Franccesco Orozco edited this page Jul 16, 2018 · 3 revisions

What is GSAN?

GSAN is a tool that extracts subdomain names from HTTPS certificates, more precisely from one extension inside the certificate.

How does GSAN work?

First it connects to a target on port 443 by default, though it can be any port that serves HTTPS. Then it requests the certificate and analyzes it, looking for an extension called Subject Alternative Name (or SAN).

After it finds the certificate, it filters the entries to find subdomain names and, optionally (flag -m), keeps only subdomains ending in the same domain.

It basically automates the process that you can do all by yourself with a few clicks.
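The steps above (connect over TLS, read the SAN extension, keep the DNS entries, optionally match them against one domain) plus the wildcard and leading-dot stripping described further down, as an added example in plain Python. This is not GSAN's own code; it uses only the standard library, and the SAMPLE_CERT dict is a constructed stand-in shaped like what ssl's getpeercert() returns.

```python
"""Minimal re-implementation of the GSAN idea (added example, not GSAN's code):
fetch a host's certificate over TLS, read its Subject Alternative Name
extension, and filter/normalise the DNS entries."""
import socket
import ssl


def san_entries_from_peercert(cert):
    """Return the DNS names from an ssl.SSLSocket.getpeercert()-style dict.

    getpeercert() only fills in parsed fields when the chain verified; for a
    self-signed or otherwise untrusted certificate you would instead take
    getpeercert(binary_form=True) and parse the DER with a library such as
    `cryptography`. IP and email entries in the SAN are ignored here."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def normalise_names(names, match_domain=None):
    """Strip wildcard prefixes ("*.") and leading dots, lower-case, drop
    duplicates, and optionally keep only names under match_domain (the apex
    itself included), like GSAN's -m flag."""
    out = []
    seen = set()
    for name in names:
        n = name.strip().lower()
        if n.startswith("*."):
            n = n[2:]
        n = n.lstrip(".")
        if not n:
            continue
        if match_domain:
            d = match_domain.lower().lstrip(".")
            if n != d and not n.endswith("." + d):
                continue
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def fetch_peercert(host, port=443, timeout=5.0):
    """Open a verifying TLS connection and return the parsed peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def get_san(host, port=443, match_domain=None):
    """Network path: the whole pipeline against a live host."""
    return normalise_names(san_entries_from_peercert(fetch_peercert(host, port)), match_domain)


# Constructed sample (not a real certificate), shaped like getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", ".mail.example.com"),
        ("DNS", "examplepage.eu"),
        ("IP Address", "203.0.113.10"),
        ("DNS", "WWW.EXAMPLE.COM"),
    ),
}


if __name__ == "__main__":
    import sys

    # With a hostname argument the certificate is fetched live; without one
    # the constructed sample is used so the script runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peercert(target) if target else SAMPLE_CERT
    for entry in normalise_names(san_entries_from_peercert(cert), match_domain="example.com"):
        print(entry)
```

Run with no arguments to see the sample reduced to example.com, www.example.com and mail.example.com (examplepage.eu is dropped by the domain match, and the wildcard, leading-dot and upper-case variants collapse onto the same names). Passing a hostname performs the real fetch on port 443.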

If I can do it by myself then why use your tool?

It offers more features, such as Nmap integration: you can pass Nmap's XML output directly instead of a host and it will analyze all of the HTTPS services found. It can also output to a text file, a JSON file or even your clipboard, so you can paste your hosts right into the terminal and feel like a ninja.
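How the Nmap side of that integration can work, as an added example that is not GSAN's code: read an Nmap XML report and collect every open TCP port Nmap believes speaks TLS, so each (host, port) pair can be handed to a SAN extractor. The XML below is constructed and trimmed to the elements the example reads; Nmap marks TLS either with tunnel="ssl" on the service element or with an https* service name.

```python
"""Added example (not GSAN's own code): pick the TLS-wrapped services out of
an Nmap XML report."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML sample, reduced to the elements this example uses.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def looks_like_tls(service):
    """True when Nmap flagged the service as SSL-tunnelled or named it https*."""
    if service is None:
        return False
    if service.get("tunnel") == "ssl":
        return True
    return service.get("name", "").startswith("https")


def tls_targets_from_nmap_xml(xml_text):
    """Return [(host, port), ...] for every open TCP port that looks like TLS.

    The user-supplied hostname is preferred over the IPv4 address because the
    certificate fetch needs a name for SNI; hosts with neither are skipped."""
    targets = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        if name is not None:
            label = name.get("name")
        elif addr is not None:
            label = addr.get("addr")
        else:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            if looks_like_tls(port.find("service")):
                targets.append((label, int(port.get("portid"))))
    return targets


if __name__ == "__main__":
    for host, port in tls_targets_from_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{host}:{port}")
```

On the sample this yields www.example.com on 443 and 8443; port 80 and 22 are not TLS and the second host's 443 is closed, so they are skipped. Each pair is exactly what the certificate-fetching step needs.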

It also integrates with the website https://crt.sh/: it requests more certificates from that site and analyzes their certificate information. You can also match the domain name so you don't get examplepage.eu when your attack scope is example.com.

It also strips wildcards like * and leading dots like .example.com so you get cleaner output.

But why?

It allows you to gather more information about hidden and misconfigured services under the same domain. For example, if you check example.com (obviously just an example), you may find out about a subdomain called ftp.example.com or vulnerableservice.example.com, which gives you more attack vectors without being so noisy.

Is this the same as brute force?

No. It doesn't make any requests to a DNS server, doesn't resolve domain names, and doesn't abuse any type of request such as AXFR. It only reads these domains from an HTTPS certificate.

These subdomain names might have even expired, and it also doesn't give you all of the subdomains under a domain; for that you would have to actively brute force a DNS server. But if you don't want to be noisy and get blocked, then go ahead and give this tool a try using the -s flag to acquire more domain names from certificates found on https://crt.sh/.