Blackcert monitors Certificate Transparency logs for a keyword. It collects every newly logged certificate whose domains match that keyword and also checks whether any matching domain looks like a phishing domain.
It was developed to proactively spot actors registering certificates for a domain for phishing purposes, although I have also found it useful for:
- monitoring certificate changes for your company, for example by configuring the keyword `splunk`
- monitoring/enumerating the customers of companies that use SANs, for example seeing all customers onboarded by fastly or medium, since they add a new domain alias to their shared certificate for each new customer. Configure `medium, fastly`
- monitoring for fraud sites that relate to topical things, for example all domains that have obtained a certificate containing the words `coronavirus, covid, chloroquine`.
- clone the project:

```
git clone https://github.com/d1vious/blackcert.git && cd blackcert
```

- install the dependencies in a virtualenv:

```
pip install virtualenv && virtualenv -p python3 venv && source venv/bin/activate && pip install -r requirements.txt
```

- configure the keywords to monitor (and optionally a Slack webhook) by editing blackcert.conf, then start it:

```
python blackcert.py
```

All results are printed and also written to results.log by default.
```
usage: blackcert.py [-h] [-c CONFIG] [-o OUTPUT] [-v]

starts listening for newly registered certificates and sends slack alerts when
it matches

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        path to the configuration file of blackcert
  -o OUTPUT, --output OUTPUT
                        path to a JSON log file of the matches
  -v, --version         shows current blackcert version
```
I recommend creating a bot channel, e.g. blackcert-bot, and then creating a webhook for it. Below is an example message for it. Protip: inviting the SOC into a bot channel like this will help them understand how certificates are being used in the org. 😉
The score calculation is graciously borrowed from Phishing Catcher, which was an inspiration for this project. It calculates the score using the following workflow:
- adds 20 points if the domain has a suspicious TLD
- adds points for higher entropy (random-looking names)
- adds 10 points for a fake .com, .net or .org embedded in the name, for example `*.com-account-management.info`
- adds points for suspicious keywords
- adds points for too many `-` characters in the domain, for example `www.paypal-datacenter.com-acccount-alert.com`
- adds points for deeply nested domains, for example `www.paypal.com.security.accountupdate.gq`
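To make the scoring workflow concrete, here is an added, stand-alone reimplementation of those six steps in Python. It is example code written for this README, not blackcert's or Phishing Catcher's own code: the TLD list, keyword weights, the hyphen threshold of three and the per-dot/per-hyphen multipliers are assumptions chosen so that the example domains above trigger the rules they illustrate. It returns the reasons alongside the score, which is what you want when an analyst asks why a domain was flagged.

```python
import math
import re

# Constructed, illustrative lists for this example. blackcert ships its own
# keyword/TLD configuration in blackcert.conf; these values are assumptions.
SUSPICIOUS_TLDS = (".gq", ".ga", ".cf", ".ml", ".tk", ".xyz", ".top")
SUSPICIOUS_KEYWORDS = {
    "paypal": 70, "login": 25, "account": 25, "secure": 20,
    "update": 15, "alert": 15, "verify": 20,
}
FAKE_TLD_LABELS = ("com", "net", "org")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def score_domain(domain):
    """Return (score, reasons) for one domain taken from a CT log entry.

    The order mirrors the workflow described above: suspicious TLD, entropy,
    fake .com/.net/.org, keywords, hyphen count, nesting depth.
    """
    score = 0
    reasons = []
    domain = domain.lower().rstrip(".")

    # 1. Suspicious (cheap, abuse-heavy) TLD: flat 20 points.
    if domain.endswith(SUSPICIOUS_TLDS):
        score += 20
        reasons.append("suspicious tld")

    # Wildcard certs report "*.example"; the star itself carries no signal.
    if domain.startswith("*."):
        domain = domain[2:]

    # Drop the real TLD so an inner "com" (paypal.com.evil.gq) stays visible.
    body = domain.rsplit(".", 1)[0] if "." in domain else domain

    # 2. Higher entropy: ten points per bit, rounded (assumed weighting).
    entropy_points = int(round(shannon_entropy(body) * 10))
    score += entropy_points
    reasons.append("entropy +%d" % entropy_points)

    labels = [w for w in re.split(r"[.-]", body) if w]

    # 3. Fake .com/.net/.org used as a label (*.com-account-management.info).
    if any(w in FAKE_TLD_LABELS for w in labels):
        score += 10
        reasons.append("fake tld label")

    # 4. Suspicious keywords, each with its own weight. Note that the typo
    #    "acccount" in the example above deliberately does not match "account".
    for word, weight in SUSPICIOUS_KEYWORDS.items():
        if word in body:
            score += weight
            reasons.append("keyword %s +%d" % (word, weight))

    # 5. Too many '-' (www.paypal-datacenter.com-acccount-alert.com has three).
    #    Punycode names legitimately contain 'xn--' and are skipped.
    hyphens = body.count("-")
    if "xn--" not in body and hyphens >= 3:
        score += hyphens * 3
        reasons.append("hyphens +%d" % (hyphens * 3))

    # 6. Deeply nested subdomains (www.paypal.com.security.accountupdate.gq).
    depth = body.count(".")
    if depth >= 3:
        score += depth * 3
        reasons.append("nesting +%d" % (depth * 3))

    return score, reasons


if __name__ == "__main__":
    for name in ("woodsnap.com",
                 "*.com-account-management.info",
                 "www.paypal-datacenter.com-acccount-alert.com",
                 "www.paypal.com.security.accountupdate.gq"):
        total, why = score_domain(name)
        print("%4d  %-46s %s" % (total, name, ", ".join(why)))
```

Running it prints the four domains from this section with their breakdown; `woodsnap.com` only collects entropy points, while the nested paypal lookalike picks up the TLD, fake-label, keyword and nesting bonuses at once. Because the entropy term is unbounded, a long random SAN entry can also score high on its own, so treat the reasons list, not just the total, as the thing to alert on.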
Below is an example of how objects are saved in results.json. Protip: indexing these in a system like Splunk or ES will allow you to create a nice histogram of certificate changes for your organization or a competitor, or even mine the data for enumeration purposes.

```json
{
  "timestamp": "2020-03-26T03:26:58.097680",
  "fingerprint": "51635745d6b7da0914196e6015023bac67351e86",
  "domain": "woodsnap.com",
  "subject": "/C=US/CN=sni.cloudflaressl.com/L=San Francisco/O=Cloudflare, Inc./ST=CA",
  "CA": [
    "CloudFlare Inc ECC CA-2",
    "Baltimore CyberTrust Root"
  ],
  "score": 29
}
```
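If you do not have Splunk or ES handy, the same histograms can be built straight from the log. The following is an added example, not part of blackcert, that parses the results file and aggregates by day, by issuing CA and by registered name. It assumes one JSON object per line with the fields shown above; the sample log is constructed for the example, and the second and third entries (including their fingerprints) are invented, not real certificates.

```python
import json
from collections import Counter

# Constructed sample log for this example. The first line mirrors the object
# shown above; the other entries and their fingerprints are made up, and the
# "not json" line stands in for a partial write you will see in real logs.
SAMPLE_RESULTS = """\
{"timestamp": "2020-03-26T03:26:58.097680", "fingerprint": "51635745d6b7da0914196e6015023bac67351e86", "domain": "woodsnap.com", "subject": "/C=US/CN=sni.cloudflaressl.com/L=San Francisco/O=Cloudflare, Inc./ST=CA", "CA": ["CloudFlare Inc ECC CA-2", "Baltimore CyberTrust Root"], "score": 29}
{"timestamp": "2020-03-26T04:10:02.000000", "fingerprint": "0000000000000000000000000000000000000001", "domain": "*.com-account-management.info", "subject": "/CN=com-account-management.info", "CA": ["Let's Encrypt Authority X3", "DST Root CA X3"], "score": 85}
{"timestamp": "2020-03-27T09:00:00.000000", "fingerprint": "0000000000000000000000000000000000000002", "domain": "www.paypal.com.security.accountupdate.gq", "subject": "/CN=accountupdate.gq", "CA": ["Let's Encrypt Authority X3", "DST Root CA X3"], "score": 160}
not json at all
"""


def parse_results(text):
    """Parse newline-delimited JSON, skipping lines that are not valid entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # truncated write or stray console output in the log
        if isinstance(obj, dict) and "domain" in obj and "timestamp" in obj:
            entries.append(obj)
    return entries


def registered_name(domain):
    """Collapse wildcards and subdomains to the last two labels (assumed
    good enough for de-duplication; multi-label suffixes like co.uk need a
    public-suffix list)."""
    labels = domain.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def by_day(entries):
    """Histogram of matches per UTC day, taken from the ISO timestamp prefix."""
    return Counter(e["timestamp"][:10] for e in entries)


def by_issuer(entries):
    """Histogram on the first CA entry (the issuing intermediate in the
    example above); the root sits last in the list."""
    return Counter(e["CA"][0] for e in entries if e.get("CA"))


def by_registered_name(entries):
    """Histogram per registered name, so SAN-heavy certs do not dominate."""
    return Counter(registered_name(e["domain"]) for e in entries)


def above_threshold(entries, min_score):
    """Entries at or above min_score, highest score first."""
    hits = [e for e in entries if e.get("score", 0) >= min_score]
    return sorted(hits, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    print("per day:   ", dict(by_day(results)))
    print("per issuer:", dict(by_issuer(results)))
    print("per name:  ", dict(by_registered_name(results)))
    for hit in above_threshold(results, 50):
        print("%4d %s (%s)" % (hit["score"], hit["domain"], hit["fingerprint"]))
```

The score threshold used for the Slack alert is a matter of tuning; the per-issuer histogram is often the more telling view, since a sudden burst of free-CA certificates for your brand keyword is a pattern worth investigating even when each individual domain scores low.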