- One of the major parts of penetration testing is asset reconnaissance. The more information you gather, the more you win.
- It is possible for an organization to have one or many domains/sub-domains hosted under a certain IP range. How to find them depends purely on the hosting setup they are using.
- Many organizations use services such as Cloudflare or Amazon as their hosting providers, where scanning IP ranges for them is a pain; there are also a lot of organizations which are self-hosted.
- I wrote a short script to gather all possible domains/subdomains under an IP range by following these steps:
IPRANGE => take IPs from the range one by one => find the live IPs by checking whether port 443 is open, using the masscan python module => fetch the SSL certificate of each live IP and look for the CN => scrape the domain/subdomain from the certificate.
```
$ dig +short A walmart.com
188.8.131.52
$ pip install python-masscan
$ pip install M2Crypto
$ python subs_cert.py 184.108.40.206/24
```

```python
#!/usr/bin/python
import queue
import socket
import ssl
import sys
import threading
import xml.etree.ElementTree
import masscan
import M2Crypto

q = queue.Queue()
final_res = []   # hostnames scraped from certificates
subs_ssl = []    # IPs in the range with port 443 open
if len(sys.argv) != 2:
    print('Usage: python subs_cert.py <IPRANGE>')
    sys.exit(1)
ip_range = sys.argv[1]

# Step 1: find hosts with 443 open (masscan needs root and a valid range)
mas = masscan.PortScanner()
try:
    mas.scan(ip_range, ports='443', arguments='--rate 1000')
    for host in mas.all_hosts:
        subs_ssl.append(host)
except (xml.etree.ElementTree.ParseError, masscan.masscan.NetworkConnectionError) as e:
    print('Probably iprange\'s is not valid/down')
    sys.exit(1)
socket.setdefaulttimeout(5)  # do not hang on hosts that accept but never handshake

def grab_cname(i):
    # Step 2: fetch the certificate and pull the subject CN out of it
    try:
        cert = ssl.get_server_certificate((str(i), 443))
        x509 = M2Crypto.X509.load_cert_string(cert)
        cert_val = x509.get_subject().as_text()
        cnames = cert_val.split('CN=')
        if len(cnames) > 1:            # split() always yields at least one element
            cname = cnames[1].split(',')[0].strip()
            print('%s -> %s' % (i, cname))
            final_res.append(cname)
    except (ssl.SSLError, socket.error) as e:   # SSLEOFError is a subclass of SSLError
        pass

def process_queue():
    while not q.empty():
        current_ip = q.get()
        grab_cname(current_ip)
        q.task_done()

if len(subs_ssl) > 0:
    for i in subs_ssl:
        q.put(str(i).strip('\n').strip('\r'))
else:
    print('Empty ips.. Exiting..')
    sys.exit(0)
for i in range(100):
    t = threading.Thread(target=process_queue)
    t.daemon = True
    t.start()
q.join()
```
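The script above only reads the subject CN, but most certificates today list their hostnames in the subjectAltName extension, and Python's stdlib `ssl` module returns both in the dict shape used below. The following is an added example, not the author's code: it extracts every DNS name from such a dict and flags the ones outside the domains an organization owns, so the same scan data also works as an inventory check on your own ranges. The certificate dict is constructed sample data.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    'subject': ((('countryName', 'US'),), (('commonName', 'www.example.com'),)),
    'subjectAltName': (
        ('DNS', 'www.example.com'),
        ('DNS', '*.api.example.com'),      # wildcard: keep the base domain
        ('DNS', 'LEGACY.Example.net'),     # mixed case, different registered domain
        ('IP Address', '203.0.113.7'),     # IP SANs are not hostnames
    ),
}


def hostnames_from_cert(cert):
    """Collect every DNS name a certificate vouches for: subject CN plus SAN dNSName entries,
    normalised to lowercase with wildcards reduced to their base domain."""
    raw = set()
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                raw.add(value)
    for kind, value in cert.get('subjectAltName', ()):
        if kind == 'DNS':
            raw.add(value)
    names = set()
    for name in raw:
        name = name.strip().lower().rstrip('.')
        if name.startswith('*.'):
            name = name[2:]
        try:
            ipaddress.ip_address(name)   # a CN that is a bare IP is not a hostname
            continue
        except ValueError:
            pass
        if name:
            names.add(name)
    return names


def unexpected_names(cert, owned_suffixes):
    """Names on the certificate that do not fall under any domain suffix you own."""
    owned = {s.lower().rstrip('.') for s in owned_suffixes}
    return {n for n in hostnames_from_cert(cert)
            if not any(n == s or n.endswith('.' + s) for s in owned)}
```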
Source: arbazkiraak/certasset (takes an IP range, scans for open SSL certificates, grabs CNs)
Idea from: https://github.com/cheetz/sslScrape