This is a Python script that scrapes the Cert Spotter API for newly issued certificates for domains you are monitoring and dumps them to a Slack channel.
There are a number of use cases for why you might want to do this:
- Blue/Security teams should be proactively monitoring their domains for (i) misissuance of certificates and (ii) new infrastructure and services being spun up which may be inappropriately exposed to the public internet
- Red-teamers and Bug Bounty hunters alike can also use this to be alerted when certificates have been issued which could indicate new targets to perform recon and assessments on
The script has been written for, and is intended to run in, AWS Lambda.
Note: Please feel free to contribute and make pull requests as I know there will be more efficient ways to do this
The script does the following:
- Checks whether this is the first time the domain is being monitored (i.e., does a stored certificate ID for the domain already exist?)
- If this domain has not been monitored before then the script will call out to the Cert Spotter API, grab the latest issued certificate ID and store it in a marker file. We start monitoring from this point on.
- If this domain has already been monitored then the script pulls the certificate ID out of the marker file and checks to see if any certificates have been issued since that certificate ID
- Dump any new certificates to Slack
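The marker-file logic above, as an added example rather than the project's own script: it assumes one marker file per domain under the persistent path, a Cert Spotter-style issuance list where each entry carries a numeric-string `id` that grows with issuance order, and a Slack incoming-webhook body of the form `{"text": ...}`. The sample issuances are constructed, so it runs offline.

```python
import os
import tempfile

# Constructed sample shaped like a Cert Spotter-style issuance list (assumption: each entry has
# a numeric-string 'id' that grows with issuance order, plus 'dns_names' and 'issuer').
SAMPLE_ISSUANCES = [
    {"id": "101", "dns_names": ["www.example.com"], "issuer": "Example CA"},
    {"id": "102", "dns_names": ["mail.example.com"], "issuer": "Example CA"},
    {"id": "103", "dns_names": ["*.example.com"], "issuer": "Example CA"},
]

def read_marker(state_dir, domain):
    # One marker file per domain under the persistent path, holding the last seen cert id.
    try:
        with open(os.path.join(state_dir, f"{domain}.marker")) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None

def write_marker(state_dir, domain, cert_id):
    os.makedirs(state_dir, exist_ok=True)
    with open(os.path.join(state_dir, f"{domain}.marker"), "w") as fh:
        fh.write(cert_id)

def process_domain(state_dir, domain, issuances):
    """First run: store the newest id and alert on nothing (monitoring starts here).
    Later runs: return every issuance newer than the stored id, then advance the marker."""
    last_id = read_marker(state_dir, domain)
    if last_id is None:
        if issuances:
            write_marker(state_dir, domain, max((i["id"] for i in issuances), key=int))
        return []
    fresh = sorted((i for i in issuances if int(i["id"]) > int(last_id)), key=lambda i: int(i["id"]))
    if fresh:
        write_marker(state_dir, domain, fresh[-1]["id"])
    return fresh

def slack_payload(domain, issuances):
    # Body for a Slack incoming webhook: one line per new certificate with its SANs and issuer.
    lines = [f"{domain}: new cert id {i['id']} for {', '.join(i['dns_names'])} via {i['issuer']}"
             for i in issuances]
    return {"text": "\n".join(lines)}

def demo():
    """Run both diagram scenarios (first run, then a later run) in a fresh temp directory."""
    state_dir = tempfile.mkdtemp()
    first = process_domain(state_dir, "example.com", SAMPLE_ISSUANCES)
    later = SAMPLE_ISSUANCES + [{"id": "104", "dns_names": ["staging.example.com"], "issuer": "Example CA"}]
    second = process_domain(state_dir, "example.com", later)
    return first, second, read_marker(state_dir, "example.com")
```

Posting `slack_payload(...)` to the webhook URL is the only network step and is left to the caller.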
I have compared this script with Facebook's CT monitoring service, Cert Spotter (e-mail service) and several others - this tool always alerts me the fastest.
Here's a diagram which shows both scenarios (top: new domain and bottom: subsequent runs)
You'll need the following:
- Storage - local disk or S3 bucket - doesn't matter what you call it but it will be referenced in the script
- Cert Spotter API Credentials - there is a free tier which allows 100 full-domain queries/hour
- Slack Incoming Webhook - really easy to create an app and link it to a #channel of your choice
- Domains you want to monitor!
- Update the script with the above information
- Update the .yml if you intend to use it
Variable | Description
---|---
SLACK_WEBHOOK | Slack URL for notifications
MONITOR_DOMAINS | Comma-delimited list of domains to query from the API
CERTSPOTTER_API_TOKEN | Cert Spotter API token
FILESYSTEM_PATH | Volume mount target for persistence / state
SLEEP_DELAY | How long to wait between each call; adjust for rate limiting
LOG_FORMAT | `json` or `syslog` for logging flavor
DEBUG | `true`/`false`; adjusts the logger level for troubleshooting
A public Slack Workspace exists for a previous project of mine - I'm still on there so anyone can join to discuss new features, changes, feature requests or simply ask for help. Here's the invite link: