Using Censys to find subdomains, but without the APIs. Censys is a known service offering lots of information on a variety of networks. We use this approach on our online service only when we have hit the limit given to us. Thanks to Censys search.

Part of this code is taken from theHarvester, as it currently uses the non-API approach.

- theHarvester online

Requirements:

- beautifulsoup4
- censys
- dnspython
- requests
$ pip3 install -r requirements.txt
$ python3 censys_subdomain_finder.py -d nmmapper.com
Searching certificates results page 2.
Searching certificates results page 3.
Searching certificates results page 4.
Searching certificates results page 5.
[
"p352931.goaccess.nmmapper.com",
"clk.nmmapper.com",
"d1.nmmapper.com",
"*.nmmapper.com",
"celery.nmmapper.com",
"www.nmmapper.com",
"a2.nmmapper.com",
"p352931.nmmapper.com",
"analytics.nmmapper.com",
"p352931-cdn.nmmapper.com",
"upstream.d.nmmapper.com",
"p0-cdn.nmmapper.com",
"upstream.nmmapper.com",
"mail.nmmapper.com",
"goaccess.nmmapper.com",
"a1.nmmapper.com",
"nmmapper.com"
]
Limiting the query with -l:
$ python3 censys_subdomain_finder.py -d nmmapper.com -l 2000
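
The output shown above mixes progress lines, a JSON array, and wildcard certificate names such as `*.nmmapper.com`. The following is an added example, not part of censys_subdomain_finder.py, for triaging that output when inventorying what your own certificates expose; the function names and the two extra sample entries (`WWW.nmmapper.com.` and `nmmapper.com.example.org`) are constructed for illustration.

```python
import json

# Constructed sample: the tool's output format, shortened, plus two
# made-up entries to exercise normalization and scope filtering.
SAMPLE_OUTPUT = '''Searching certificates results page 2.
Searching certificates results page 3.
[
"clk.nmmapper.com",
"*.nmmapper.com",
"WWW.nmmapper.com.",
"www.nmmapper.com",
"mail.nmmapper.com",
"nmmapper.com",
"nmmapper.com.example.org"
]
'''

def parse_tool_output(text):
    """Return the JSON array printed after the progress lines."""
    start = text.index("[")
    end = text.rindex("]") + 1
    return json.loads(text[start:end])

def normalize(name):
    """Lower-case and drop whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")

def in_scope(name, domain):
    """True only for the domain itself or a real subdomain of it."""
    return name == domain or name.endswith("." + domain)

def triage(names, domain):
    """Split names into concrete hosts, wildcard entries and out-of-scope names."""
    domain = normalize(domain)
    hosts, wildcards, rejected = set(), set(), set()
    for raw in names:
        name = normalize(raw)
        if name.startswith("*."):
            # A wildcard SAN is not a resolvable host; track it separately.
            bucket = wildcards if in_scope(name[2:], domain) else rejected
            bucket.add(name)
        elif in_scope(name, domain):
            hosts.add(name)
        else:
            # e.g. nmmapper.com.example.org only contains the domain as a prefix.
            rejected.add(name)
    return sorted(hosts), sorted(wildcards), sorted(rejected)
```

Only the `hosts` list is suitable for follow-up checks such as DNS resolution; wildcard entries describe certificate coverage rather than individual hosts.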