Gathering domains/subdomains from an organization's IP ranges


  • One of the major roles in penetration testing is asset reconnaissance. The more information you gather, the more you win.
  • An organization may have one or many domains/sub-domains hosted under a certain IP range. Whether you can find them depends purely on the hosting method they use.
  • Many organizations use services such as Cloudflare or Amazon as their hosting providers, where scanning IP ranges for them is a pain. There are also a lot of organizations which are self-hosted.
https://www.hostingchecker.com
  • I wrote a short script to gather all possible domains/subdomains under an IP range by following these steps.

IPRANGE => take the IPs from the range one by one => find live IPs by checking whether port 443 is up, using the masscan Python module => fetch each IP's SSL certificate and read its Common Name (CN) => scrape the domain/subdomain from the certificate.

$ dig +short A walmart.com 
161.170.230.170
161.170.232.170
161.170.239.170
$ pip install python-masscan
$ pip install M2Crypto
$ python subs_cert.py 161.170.232.0/24
#!/usr/bin/python
import sys
import ssl
import threading
import queue
import xml.etree.ElementTree
import masscan
import M2Crypto

q = queue.Queue()
final_res = []

try:
    ip_range = sys.argv[1]
except IndexError:
    print('Usage: python subs_cert.py <IPRANGE>')
    sys.exit(1)
subs_ssl = []

# Step 1: find the hosts in the range that have port 443 open
try:
    mas = masscan.PortScanner()
    mas.scan(ip_range, ports='443')
    for host in mas.all_hosts:
        subs_ssl.append(host)
except (xml.etree.ElementTree.ParseError, masscan.masscan.NetworkConnectionError) as e:
    print('Probably iprange\'s is not valid/down')

def process_cert_subs(i):
    # Step 2: fetch the certificate and pull the Common Name out of the subject
    try:
        cert = ssl.get_server_certificate((str(i), 443))
        x509 = M2Crypto.X509.load_cert_string(cert)
        cert_val = x509.get_subject().as_text()
        cnames = cert_val.split('CN=')[1]
        if len(cnames) > 0:
            print(cnames)
            final_res.append(cnames)
    except (ssl.SSLError, OSError, IndexError):
        # no TLS on the port, a failed handshake, or a subject without a CN
        pass

def process_queue():
    while not q.empty():
        current_ip = q.get()
        process_cert_subs(current_ip)
        q.task_done()

if len(subs_ssl) > 0:
    for i in subs_ssl:
        i = str(i).strip('\r\n')
        q.put(i)
else:
    print('Empty ips.. Exiting..')
    sys.exit(1)

# Step 3: 100 worker threads pull IPs from the queue and check their certificates
for i in range(100):
    t = threading.Thread(target=process_queue)
    t.start()
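The script above only reads the certificate's CN, so it misses the extra hostnames a certificate carries in its Subject Alternative Name extension and does not separate the organization's own names from shared-hosting or CDN certificates. The added example below (not part of the original post) goes further: it works on the dict shape that Python's ssl getpeercert() returns, collects CN plus DNS SANs, strips wildcard labels, and keeps only names under the apex domains you pass in. The scan results it processes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: (ip, cert) pairs in the shape ssl.SSLSocket.getpeercert()
# returns for a verified connection. Not real scan output.
SAMPLE_SCAN = [
    ("161.170.232.10", {
        "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"),
                           ("DNS", "api.example.com"), ("IP Address", "161.170.232.10")),
    }),
    ("161.170.232.11", {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "mail.example.com")),
    }),
    # Shared/CDN host: the certificate belongs to somebody else's domain
    ("161.170.232.12", {
        "subject": ((("commonName", "cdn.othercorp.net"),),),
        "subjectAltName": (("DNS", "cdn.othercorp.net"),),
    }),
]

def names_from_cert(cert):
    """Return every hostname the certificate is valid for (CN plus DNS SANs),
    lowercased and with a leading '*.' wildcard label removed."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":  # skip 'IP Address' and email entries
            names.add(value)
    return {n[2:].lower() if n.startswith("*.") else n.lower() for n in names}

def in_scope(name, apex_domains):
    """True only for the apex itself or a real subdomain of it (label boundary)."""
    return any(name == d or name.endswith("." + d) for d in apex_domains)

def aggregate(scan, apex_domains):
    """Map each in-scope hostname to the IPs presenting it; out-of-scope names
    are returned separately so CDN/shared certs are not mistaken for assets."""
    hosts, foreign = defaultdict(set), defaultdict(set)
    for ip, cert in scan:
        for name in names_from_cert(cert):
            (hosts if in_scope(name, apex_domains) else foreign)[name].add(ip)
    return dict(hosts), dict(foreign)

if __name__ == "__main__":
    found, other = aggregate(SAMPLE_SCAN, {"example.com"})
    for name in sorted(found):
        print(name, "->", ", ".join(sorted(found[name])))
    print("out of scope:", sorted(other))
```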

Idea from : https://github.com/cheetz/sslScrape