Folks, in day-to-day bug hunting, or when batch-scanning for a single PoC, you always end up with a pile of unknown assets, or a result set so large that verifying each asset's owner one by one costs far too much time. The certificate of an HTTPS site, however, shows who it was issued to, and assets attributed through their certificates are generally quite accurate.
After three and a half days of practising Python I wrote a small script that batch-extracts the domain names from sites' SSL certificates, to make asset attribution and batch bug hunting easier!
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
# Date: 09/09/2021
# Author: Crane
import argparse
import os
import socket
import ssl
import sys

import OpenSSL


def usage():
    print("Eg: \n python3 getcert.py -u 127.0.0.1")
    print(" python3 getcert.py -f ip.txt")


def getcert(server, port=443):
    """Fetch the leaf certificate the server presents and return its subject CN."""
    try:
        # No chain verification here on purpose: for asset attribution we want the
        # names the server presents, even on self-signed or expired certificates.
        cert = ssl.get_server_certificate((server, port))
    except (OSError, ValueError):  # DNS failure, refused, timeout, TLS error, bad host
        return None
    if not cert:
        return None
    result = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
    subject = result.get_subject()
    issued_to = subject.CN  # only take the domain name from the CN, nothing else
    return {"issued_to": issued_to}


if __name__ == '__main__':
    port = 443  # an integer port, not the string '443'
    socket.setdefaulttimeout(5)  # an unresponsive host must not block the whole batch
    parser = argparse.ArgumentParser(description="获取网站证书,可以单个获取和批量获取,不要带http头和端口号,如127.0.0.1或www.xxx.com")
    parser.add_argument('-u', '--url', type=str, help="单个地址获取")
    parser.add_argument('-f', '--file', type=str, help="批量获取证书,结果输入到当前目录result.txt")
    args = parser.parse_args()
    if args.url:
        issuedDic = getcert(args.url, port)
        if issuedDic is None:
            print("未找到ssl信息")
        else:
            print(issuedDic['issued_to'])
    elif args.file and os.path.isfile(args.file):
        with open(args.file) as target:
            hosts = [h.strip() for h in target.read().splitlines() if h.strip()]
        for host in hosts:
            issuedDic = getcert(host, port)
            if issuedDic is None:
                print(host + ":" + "未找到ssl信息")
            else:
                with open("result.txt", "a+") as f:
                    # str() because a certificate without a CN yields None
                    f.write(host + ":" + str(issuedDic['issued_to']) + "\n")
    else:
        parser.print_help()
        usage()
Remember to install the required library (pyOpenSSL) first. Let's look at the result.
Then you can classify the assets by the results.
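For the classification step, here is an added example (my code, not the post's) that turns the `host:name` lines the script produces into groups keyed by the certificate's base domain, so a large scan result can be triaged per owner instead of host by host. The sample lines are constructed (made-up IPs and names, merged as if the script's stdout and result.txt had been saved together); `base_domain`, `group_by_domain` and the tiny `SECOND_LEVEL_SUFFIXES` set are illustrative assumptions, the latter standing in for a real Public Suffix List lookup.

```python
# Added example, not part of the original post: group scanned hosts by the
# base domain of the certificate name the script recorded for them.
from collections import defaultdict

# Constructed sample output: "host:CN" lines as written to result.txt, plus the
# "not found" line the script prints for hosts without a usable certificate.
SAMPLE_RESULT = """\
10.0.0.1:*.example.com
10.0.0.2:www.example.com
10.0.0.3:mail.Example.COM
10.0.0.4:未找到ssl信息
10.0.0.5:localhost
10.0.0.6:shop.example.co.uk
"""

NOT_FOUND = "未找到ssl信息"

# Assumption: a minimal stand-in for the Public Suffix List. Without it
# "shop.example.co.uk" would collapse to the meaningless "co.uk".
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.cn", "com.au", "co.jp"}


def base_domain(cert_name):
    """Reduce a CN such as '*.a.Example.COM' to its base domain 'example.com'.

    Returns None for names that cannot identify an owner (single label such
    as 'localhost', empty labels, bare suffixes)."""
    name = cert_name.strip().lower().lstrip("*.")
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def group_by_domain(text):
    """Map base domain -> [hosts]; hosts without attribution go to two side buckets."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, sep, cert_name = line.partition(":")
        if not sep or cert_name == NOT_FOUND:
            groups["no-cert"].append(host)
            continue
        domain = base_domain(cert_name)
        groups[domain or "unattributed"].append(host)
    return dict(groups)


if __name__ == "__main__":
    for domain, hosts in sorted(group_by_domain(SAMPLE_RESULT).items()):
        print(f"{domain}: {', '.join(hosts)}")
```

The "no-cert" and "unattributed" buckets are worth keeping visible: they are exactly the hosts that still need manual attribution, while everything under a known base domain can be handed to that owner in one batch.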
But I don't know why fetching 火线 gives this kind of result; can the bros explain?
Bros, please like and comment!!!