CertGraph

A tool to crawl the graph of certificate Alternate Names

CertGraph crawls SSL certificates creating a directed graph where each domain is a node and the certificate alternative names for that domain’s certificate are the edges to other domain nodes. New domains are printed as they are found. Detailed mode upon completion, the Graph’s adjacency list is printed.

Crawling defaults to collecting certificate by connecting over TCP, however, there are multiple drivers that can search Certificate Transparency logs.

This tool was designed to be used for hostname enumeration via SSL certificates, but it can also show you a “chain” of trust between domains and the certificates that re-used between them.

Changelog v20220513

• fixed crt.sh driver
• added censys.io driver

Download

Usage

Usage of ./certgraph: [OPTION]... HOST...

	https://github.com/lanrat/certgraph

OPTIONS:

  -cdn

    	include certificates from CDNs

  -ct-expired

    	include expired certificates in certificate transparency search

  -ct-subdomains

    	include sub-domains in certificate transparency search

  -depth uint

    	maximum BFS depth to go (default 5)

  -details

    	print details about the domains crawled

  -driver string

    	driver to use [crtsh, google, http, smtp] (default "http")

  -json

    	print the graph as json, can be used for graph in web UI

  -ns

    	check for NS records to determine if domain is registered

  -parallel uint

    	number of certificates to retrieve in parallel (default 10)

  -sanscap int

    	maximum number of uniq TLD+1 domains in certificate to include, 0 has no limit (default 80)

  -save string

    	save certs to folder in PEM format

  -timeout uint

    	tcp timeout in seconds (default 10)

  -tldplus1

    	for every domain found, add tldPlus1 of the domain's parent

  -verbose

    	verbose logging

  -version

    	print version and exit

Drivers

CertGraph has multiple options for querying SSL certificates. The driver is responsible for retrieving the certificates for a given domain. Currently, there are the following drivers:

• http this is the default driver which works by connecting to the hosts over HTTPS and retrieving the certificates from the SSL connection
• smtp like the http driver, but connects over port 25 and issues the starttls command to retrieve the certificates from the SSL connection
• crtsh this driver searches Certificate Transparency logs via crt.sh. No packets are sent to any of the domains when using this driver
• google this is another Certificate Transparency driver that behaves like crtsh but uses the Google Certificate Transparency Lookup Tool

Copyright (C) 2017 lanrat

Source: https://github.com/lanrat/