Script hostmap-crtsh does not return just subdomains

[nnposter]

The script is described as

Finds subdomains of a web server by querying Google's Certificate Transparency logs database (https://crt.sh).

At the moment the script reports all hostname-like identities where the input/target hostname is present somewhere in the identity. Specifically, the script does not verify that a returned identity is truly a subdomain of the target hostname.

As an example, one of the returned identities for google.com is google.com.gr. An even more egregious example is that www.google.com returns www.google.com-----------------r.reflectiz.com.

I am inclined to fix this but first I am soliciting feedback whether there are users that use the script to fish out domains that are not strictly subdomains. One possibility is to control the script behavior with a script argument.

[cldrn]

The original idea was subdomains but I do see value of discovering other domains, possibly malicious used for phishing. I think the best way would be to add an argument so we support both use cases.

Ps. Thanks for updating the script! We are currently down to only 1 hostmap script, hostmap-robtex is still broken!

[Rishabh-Kumar-07]

Hi! I would like to work on it.

[loid122]

Hi, I would like to solve this.

[Sweekar-cmd]

Hi, I would like to work on this issue.
My plan:

• Add strict subdomain filtering
• Add script-arg hostmap-crtsh.all to return all identities if needed
• Use proper suffix matching to ensure only real subdomains are returned
  Let me know if this approach is okay.