Codebase list certgraph / master
master

Tree @master (Download .tar.gz)

CertGraph

A tool to crawl the graph of certificate Alternate Names

CertGraph crawls SSL certificates creating a directed graph where each domain is a node and the certificate alternative names for that domain's certificate are the edges to other domain nodes. New domains are printed as they are found. In Detailed mode upon completion the Graph's adjacency list is printed.

Crawling defaults to collecting certificate by connecting over TCP, however there are multiple drivers that can search Certificate Transparency logs.

This tool was designed to be used for host name enumeration via SSL certificates, but it can also show you a "chain" of trust between domains and the certificates that re-used between them.

Blog post with more information

Usage

Usage of ./certgraph: [OPTION]... HOST...
    https://github.com/lanrat/certgraph
OPTIONS:
  -cdn
        include certificates from CDNs
  -ct-expired
        include expired certificates in certificate transparency search
  -ct-subdomains
        include sub-domains in certificate transparency search
  -depth uint
        maximum BFS depth to go (default 5)
  -details
        print details about the domains crawled
  -driver string
        driver to use [crtsh, google, http, smtp] (default "http")
  -json
        print the graph as json, can be used for graph in web UI
  -ns
        check for NS records to determine if domain is registered
  -parallel uint
        number of certificates to retrieve in parallel (default 10)
  -sanscap int
        maximum number of uniq TLD+1 domains in certificate to include, 0 has no limit (default 80)
  -save string
        save certs to folder in PEM format
  -timeout uint
        tcp timeout in seconds (default 10)
  -tldplus1
        for every domain found, add tldPlus1 of the domain's parent
  -verbose
        verbose logging
  -version
        print version and exit

Drivers

CertGraph has multiple options for querying SSL certificates. The driver is responsible for retrieving the certificates for a given domain. Currently there are the following drivers:

  • http this is the default driver which works by connecting to the hosts over HTTPS and retrieving the certificates from the SSL connection

  • smtp like the http driver, but connects over port 25 and issues the starttls command to retrieve the certificates from the SSL connection

  • crtsh this driver searches Certificate Transparency logs via crt.sh. No packets are sent to any of the domains when using this driver

  • google this is another Certificate Transparency driver that behaves like crtsh but uses the Google Certificate Transparency Lookup Tool

Example

$ ./certgraph -details eff.org
eff.org 0       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
maps.eff.org    1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
https-everywhere-atlas.eff.org  1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
httpse-atlas.eff.org    1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
atlas.eff.org   1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
kittens.eff.org 1       Good    42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325

The above output represents the adjacency list for the graph for the root domain eff.org. The adjacency list is in the form: Node Depth Status Cert-Fingerprint

Releases

Precompiled releases will occasionally be uploaded to the releases github page. https://github.com/lanrat/certgraph/releases

Also available in BlackArch.

Compiling

To compile certgraph you must have a working go 1.11 or newer compiler on your system, as certgraph makes use of go's modules for dependencies. To compile for the running system compilation is as easy as running make

certgraph$ make
go build -o certgraph certgraph.go

Alternatively you can use go get to install with this one-liner:

go get -u github.com/lanrat/certgraph

Web UI

A web UI is provided in the docs folder and is accessible at the github pages url https://lanrat.github.io/certgraph/.

The web UI takes the output provided with the -json flag. The JSON graph can be sent to the web interface as an uploaded file, remote URL, or as the query string using the data variable.

Example 1: eff.org

eff.org graph

Example 2: google.com

google.com graph

Example 3: whitehouse.gov

whitehouse.gov graph

Commit History @master