This repository was archived by the owner on Jul 10, 2024. It is now read-only.

[FEATURE REQUEST] #24

Closed
random-robbie opened this issue Jul 13, 2017 · 15 comments

Comments

@random-robbie

Can you obtain more domain info via the following:
Google Transparency Report
Censys
VirusTotal
Netcraft
PassiveTotal

like aquatone does :) https://github.com/michenriksen/aquatone/tree/master/lib/aquatone/collectors

@random-robbie
Author

https://censys.io/certificates?q=mozilla.org is a goldmine!

@random-robbie
Author

Not really a dupe, as only PassiveTotal was the dupe I've seen.
The certs part of Censys.io has helped me find some really obscure subdomains.

@evilsocket
Owner

So now you know better than me all the suggestions I'm getting from users? :)

I already said that, unless you can prove that a given 3rd-party service gives more results than the current implementation, I'm not gonna integrate it.

If you need more subdomains, improve the wordlist.

@random-robbie
Author

I'm not saying I know better, just what I've seen from the results of xray and this.

https://censys.io/certificates?q=mozilla.org is proving useful, as it's providing sub-subdomains.
I found this:
https://reviewboard-hg.mozilla.org/buildbot-configs/rev/6a53c6df2e5a

https://censys.io/certificates?q=%28mozilla.org%29+AND+tags%3A+%22self-signed%22
finds some subdomains that don't come up, and that's for some Mozilla security stuff.

I'm just saying it's worth adding this, as it's finding sub-subdomains too, which are going to be extremely handy to have.


@evilsocket
Owner

> If you need more subdomains, improve the wordlist.

Isn't this just easier than the integration?

@random-robbie
Author

Not really, as this would grab more current data, whereas wordlists are static and you might miss something from a target.

Do a private build of xray with this integrated and see if it improves your findings; I am sure it will by a lot.

@evilsocket
Owner

Do you realize those services are using wordlists as well, so the only thing needed is to add the missing subdomains to the xray one?

@random-robbie
Author

Are they not parsing data from https://crt.sh/? Or, when they do a scan like Shodan does, reading the SSL cert?

If they are using wordlists, I really need to find where they got theirs, as the domains they are giving are impressive if they are in a wordlist.

@evilsocket
Owner

evilsocket commented Jul 13, 2017

Ooooh!!!! I see what you mean now, you mean the data extracted from the HTTPS certificates? Because in that case, I can do that without even integrating with those services as I already parse the certs :D

@random-robbie
Author

Maybe something like that, but stuff where you can scrape this sort of information is priceless:
https://crt.sh/?q=%25.yahoo.com

SSL certs are now the way forward for leaking some good domains :)

@evilsocket
Owner

It should be easily doable by updating this function, I'll work on it ;)

https://github.com/evilsocket/xray/blob/master/http_grabber.go#L101
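The two sources argued over in this thread, names pulled out of a certificate fetched from a host and names pulled out of a crt.sh query, come down to the same parsing step: read the subject CN and the Subject Alternative Name entries, normalise them, and keep the ones under the target domain. The program below is an added example written for this page; it is not code from xray or from either participant, and the `http_grabber.go` function linked above is not reproduced here. To run offline it generates a throwaway self-signed certificate instead of connecting anywhere, and the crt.sh input is a constructed JSON sample in the shape of crt.sh's `output=json` records (`common_name`, plus newline-separated identifiers in `name_value`), not a real response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// collect normalises each raw identifier (lowercase, no trailing dot, a leading
// "*." wildcard label stripped since it still reveals the parent name) and keeps
// the unique ones that equal target or lie under it. The suffix filter matters:
// a certificate on a shared CDN or SaaS host routinely lists other customers'
// names, which must not be reported as the target's subdomains.
func collect(raw []string, target string) []string {
	target = strings.ToLower(strings.TrimSuffix(target, "."))
	seen := map[string]bool{}
	for _, r := range raw {
		n := strings.TrimPrefix(strings.TrimSuffix(strings.ToLower(strings.TrimSpace(r)), "."), "*.")
		if n != "" && (n == target || strings.HasSuffix(n, "."+target)) {
			seen[n] = true
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// NamesFromCert returns the host names under target that a certificate claims:
// the subject CN plus the DNS entries of the SAN extension.
func NamesFromCert(cert *x509.Certificate, target string) []string {
	return collect(append([]string{cert.Subject.CommonName}, cert.DNSNames...), target)
}

// crtshEntry holds the two fields used here from one crt.sh JSON record
// (https://crt.sh/?q=%25.example.com&output=json).
type crtshEntry struct {
	CommonName string `json:"common_name"`
	NameValue  string `json:"name_value"`
}

// NamesFromCrtsh parses a crt.sh JSON body and returns the unique host names under target.
func NamesFromCrtsh(body []byte, target string) ([]string, error) {
	var entries []crtshEntry
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, err
	}
	var raw []string
	for _, e := range entries {
		raw = append(raw, e.CommonName)
		raw = append(raw, strings.Split(e.NameValue, "\n")...)
	}
	return collect(raw, target), nil
}

// selfSignedWithSANs builds a throwaway self-signed certificate with the given
// CN and SAN list so the parser can be exercised without any network access.
func selfSignedWithSANs(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedWithSANs("www.example.com",
		[]string{"*.corp.example.com", "jenkins.ci.example.com", "example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println("from certificate:", NamesFromCert(cert, "example.com"))

	// Constructed sample in crt.sh's JSON shape; not a real crt.sh response.
	sample := []byte(`[{"common_name":"mail.example.com","name_value":"mail.example.com\nwebmail.example.com"},
{"common_name":"*.example.com","name_value":"*.example.com\nexample.com\nexample.net"}]`)
	names, err := NamesFromCrtsh(sample, "example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("from crt.sh:", names)
}
```

Two caveats for anyone wiring this into a scanner: Certificate Transparency logs keep expired and never-deployed certificates, so every name from crt.sh is a candidate to resolve and probe, not a live host; and the self-signed certificates random-robbie points at on Censys never pass through CT at all, so they are only found by connecting to the host and reading the leaf certificate, which is the path xray's grabber already has.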

@random-robbie
Author

Even integrating this would be another goldmine:
https://crt.sh/?q=%25.yahoo.com

lol for a subdomain
darkroom.bfv.yahoo.com
embracespace.corp.gq1.yahoo.com
jenkins.screwdriver.corp.yahoo.com
tool.bds.aviate.corp.yahoo.com

It's finding all sorts inside their corp domain.

@evilsocket
Owner

DUDE I GOT IT, PLEASE STOP

@random-robbie
Author

will do 👍
