A tool to crawl the graph of certificate Alternate Names
CertGraph crawls SSL certificates creating a directed graph where each domain is a node and the certificate alternative names for that domain's certificate are the edges to other domain nodes. New domains are printed as they are found. In Detailed mode upon completion the Graph's adjacency list is printed.
Crawling defaults to collectng certificate by connecting over TCP, however there are multiple drivers that can search Certificate Transparency logs.
This tool was designed to be used for host name enumeration via SSL certificates, but it can also show you a "chain" of trust between domains and the certificates that re-used between them.
Usage of ./certgraph: [OPTION]... HOST... https://github.com/lanrat/certgraph OPTIONS: -cdn include certificates from CDNs -ct-expired include expired certificates in certificate transparancy search -ct-subdomains include sub-domains in certificate transparancy search -depth uint maximum BFS depth to go (default 5) -details print details about the domains crawled -driver string driver to use [http, smtp, google, crtsh] (default "http") -json print the graph as json, can be used for graph in web UI -parallel uint number of certificates to retrieve in parallel (default 10) -save string save certs to folder in PEM formate -timeout uint tcp timeout in seconds (default 10) -verbose verbose logging -version print version and exit
CertGraph has multiple options for querying SSL certificates. The driver is responsible for retrieving the certificates for a given domain. Currently there are the following drivers:
http this is the default driver which works by connecting to the hosts over HTTPS and retrieving the certificates from the SSL connection
smtp like the http driver, but connects over port 25 and issues the starttls command to retrieve the certificates from the SSL connection
crtsh this driver searches Certificate Transparency logs via crt.sh. No packets are sent to any of the domains when using this driver
google this is another Certificate Transparency driver that behaves like crtsh but uses the Googe Certificate Transparency Lookup Tool
$ ./certgraph -details eff.org eff.org 0 Good 42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325 maps.eff.org 1 Good 42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325 https-everywhere-atlas.eff.org 1 Good 42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325 httpse-atlas.eff.org 1 Good 42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325 atlas.eff.org 1 Good 42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325 kittens.eff.org 1 Good 42E3E4605D8BB4608EB64936E2176A98B97EBF2E0F8F93A64A6640713C7D4325
The above output represents the adjacency list for the graph for the root domain
eff.org. The adjacency list is in the form:
Node Depth Status Cert-Fingerprint
To compile certgraph you must have a working go 1.9 or newer compiler on your system, as well as the golang dep dependency management tool. To compile for the running system compilation is as easy as running make
certgraph$ make dep dep ensure certgraph$ make go build -o certgraph certgraph.go
Alternatively you can use
go get to install with this one-liner:
go get -u github.com/lanrat/certgraph
A web UI is provided in the docs folder and is accessable at the github pages url https://lanrat.github.io/certgraph/.
The web UI takes the output provided with the
-json flag. The JSON graph can be sent to the web interface as an uploaded file, remote URL, or as the query string using the data variable.