Skip to content

franccesco/getaltname

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

316 Commits
docs
docs
 
 
src/gsan
src/gsan
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

GSAN - Get Subject Alternative Names

GSAN is a tool that can extract Subject Alternative Names (SAN) found in SSL Certificates directly from https servers which can provide you with DNS names (subdomains) or virtual servers.

It doesn't rely on Certificate Transparency logs, it connects directly to the server and extracts the SANs from the certificate, which can be specially useful when you're analyzing internal servers or self-signed certificates.

Installation

Use pip (or pipx - recommended) to avoid contaminating your system with a bunch of dependencies.

$ pipx install --user gsan

You can also install and run it using Docker.

$ docker run --rm -i francc3sco/gsan <DOMAIN>

Usage

Basic usage is just passing the domain of an HTTPS server to the tool, and it will return a list of subdomains found in the certificate.

$ gsan microsoft.com

microsoft.com [126]:
- microsoft.com
- successionplanning.microsoft.com
- explore-security.microsoft.com
...
- wwwbeta.microsoft.com
- gigjam.microsoft.com
- mspartnerira.microsoft.com
...

Alternatively, you can pass a text file with a list of domains to scan by using the xargs command.

$ cat domains.txt | xargs gsan

google.com [93]:
- google.fr
...
- google.com.au

amazon.com [37]:
- uedata.amazon.com
...
- origin-www.amazon.com.au

youtube.com [93]:
- google.fr
...
- google.com.au

If you're using the dockerized version, you can achieve the same by doing:

$ cat domains.txt | xargs docker run --rm -i francc3sco/gsan

You can combine gsan with other tools like shodan to get a list of SANs found in a list of domains or IP addresses as long as you respect the IP|DOMAIN:PORT format.

$ shodan search --fields ip_str,port --separator : --limit 100 https | cut -d : -f 1,2 | xargs gsan --timeout 1

207.21.195.58 [1]:
- orielstat.com

162.159.135.42 [4]:
- temp927.kinsta.cloud
- temp312.kinsta.cloud

34.230.178.151 [2]:
- procareltc.com
- clarest.com

20.62.53.137 [1]:
- budget.lis.virginia.gov

199.60.103.228 [3]:
- hscoscdn40.net
- sites-proxy.hscoscdn40.net
...

You can also output to a file by using the --output flag which can be useful to then pass the output to other tools such as Nmap.

$ gsan microsoft.com --output microsoft.txt | nmap -iL microsoft.txt

Or, if you have a large list of domains:

$ cat domains.txt | xargs gsan --output domains.txt | nmap -iL domains.txt

Or, if you want chaos to take the world:

$ shodan search --fields ip_str,port --separator : --limit 1000 has_ipv6:false https | \
  cut -d : -f 1,2 | \
  xargs gsan --timeout 1 --output sans.txt && \
  sudo nmap -sS -F -vvv -iL sans.txt -oX import_to_metasploit.xml

About

Extract subdomains from SSL certificates in HTTPS sites.

franccesco.github.io/getaltname/

Topics

dns ssl information-retrieval tool https certificates discovery subdomain ssl-certificate infosec pentesting pentest ssl-certificates pentest-scripts pentest-tool extract-subdomains

Resources

Readme

License

MIT license
Activity

Stars

364 stars

Watchers

12 watching

Forks

74 forks
Report repository

Releases 13

v5.0.0 Latest
Aug 25, 2024
+ 12 releases

Packages

No packages published

Contributors 5

Languages