Option to include / list unique hostname from certificate response #345

Closed
ehsandeep opened this issue Sep 9, 2023 · 0 comments · Fixed by #350
Labels
Priority: Medium This issue may be useful, and needs some attention. Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Enhancement Most issues will probably ask for additions or changes.

@ehsandeep
Please describe your feature request:

Option to list all the unique hostnames from the certificate that can be used for multiple purposes, including

  • Increase/improve asset discovery
  • Use this unique list to chain with other processes like vhost enumeration

   -dns    display unique hostname from SSL certificate response

Describe the use case of this feature:

CLI Output
echo google.com | tlsx -dns

2mdn-cn.net
admob-cn.com
ampproject.net.cn
ampproject.org.cn
android.clients.google.com
android.com
app-measurement-cn.com
appengine.google.com
bdn.dev
cloud.google.com
crowdsource.google.com
dartsearch-cn.net
datacompute.google.com
developer.android.google.cn
developers.android.google.cn
doubleclick-cn.net
doubleclick.cn
flash.android.com
fls.doubleclick-cn.net
fls.doubleclick.cn
g.cn
g.co
g.doubleclick-cn.net
g.doubleclick.cn
gcp.gvt2.com
gcpcdn.gvt1.com
ggpht.cn
gkecnapps.cn
goo.gl
google-analytics-cn.com
google-analytics.com
google.ca
google.cl
google.co.in
google.co.jp
google.co.uk
google.com
google.com.ar
google.com.au
google.com.br
google.com.co
google.com.mx
google.com.tr
google.com.vn
google.de
google.es
google.fr
google.hu
google.it
google.nl
google.pl
google.pt
googleadapis.com
googleadservices-cn.com
googleapis-cn.com
googleapis.cn
googleapps-cn.com
googlecnapps.cn
googlecommerce.com
googledownloads.cn
googleflights-cn.net
googleoptimize-cn.com
googlesandbox-cn.com
googlesyndication-cn.com
googletagmanager-cn.com
googletagservices-cn.com
googletraveladservices-cn.com
googlevads-cn.com
googlevideo.com
gstatic-cn.com
gstatic.cn
gstatic.com
gvt1-cn.com
gvt1.com
gvt2-cn.com
gvt2.com
metric.gstatic.com
origin-test.bdn.dev
recaptcha-cn.net
recaptcha.net.cn
safeframe.googlesyndication-cn.com
safenup.googlesandbox-cn.com
source.android.google.cn
urchin.com
url.google.com
widevine.cn
www.goo.gl
youtu.be
youtube-nocookie.com
youtube.com
youtubeeducation.com
youtubekids.com
yt.be
ytimg.com
JSONL Output
echo google.com | tlsx -dns -j

{
  "timestamp": "2023-09-09T15:47:41.667758+05:30",
  "host": "google.com",
  "ip": "142.250.207.206",
  "port": "443",
  "probe_status": true,
  "tls_version": "tls13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "not_before": "2023-08-14T08:16:28Z",
  "not_after": "2023-11-06T08:16:27Z",
  "subject_dn": "CN=*.google.com",
  "subject_cn": "*.google.com",
  "subject_an": [
    "*.google.com",
    "*.appengine.google.com",
    "*.bdn.dev",
    "*.origin-test.bdn.dev",
    "*.cloud.google.com",
    "*.crowdsource.google.com",
    "*.datacompute.google.com",
    "*.google.ca",
    "*.google.cl",
    "*.google.co.in",
    "*.google.co.jp",
    "*.google.co.uk",
    "*.google.com.ar",
    "*.google.com.au",
    "*.google.com.br",
    "*.google.com.co",
    "*.google.com.mx",
    "*.google.com.tr",
    "*.google.com.vn",
    "*.google.de",
    "*.google.es",
    "*.google.fr",
    "*.google.hu",
    "*.google.it",
    "*.google.nl",
    "*.google.pl",
    "*.google.pt",
    "*.googleadapis.com",
    "*.googleapis.cn",
    "*.googlevideo.com",
    "*.gstatic.cn",
    "*.gstatic-cn.com",
    "googlecnapps.cn",
    "*.googlecnapps.cn",
    "googleapps-cn.com",
    "*.googleapps-cn.com",
    "gkecnapps.cn",
    "*.gkecnapps.cn",
    "googledownloads.cn",
    "*.googledownloads.cn",
    "recaptcha.net.cn",
    "*.recaptcha.net.cn",
    "recaptcha-cn.net",
    "*.recaptcha-cn.net",
    "widevine.cn",
    "*.widevine.cn",
    "ampproject.org.cn",
    "*.ampproject.org.cn",
    "ampproject.net.cn",
    "*.ampproject.net.cn",
    "google-analytics-cn.com",
    "*.google-analytics-cn.com",
    "googleadservices-cn.com",
    "*.googleadservices-cn.com",
    "googlevads-cn.com",
    "*.googlevads-cn.com",
    "googleapis-cn.com",
    "*.googleapis-cn.com",
    "googleoptimize-cn.com",
    "*.googleoptimize-cn.com",
    "doubleclick-cn.net",
    "*.doubleclick-cn.net",
    "*.fls.doubleclick-cn.net",
    "*.g.doubleclick-cn.net",
    "doubleclick.cn",
    "*.doubleclick.cn",
    "*.fls.doubleclick.cn",
    "*.g.doubleclick.cn",
    "dartsearch-cn.net",
    "*.dartsearch-cn.net",
    "googletraveladservices-cn.com",
    "*.googletraveladservices-cn.com",
    "googletagservices-cn.com",
    "*.googletagservices-cn.com",
    "googletagmanager-cn.com",
    "*.googletagmanager-cn.com",
    "googlesyndication-cn.com",
    "*.googlesyndication-cn.com",
    "*.safeframe.googlesyndication-cn.com",
    "app-measurement-cn.com",
    "*.app-measurement-cn.com",
    "gvt1-cn.com",
    "*.gvt1-cn.com",
    "gvt2-cn.com",
    "*.gvt2-cn.com",
    "2mdn-cn.net",
    "*.2mdn-cn.net",
    "googleflights-cn.net",
    "*.googleflights-cn.net",
    "admob-cn.com",
    "*.admob-cn.com",
    "googlesandbox-cn.com",
    "*.googlesandbox-cn.com",
    "*.safenup.googlesandbox-cn.com",
    "*.gstatic.com",
    "*.metric.gstatic.com",
    "*.gvt1.com",
    "*.gcpcdn.gvt1.com",
    "*.gvt2.com",
    "*.gcp.gvt2.com",
    "*.url.google.com",
    "*.youtube-nocookie.com",
    "*.ytimg.com",
    "android.com",
    "*.android.com",
    "*.flash.android.com",
    "g.cn",
    "*.g.cn",
    "g.co",
    "*.g.co",
    "goo.gl",
    "www.goo.gl",
    "google-analytics.com",
    "*.google-analytics.com",
    "google.com",
    "googlecommerce.com",
    "*.googlecommerce.com",
    "ggpht.cn",
    "*.ggpht.cn",
    "urchin.com",
    "*.urchin.com",
    "youtu.be",
    "youtube.com",
    "*.youtube.com",
    "youtubeeducation.com",
    "*.youtubeeducation.com",
    "youtubekids.com",
    "*.youtubekids.com",
    "yt.be",
    "*.yt.be",
    "android.clients.google.com",
    "developer.android.google.cn",
    "developers.android.google.cn",
    "source.android.google.cn"
  ],
  "hostname": [
    "2mdn-cn.net",
    "admob-cn.com",
    "ampproject.net.cn",
    "ampproject.org.cn",
    "android.clients.google.com",
    "android.com",
    "app-measurement-cn.com",
    "appengine.google.com",
    "bdn.dev",
    "cloud.google.com",
    "crowdsource.google.com",
    "dartsearch-cn.net",
    "datacompute.google.com",
    "developer.android.google.cn",
    "developers.android.google.cn",
    "doubleclick-cn.net",
    "doubleclick.cn",
    "flash.android.com",
    "fls.doubleclick-cn.net",
    "fls.doubleclick.cn",
    "g.cn",
    "g.co",
    "g.doubleclick-cn.net",
    "g.doubleclick.cn",
    "gcp.gvt2.com",
    "gcpcdn.gvt1.com",
    "ggpht.cn",
    "gkecnapps.cn",
    "goo.gl",
    "google-analytics-cn.com",
    "google-analytics.com",
    "google.ca",
    "google.cl",
    "google.co.in",
    "google.co.jp",
    "google.co.uk",
    "google.com",
    "google.com.ar",
    "google.com.au",
    "google.com.br",
    "google.com.co",
    "google.com.mx",
    "google.com.tr",
    "google.com.vn",
    "google.de",
    "google.es",
    "google.fr",
    "google.hu",
    "google.it",
    "google.nl",
    "google.pl",
    "google.pt",
    "googleadapis.com",
    "googleadservices-cn.com",
    "googleapis-cn.com",
    "googleapis.cn",
    "googleapps-cn.com",
    "googlecnapps.cn",
    "googlecommerce.com",
    "googledownloads.cn",
    "googleflights-cn.net",
    "googleoptimize-cn.com",
    "googlesandbox-cn.com",
    "googlesyndication-cn.com",
    "googletagmanager-cn.com",
    "googletagservices-cn.com",
    "googletraveladservices-cn.com",
    "googlevads-cn.com",
    "googlevideo.com",
    "gstatic-cn.com",
    "gstatic.cn",
    "gstatic.com",
    "gvt1-cn.com",
    "gvt1.com",
    "gvt2-cn.com",
    "gvt2.com",
    "metric.gstatic.com",
    "origin-test.bdn.dev",
    "recaptcha-cn.net",
    "recaptcha.net.cn",
    "safeframe.googlesyndication-cn.com",
    "safenup.googlesandbox-cn.com",
    "source.android.google.cn",
    "urchin.com",
    "url.google.com",
    "widevine.cn",
    "www.goo.gl",
    "youtu.be",
    "youtube-nocookie.com",
    "youtube.com",
    "youtubeeducation.com",
    "youtubekids.com",
    "yt.be",
    "ytimg.com"
  ],
  "serial": "37:E9:82:7A:AE:D7:7B:A2:10:C2:A3:FB:D8:57:94:A4",
  "issuer_dn": "CN=GTS CA 1C3, O=Google Trust Services LLC, C=US",
  "issuer_cn": "GTS CA 1C3",
  "issuer_org": [
    "Google Trust Services LLC"
  ],
  "fingerprint_hash": {
    "md5": "9efe46135dafacc1d99786107afe7dba",
    "sha1": "5a485b27a7fb0bd663838e8e80db29b72c72a88e",
    "sha256": "440c58514c737c67daa272298168cdfc51b5796566f055fa55c44530bbdd0982"
  },
  "wildcard_certificate": true,
  "tls_connection": "ctls",
  "sni": "google.com"
}

This unique hostname list can be obtained as follows:

  1. Read certificate response values from the subject_cn + subject_an fields.
  2. Remove the *. prefix from wildcard hostnames.
  3. Deduplicate the list to get the final list.

ehsandeep added the Type: Enhancement and Priority: Medium labels Sep 9, 2023
dogancanbakir self-assigned this Sep 13, 2023
tarunKoyalwar linked a pull request Sep 18, 2023 that will close this issue
ehsandeep added the Status: Completed label Sep 19, 2023
ehsandeep added this to the tlsx v1.1.5 milestone Sep 28, 2023
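
The three steps listed in the issue, written out as an added Go example; this is not the tlsx implementation or the code merged in #350. The names `certRecord`, `uniqueHostnames` and `sampleLine` are hypothetical, the record is constructed, and the lower-casing, trailing-dot trimming and skipping of non-hostname values are assumptions that go beyond the three steps.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strings"
)

// certRecord holds the two tlsx JSONL fields named in the issue.
type certRecord struct {
	SubjectCN string   `json:"subject_cn"`
	SubjectAN []string `json:"subject_an"`
}

// uniqueHostnames collects CN + SANs, strips "*.", deduplicates and sorts.
func uniqueHostnames(jsonLine string) ([]string, error) {
	var rec certRecord
	if err := json.Unmarshal([]byte(jsonLine), &rec); err != nil {
		return nil, err
	}
	seen := map[string]struct{}{}
	for _, name := range append([]string{rec.SubjectCN}, rec.SubjectAN...) {
		// Assumption: DNS names are case-insensitive, so normalise before comparing.
		name = strings.ToLower(strings.TrimSpace(name))
		name = strings.TrimSuffix(strings.TrimPrefix(name, "*."), ".")
		// Skip non-hostnames: empty, free-text CNs, IP literals, inner wildcards.
		if name == "" || strings.ContainsAny(name, " *") || net.ParseIP(name) != nil {
			continue
		}
		seen[name] = struct{}{}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts, nil
}

// sampleLine is a constructed record (example.com names), not real tlsx output.
const sampleLine = `{"subject_cn":"*.example.com","subject_an":["*.example.com","example.com","*.api.example.com","API.example.com","192.0.2.10","www.example.com."]}`

func main() {
	fmt.Println(uniqueHostnames(sampleLine))
}
```

Stripping `*.` yields the parent name of a wildcard, not a list of hosts that exist under it, so treat each entry as a candidate to resolve before adding it to an asset inventory.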