Script hostmap-crtsh

Script types: hostrule
Categories: external, discovery
Download: https://svn.nmap.org/nmap/scripts/hostmap-crtsh.nse

Script Summary

Finds subdomains of a web server by querying Google's Certificate Transparency logs database (https://crt.sh).

The script will run against any target that has a name, either specified on the command line or obtained via reverse-DNS.

NSE implementation of ctfr.py (https://github.com/UnaPibaGeek/ctfr.git) by Sheila Berta.
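As an added example (not the script's own Lua, which is linked above), the Python below mirrors what hostmap-crtsh does: it builds the crt.sh JSON query URL for the target, parses a response, and keeps the unique hostnames under the target. The sample response and the helper names are constructed for this illustration.

```python
"""Offline walk-through of the hostmap-crtsh lookup against a constructed crt.sh response."""
import json
import re
import urllib.parse
import urllib.request

# Constructed stand-in for https://crt.sh/?q=%25.nmap.org&output=json
# (real entries carry more fields; only name_value and common_name matter here).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "nmap.org", "name_value": "nmap.org\nwww.nmap.org"},
    {"id": 2, "common_name": "svn.nmap.org", "name_value": "svn.nmap.org\n*.svn.nmap.org"},
    {"id": 3, "common_name": "WWW.NMAP.ORG", "name_value": "WWW.NMAP.ORG"},  # same host, different case
    {"id": 4, "common_name": "mail.example.com",
     "name_value": "mail.example.com\nnmap.org.example.com"},  # contains, but is not under, nmap.org
])

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def crtsh_query_url(domain):
    """URL the script asks crt.sh for: '%.' is the SQL-style wildcard, URL-encoded as %25."""
    return "https://crt.sh/?q=" + urllib.parse.quote("%." + domain, safe="") + "&output=json"


def fetch_crtsh(domain, timeout=30):
    """Live query (needs network); the demo below uses SAMPLE_CRTSH_JSON instead."""
    with urllib.request.urlopen(crtsh_query_url(domain), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def subdomains_from_crtsh(body, domain):
    """Return the sorted unique hostnames strictly under `domain` found in a crt.sh JSON body.
    name_value holds newline-separated SANs; wildcard labels are stripped (they are not
    resolvable hosts), names are lowercased, and the bare domain itself is not a subdomain."""
    suffix = "." + domain.lower()
    found = set()
    for entry in json.loads(body):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name.endswith(suffix) and HOSTNAME_RE.match(name):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print(crtsh_query_url("nmap.org"))
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "nmap.org"):
        print(host)  # svn.nmap.org, www.nmap.org
```

The sorted list is what the script reports under "subdomains:" and, with hostmap.prefix set, writes one per line to the output file.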

References:

  • www.certificate-transparency.org

Script Arguments

newtargets

If set, add the new hostnames to the scanning queue. Since the names presumably resolve to the same IP address as the original target, this is only useful for services such as HTTP that can change their behavior based on hostname.

hostmap.prefix

If set, saves the output for each host in a file called "<prefix><target>". The file contains one entry per line.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

max-newtargets

See the documentation for the target library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

  • nmap --script hostmap-crtsh --script-args 'hostmap-crtsh.prefix=hostmap-' <targets>
  • nmap -sn --script hostmap-crtsh <target>

Script Output

Host script results:
| hostmap-crtsh:
|   subdomains:
|     svn.nmap.org
|     www.nmap.org
|_  filename: output_nmap.org

Requires

Author:

  • Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html