GSAN is a tool that extracts the Subject Alternative Names found in SSL certificates directly from HTTPS web sites, which can provide you with DNS names (subdomains) or virtual servers.
This tool extracts subdomain names from HTTPS sites and returns a list or CSV/JSON output of its findings. It is not a subdomain brute-force tool, and you can actually find those subdomains manually; this tool is about automating that process. It also offers the following features:
$ pip install --user gsan
You have 2 ways of executing GSAN: getting subdomain names from CRT.SH, in which case GSAN acts as a wrapper for CRT.SH, or getting subdomain names by directly connecting
    Usage: gsan [OPTIONS] COMMAND [ARGS]...

      Get subdomain names from SSL Certificates.

    Options:
      --version  Show the version and exit.
      --help     Show this message and exit.

    Commands:
      crtsh  Get domains from crt.sh
      scan   Scan domains from input or a text file, format is HOST[:PORT].
If you prefer to get the subdomain names directly from CRT.SH, you can do that by using the subcommand crtsh:
    $ gsan crtsh --help
    Usage: gsan crtsh [OPTIONS] [DOMAINS]...

      Get domains from crt.sh

    Options:
      -m, --match-domain     Match domain name only.
      -o, --output TEXT      Output to path/filename.
      -t, --timeout INTEGER  Set timeout for CRT.SH
      --help                 Show this message and exit.

    $ gsan crtsh facebook.com
    [+] Getting subdomains for facebook.com
    [+] Getting subdomains for facebook.com
    [+] Results:

    FACEBOOK.COM
    ↳ newdev.facebook.com
    ↳ dewey.vip.facebook.com
    ↳ secure.trunkstable.facebook.com
    ↳ facebook.com
    ↳ secure.intern.facebook.com
    -- SNIP --
    ↳ channel.facebook.com
    ↳ extools.facebook.com
    ↳ china--facebook.com
    ↳ adtools.facebook.com
    ↳ ak.facebook.com
Most programs that “abuse” certificate transparency are only wrappers for crt.sh; however, you can also extract subdomain names directly from the SSL certificates served by HTTPS services. This allows you to find subdomain names on services that use self-signed certificates, or on deployed services that are not listed anywhere. You can do this using the subcommand scan:
    $ gsan scan --help
    Usage: gsan scan [OPTIONS] [HOSTNAMES]...

      Scan domains from input or a text file, format is HOST[:PORT].

      e.g: gsan scan domain1.com domain2.com:port

      You can also pass a text file instead, just replace the first domain
      argument for a file.

      eg: gsan scan filename.txt

      If no ports are defined, then gsan assumes the port 443 is available.

    Options:
      -o, --output TEXT      Output to path/filename.
      -m, --match-domain     Match domain name only.
      -c, --crtsh            Include results from CRT.SH
      -t, --timeout INTEGER  Set timeout [default: 3]
      --help                 Show this message and exit.

    $ gsan scan facebook.com starbucks.com:443
    [+] Getting subdomains for facebook.com
    [+] Getting subdomains for starbucks.com
    [+] Results:

    FACEBOOK.COM
    ↳ facebook.com
    ↳ facebook.net
    ↳ fbcdn.net
    ↳ fbsbx.com
    ↳ m.facebook.com
    ↳ messenger.com
    ↳ xx.fbcdn.net
    ↳ xy.fbcdn.net
    ↳ xz.fbcdn.net

    STARBUCKS.COM
    ↳ starbucks.com
    ↳ beta.starbucks.com
    ↳ app.starbucks.fr
    ↳ starbucks.fr
    ↳ app.starbucks.co.uk
    ↳ starbucks.ie
    ↳ app.starbucks.com
    ↳ fr.starbucks.ca
    ↳ preview.starbucks.com
    ↳ starbucks.ca
    ↳ app.starbucks.com.br
    ↳ app.starbucks.ie
    ↳ starbucks.com.br
    ↳ fr.app.starbucks.ca
    ↳ starbucks.de
    ↳ starbucks.co.uk
    ↳ app.starbucks.de
    ↳ app.starbucks.ca
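One way the SAN list from a scan like the one above can be reduced to in-scope names, as an added example (not GSAN's own code): it reads the `subjectAltName` field in the format Python's `ssl.SSLSocket.getpeercert()` returns, and treats `--match-domain` as a suffix match on a label boundary, which is an assumption about that option. The function names and `SAMPLE_CERT` are hypothetical.

```python
import socket
import ssl

def san_dns_names(cert):
    """Return lowercase DNS names from a dict shaped like getpeercert() output."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":              # skip IP Address, URI and email entries
            continue
        name = value.lower().rstrip(".")
        if name.startswith("*."):      # wildcard entry: keep the parent name
            name = name[2:]
        if name and name not in names:
            names.append(name)
    return names

def match_domain(names, domain):
    """Assumed reading of --match-domain: keep domain itself and *.domain only."""
    domain = domain.lower().rstrip(".")
    return [n for n in names if n == domain or n.endswith("." + domain)]

def fetch_cert(host, port=443, timeout=3):
    """Fetch the peer certificate dict over TLS (needs network access).
    Default verification is used, so only certificates that validate are
    covered; with verification off, getpeercert() returns an empty dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "Beta.Example.com"),
        ("DNS", "example.net"),
        ("DNS", "notexample.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    names = san_dns_names(SAMPLE_CERT)
    print(names)
    print(match_domain(names, "example.com"))
```

The label-boundary check is what keeps a lookalike such as `notexample.com` out of the results for `example.com`, while names on other registered domains in the same certificate are dropped.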
You can also pass a list of hosts and their ports, formatted as host[:port] (port is optional), and gsan will go through them trying to extract subdomain names. You can use the same subcommand scan and pass a text file as argument instead of a domain name:
    $ gsan scan hosts.txt -o subdomains.csv
    [+] Getting subdomains for facebook.com
    [+] Getting subdomains for starbucks.com
    [+] Getting subdomains for fakedomain.com
    [!] Unable to connect to host fakedomain.com
    [+] Getting subdomains for amazon.com

    FACEBOOK.COM
    ↳ facebook.com
    ↳ facebook.net
    -- SNIP --
    ↳ xy.fbcdn.net
    ↳ xz.fbcdn.net

    STARBUCKS.COM
    ↳ starbucks.com
    ↳ beta.starbucks.com
    -- SNIP --
    ↳ app.starbucks.de
    ↳ app.starbucks.ca

    AMAZON.COM
    ↳ amazon.co.uk
    ↳ uedata.amazon.co.uk
    -- SNIP --
    ↳ bz.peg.a2z.com
    ↳ origin2-amazon.co.jp

    [+] Contents dumped into CSV file: subdomains.csv
You can save the results into a CSV or JSON file; the program will format the output based on the file extension.
Contribution is welcome, just remember:
v4.2.3
Author: Franccesco Orozco
Email: firstname.lastname@example.org
Website: https://codingdose.info