher runs in its own worker thread so the two slow HTTP calls overlap.
    Their result sets are merged (the set union de-duplicates names reported by
    both sources), then printed sorted under a one-line count header.
    """
    fetchers = (fetch_from_crtsh, fetch_from_certspotter)
    merged = set()
    with concurrent.futures.ThreadPoolExecutor() as pool:
        pending = [pool.submit(fetcher, domain) for fetcher in fetchers]
        for done in concurrent.futures.as_completed(pending):
            merged |= done.result()
    print(f"Found {len(merged)} unique subdomains for {domain}:")
    for name in sorted(merged):
        print(name)
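if __name__ == "__main__":
    # Target domain: first CLI argument if given, otherwise the original example.
    # Replace the default with the domain you are interested in.
    domain = sys.argv[1] if len(sys.argv) > 1 else "baidu.com"
    main(domain)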