A very simple certificate transparency log scraper for a very specific use case. I wanted to prove that it's easy to find out all the other domains that belong to the same Cloudflare account.
The idea is that most Cloudflare accounts get two nameservers assigned from a large pool and those don't change often. Therefore the likelihood that two domains belong to the same account is high if they share the same pair of nameservers. This tool tries to find all domains that share the same nameservers as the one you specify.
- It scrapes through the entire certificate transparency log it was given and parses all leaf certificates with the help of the amazing certificate-transparency-go.
- For convenience it narrows the further search down to first-level domains (i.e. `cloudflare.com`, but not `whatever.cloudflare.com`) and to the specific domain ending specified in the config (i.e. `.hu`). Finally it filters out certificate authorities that are not used by Cloudflare. I used this as a reference.
- For all domains left to try, it uses Cloudflare's DoH DNS service to determine the two nameserver records belonging to the domain. If both of them match the nameservers set in the config, it's a match.
- Found domains are written to a file.
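The three steps above (parse the leaf certificate, keep only first-level names under the configured ending, compare the domain's two NS records against the configured pair) can be illustrated offline. The following Go program is an added example, not the project's own code: it builds a constructed self-signed leaf with a few SANs instead of reading a CT log, and feeds constructed NS answers with placeholder `.invalid` nameservers instead of querying DoH. `IsFirstLevel`, `CandidateDomains`, `NameserversMatch` and `ConstructedLeaf` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// normalize lowercases a DNS name and strips the trailing dot that
// presentation-format NS answers usually carry.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// IsFirstLevel reports whether name is a first-level domain directly under
// suffix (e.g. "example.hu" under ".hu"): exactly one label before the suffix,
// no deeper subdomain and no wildcard. Hypothetical helper.
func IsFirstLevel(name, suffix string) bool {
	name, suffix = normalize(name), normalize(suffix)
	if suffix == "" || !strings.HasSuffix(name, suffix) {
		return false
	}
	label := strings.TrimSuffix(name, suffix)
	return label != "" && !strings.ContainsAny(label, ".*")
}

// CandidateDomains takes the DNS SANs of a parsed leaf certificate and keeps
// only the first-level names under suffix, deduplicated and sorted.
func CandidateDomains(cert *x509.Certificate, suffix string) []string {
	seen := make(map[string]struct{})
	for _, n := range cert.DNSNames {
		if IsFirstLevel(n, suffix) {
			seen[normalize(n)] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// NameserversMatch reports whether the NS answer for a domain consists of
// exactly the two configured nameservers, in either order.
func NameserversMatch(answer []string, configured [2]string) bool {
	if len(answer) != 2 {
		return false
	}
	a, b := normalize(answer[0]), normalize(answer[1])
	x, y := normalize(configured[0]), normalize(configured[1])
	return (a == x && b == y) || (a == y && b == x)
}

// ConstructedLeaf builds a self-signed certificate carrying the given SANs so
// the filter can be exercised offline. Constructed test data: a real run takes
// leaf certificates out of the CT log instead.
func ConstructedLeaf(names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     names,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	leaf, err := ConstructedLeaf([]string{"example.hu", "www.example.hu", "*.example.hu", "Other.HU", "example.com"})
	if err != nil {
		panic(err)
	}
	candidates := CandidateDomains(leaf, ".hu") // keeps example.hu and other.hu only
	fmt.Println("candidates:", candidates)

	// Placeholder nameserver pair standing in for the pair set in config.json.
	configured := [2]string{"ns1.example-dns.invalid", "ns2.example-dns.invalid"}
	// Constructed NS answers standing in for the DoH responses.
	answers := map[string][]string{
		"example.hu": {"NS2.example-dns.invalid.", "ns1.example-dns.invalid."},
		"other.hu":   {"ns1.example-dns.invalid.", "ns9.example-dns.invalid."},
	}
	for _, d := range candidates {
		fmt.Printf("%s match=%v\n", d, NameserversMatch(answers[d], configured))
	}
}
```

The match is deliberately order-insensitive and requires exactly two records: a domain that shares only one of the two nameservers, or that has extra ones, is not counted, which is the stricter interpretation of "a match to both nameservers" in the description above.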
Docker/Podman is recommended.
- Alter `config.json` to your liking.
- Build the image: `docker build -t transparnsee:latest .`
- Run the image: `docker run -v $(pwd)/output:/app/output transparnsee:latest`
For more details on this, see my article in Hungarian here.