Gathering domains/subdomains with IPRanges of organization

Arbaz Hussain
Sep 9, 2018 · 2 min read

  • One of the major roles in penetration testing is recon (asset discovery). The more information you gather, the more you win.
  • An organization may have one or many domains/subdomains hosted in a certain IP range. Finding them depends purely on the hosting approach the organization uses.
  • Many organizations use services such as Cloudflare, Amazon, etc. as their hosting providers, where scanning IP ranges for them is a pain; there are also a lot of organizations which are self-hosted.
https://www.hostingchecker.com
  • I wrote a short script to gather all possible domains/subdomains under the IP ranges by following these steps.

IPRANGE => take the IPs from the range one by one => find live hosts by checking whether port 443 is up using the masscan Python module => check each IP's SSL certificate and look for the Common Name (CN) => scrape the domain/subdomain from the certificate.

```shell
$ dig +short A walmart.com
161.170.230.170
161.170.232.170
161.170.239.170
$ pip install python-masscan
$ pip install M2Crypto
$ python subs_cert.py 161.170.232.0/24
```

```python
#!/usr/bin/python
import sys
import ssl
import threading
import queue
import xml.etree.ElementTree
import masscan    # pip install python-masscan
import M2Crypto   # pip install M2Crypto

q = queue.Queue()

try:
    ip_range = sys.argv[1]
except IndexError:
    print('Usage: python subs_cert.py <IPRANGE>')
    sys.exit(1)

subs_ssl = []

# Step 1: masscan the range for hosts that have port 443 open
try:
    mas = masscan.PortScanner()
    mas.scan(ip_range, ports='443')
    for host in mas.all_hosts:
        subs_ssl.append(host)
except (xml.etree.ElementTree.ParseError, masscan.masscan.NetworkConnectionError) as e:
    print('Probably iprange\'s is not valid/down')


def process_cert_subs(i):
    # Step 2: fetch the certificate from the IP and print the CN of its subject
    try:
        cert = ssl.get_server_certificate((str(i), 443))
        x509 = M2Crypto.X509.load_cert_string(cert)
        cert_val = x509.get_subject().as_text()
        cnames = cert_val.split('CN=')[1]
        if len(cnames) > 0:
            print(cnames)
    except (ssl.SSLError, OSError, IndexError):
        # handshake failure, timeout/refused connection, or a subject without a CN
        pass


def process_queue():
    while not q.empty():
        current_ip = q.get()
        process_cert_subs(current_ip)
        q.task_done()


if len(subs_ssl) > 0:
    for i in subs_ssl:
        q.put(str(i).strip())
else:
    print('Empty ips.. Exiting..')
    sys.exit(1)

# Step 3: 100 worker threads drain the queue concurrently
for i in range(100):
    t = threading.Thread(target=process_queue)
    t.start()
```
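The script above reads only the subject CN, but most certificates list their hostnames in the Subject Alternative Name extension. The following is an added example (not the author's script) that pulls both the CN and the DNS SANs from the dict shape the standard library's `getpeercert()` returns, keeps only names under the organisation's apex domains, and fetches the certificate without M2Crypto; `SAMPLE_CERT` is a constructed value, not a real certificate.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert() (not a real cert)
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Org"),),
                (("commonName", "www.example.org"),)),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.api.example.org"),
                       ("DNS", "EXAMPLE.ORG"),
                       ("IP Address", "203.0.113.10")),
}


def extract_hostnames(cert):
    """Return every DNS name the certificate claims: subject CN plus DNS SANs.
    Names are lower-cased for de-duplication; wildcard entries keep their '*.'
    prefix so the caller can tell them apart from concrete hosts."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def scope_filter(names, apex_domains):
    """Keep only names that belong to one of the organisation's apex domains;
    shared hosting often puts unrelated customers' names on the same cert."""
    apex = [a.lower() for a in apex_domains]

    def in_scope(name):
        host = name[2:] if name.startswith("*.") else name
        return any(host == a or host.endswith("." + a) for a in apex)

    return {n for n in names if in_scope(n)}


def fetch_cert(ip, timeout=5.0):
    """Connect to ip:443 and return the parsed peer certificate dict, or None.
    Caveat: the stdlib only fills the dict for a certificate it could verify
    against the system CA store, so self-signed hosts come back as None; that
    is why the original script parses the raw PEM with M2Crypto instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # scanning by IP, so no hostname to match
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=None) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None
```

Connecting by IP sends no SNI, so a server hosting several sites returns only its default certificate; probing with `server_hostname` set to a suspected name reveals the others.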

Idea from: https://github.com/cheetz/sslScrape
