CertGraph
CertGraph crawls SSL certificates to build a directed graph of certificate Subject Alternative Names for domain enumeration. It reveals chains of trust between domains sharing certificates.
Description
CertGraph is a tool designed for host name enumeration via SSL certificates. It crawls certificates to create a directed graph where domains are nodes and alternative names in certificates form edges to other domains. New domains are printed as discovered, and in detailed mode, the graph's adjacency list is output upon completion.
The tool supports multiple drivers. By default it collects certificates over TCP connections, but it can also search Certificate Transparency logs. It helps uncover relationships between domains through shared certificates, showing chains of trust.
Use cases include reconnaissance for bug bounties, security assessments, and mapping certificate reuse across domains.
How It Works
CertGraph performs a breadth-first search (BFS) starting from given hosts, with a default maximum depth of 5. It connects over TCP by default to fetch certificates or uses Certificate Transparency log drivers. Domains from Subject Alternative Names (SANs) become graph edges. Expired certificates and subdomains can be included via specific flags, with CDN certificates optionally added.
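The depth-limited BFS described above, as an added example (not CertGraph's own code) that shows how shared SANs turn into graph edges when auditing certificate reuse across hosts you are responsible for. The certificate fetch is replaced by a constructed host-to-SAN map; the names Crawl, normalize and sampleSANs, the wildcard stripping, and the depth rule (roots are depth 0, hosts more than maxDepth hops away are not visited) are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample (stands in for a TCP or CT driver): host -> SAN DNS names.
var sampleSANs = map[string][]string{
	"example.com":      {"example.com", "www.example.com", "*.shop.example.net"},
	"www.example.com":  {"example.com", "www.example.com"},
	"shop.example.net": {"*.shop.example.net", "pay.example.org"},
	"pay.example.org":  {"pay.example.org", "example.com"},
}

// normalize lower-cases a name and strips a leading wildcard label (assumption).
func normalize(name string) string {
	return strings.TrimPrefix(strings.ToLower(strings.TrimSpace(name)), "*.")
}

// Crawl runs a BFS from roots and visits hosts at most maxDepth hops away.
// It returns the adjacency list and the hosts in order of discovery.
func Crawl(roots []string, maxDepth int, sans map[string][]string) (map[string][]string, []string) {
	graph, depth, order := map[string][]string{}, map[string]int{}, []string{}
	visit := func(h string, d int) {
		if _, ok := depth[h]; !ok && h != "" && d <= maxDepth {
			depth[h] = d
			order = append(order, h)
		}
	}
	for _, r := range roots {
		visit(normalize(r), 0)
	}
	for i := 0; i < len(order); i++ { // order doubles as the BFS queue
		host, dup := order[i], map[string]bool{}
		for _, n := range sans[host] {
			if n = normalize(n); n != "" && n != host && !dup[n] {
				dup[n] = true
				graph[host] = append(graph[host], n) // edge: host -> SAN
				visit(n, depth[host]+1)
			}
		}
	}
	return graph, order
}

func main() {
	fmt.Println(Crawl([]string{"example.com"}, 5, sampleSANs))
}
```

An edge is recorded even when its target lies beyond the depth limit, so the adjacency list can name hosts that were never visited themselves.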
Installation
sudo apt install certgraph
Flags
Examples
certgraph -h
certgraph example.com
certgraph -depth 3 example.com
certgraph -ct-subdomains example.com
certgraph -ct-expired -ct-subdomains example.com
certgraph -cdn example.com
certgraph -cdn -depth 10 target.com sub.target.com