User Guide

Synapse-Crtsh User Guide

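Synapse-Crtsh adds new Storm commands that let you query the crt.sh API. crt.sh is a public search service over Certificate Transparency logs, so each query sends the domain name or certificate hash to that external service, and results can include certificates that have already expired (compare :validity:notafter with .created in the examples below).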

Getting Started

Ask your Synapse administrator to grant you the permissions needed to run the Synapse-Crtsh commands.

Examples

Discover subdomains for a domain

> inet:fqdn=vertex.link | crtsh.subdomains --size 3 --yield
inet:fqdn=www.vertex.link
        .created = 2024/04/17 17:03:24.296
        :domain = vertex.link
        :host = www
        :issuffix = false
        :iszone = false
        :zone = vertex.link
inet:fqdn=dev.vertex.link
        .created = 2024/04/17 17:03:24.331
        :domain = vertex.link
        :host = dev
        :issuffix = false
        :iszone = false
        :zone = vertex.link
inet:fqdn=drone.vertex.link
        .created = 2024/04/17 17:03:24.365
        :domain = vertex.link
        :host = drone
        :issuffix = false
        :iszone = false
        :zone = vertex.link

Ingest certificates for a domain and all subdomains

> inet:fqdn=docs.vertex.link | crtsh.certs --size 3 --yield
fileparser parsing sha256: 2c4f8ac49b113cac099599642af0d6e02b315d66d03bb92aa03f0a1bee328097
crypto:x509:cert=d7e66faf819d0f3c56f6073b89d133ed
        .created = 2024/04/17 17:03:28.523
        :algo = 1.2.840.113549.1.1.11
        :crl:urls = ['http://crl.sca1b.amazontrust.com/sca1b.crl']
        :file = sha256:2c4f8ac49b113cac099599642af0d6e02b315d66d03bb92aa03f0a1bee328097
        :identities:fqdns = ['enterprise.docs.vertex.link']
        :issuer = CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
        :md5 = a04f417a701834d2c87a32ef42fdff9b
        :rsa:key = ('<modulus omitted>', '65537')
        :selfsigned = false
        :serial = 00000000050e85a64a7bf4e8d5b8dbc3620c3d6c
        :sha1 = 3772c87fc77971e7ff95b28f7869bc50090730aa
        :sha256 = 2c4f8ac49b113cac099599642af0d6e02b315d66d03bb92aa03f0a1bee328097
        :signature = <signature omitted>
        :subject = CN=enterprise.docs.vertex.link
        :validity:notafter = 2021/07/03 12:00:00.000
        :validity:notbefore = 2020/06/03 00:00:00.000
        :version = v3
fileparser parsing sha256: 43a4fce0e88ad651e35078180916f0343e24fbc0b0752e8223084cb0d518b351
crypto:x509:cert=bfa7c213e36dd5a6203c2a7c0dc2d7c0
        .created = 2024/04/17 17:03:32.354
        :algo = 1.2.840.113549.1.1.11
        :crl:urls = ['http://crl.sca1b.amazontrust.com/sca1b.crl']
        :file = sha256:43a4fce0e88ad651e35078180916f0343e24fbc0b0752e8223084cb0d518b351
        :identities:fqdns = ['optic.docs.vertex.link']
        :issuer = CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
        :md5 = 947a10856721c3c6652a3b78b4767e69
        :rsa:key = ('<modulus omitted>', '65537')
        :selfsigned = false
        :serial = 000000000797adf13d80735795926cd6daa17f52
        :sha1 = e0808fe89a0d98f0b35efe0749a068008bbde8dd
        :sha256 = 43a4fce0e88ad651e35078180916f0343e24fbc0b0752e8223084cb0d518b351
        :signature = <signature omitted>
        :subject = CN=optic.docs.vertex.link
        :validity:notafter = 2021/07/03 12:00:00.000
        :validity:notbefore = 2020/06/03 00:00:00.000
        :version = v3
fileparser parsing sha256: d23d9647cbf6f67275c4343f3ad9afdbd975c1a0dc2ec0531b92e0a5c44a69fd
crypto:x509:cert=f806f466663f4c758e6f4c9f9530d6f3
        .created = 2024/04/17 17:03:36.195
        :algo = 1.2.840.113549.1.1.11
        :crl:urls = ['http://crl.sca1b.amazontrust.com/sca1b.crl']
        :file = sha256:d23d9647cbf6f67275c4343f3ad9afdbd975c1a0dc2ec0531b92e0a5c44a69fd
        :identities:fqdns = ['synapse.docs.vertex.link']
        :issuer = CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
        :md5 = ff0f23ed6763ce8170b26df54eae3864
        :rsa:key = ('<modulus omitted>', '65537')
        :selfsigned = false
        :serial = 000000000f618a104260722cd5a5e25109947ccf
        :sha1 = f205406a2a0e4c38744240d7c9965b3b8701eafe
        :sha256 = d23d9647cbf6f67275c4343f3ad9afdbd975c1a0dc2ec0531b92e0a5c44a69fd
        :signature = ad341b10dcdee30f1dbfa90dd9d40bf9a10793398e928137f666373bf2abc71de439377c07ca93212f4598f705d025433412f3e513349e1a74b9eece3d0385427a3a0f1ece8cbb6972c0cf345c49cab8e3e78912ad90077be04c39d03ce84a4a87a750eb9b655170af9d5b7a81cb473201ca95b7fa5dcc8089c7e2622130ff90a929c3cb3a0d5c2f7e802ab9c32f012662055f4fbf581683e6fe4aa86d579935813418be13ca31a84e41fc971552c27a74b6e15e1d84627b7a226a98b7a6df199f5e61b268b6aad48b0bf14776f17988edb2ec35be78a2c3b23cfbfb7f64239d7d7f67fee23c357d3d0128f703cd2178deb079a370c89425fba72575f1b53304
        :subject = CN=synapse.docs.vertex.link
        :validity:notafter = 2021/07/10 12:00:00.000
        :validity:notbefore = 2020/06/10 00:00:00.000
        :version = v3

Ingest certificates by hash (here, the hash:sha1 nodes tagged #myhash)

> hash:sha1#myhash | crtsh.certs --yield
fileparser parsing sha256: 00a00c6f0518e50441d4006a4ddb91a9d295dfd0264e4e8832e3723840e6b95f
crypto:x509:cert=0782a7a2d2765ad50ea6b26e83759617
        .created = 2024/04/17 17:03:40.503
        :algo = 1.2.840.113549.1.1.11
        :file = sha256:00a00c6f0518e50441d4006a4ddb91a9d295dfd0264e4e8832e3723840e6b95f
        :identities:fqdns = ['www.vertex.link']
        :issuer = CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
        :md5 = d15347c67ece871312374b1fa8228cd5
        :rsa:key = ('c967fb985d869d608c79d9a61e367853a43f0bd84e5cc2111e15f3c2306e332cef0a45f8b2e1530cd1855086c2e72997079206e736bd12ec80066ef7d0d51fb63b5261af6aa1ef33655f5fe5c6b30afdf424e44dad81061bdb4efdae7f101d328e91489c69358a20c7678315982af29e017844c48c5b9c03ef85ec5e1220f9de6ef404c8e7eb5995cf6cf271b372467c4074e7f322750e7f55026df2f3486da2b15fcc4b80ee96b567a45ae0b105066ec81a3fa8f0c13b63328fdb5e8d6f68391446c2d7a7ae5077ed9ee8dd72959b5ec662c0c8afe96cc6dd81c7e4067ebdf128e4d96b429fe96b9a0e6740acca747e89140181642b78add7a559724678dfef', '65537')
        :selfsigned = false
        :serial = 000003d420c55ab5ce25c7f2919b839189413cc5
        :sha1 = ed36d838bbda855b2b2acaf8059730f28a6e860c
        :sha256 = 00a00c6f0518e50441d4006a4ddb91a9d295dfd0264e4e8832e3723840e6b95f
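        :signature = 00fde648b3179709c56d6cc28fa4a4cbd38da7a9a3c3f2d2d03ef953eaf513e40fac1a404059d40cbb68f58ea37b9a12104272929d5c95c8e9494ea31b86264af489b1adfbe62fb191b7c1e273cd818be6251ba56a0860019efc1f746eca2e4844e1578fe79a8621e5769b4adaa8be3aedba577dbcae9fca85e1d6f9fe1264c161bd9f9cc34b717631d18c122d4d787d75d873c50752dca099aee5bd00471a50b08249014152c7a9f85889d719a1e12e70602b98aab2e51ad41018f6f971afc3bc39656761a0b2af4cc70d0b00924093552c1c37676374d9496fdb8a8e69e8aa185c8fcea0ec6ac6d66df9a62bf71532035439e8fd31cbd5d3ddd37d7dd23657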
        :subject = CN=www.vertex.link
        :validity:notafter = 2017/01/21 02:27:00.000
        :validity:notbefore = 2016/10/23 02:27:00.000
        :version = v3

Use of meta:source nodes

Synapse-Crtsh uses a meta:source node and -(seen)> lightweight edges to record which nodes were observed from the crt.sh API, so the provenance of each result stays traceable.

> meta:source=7bb2a103c4c9ea8cdcdfbd77c03e03d0
meta:source=7bb2a103c4c9ea8cdcdfbd77c03e03d0
        .created = 2024/04/17 17:03:24.021
        :name = crt.sh api

Storm can filter a result set to include or exclude nodes that were observed by Synapse-Crtsh. The following example keeps only the results that have a (seen) edge from the Synapse-Crtsh meta:source node:

> hash:sha1#myhash -> crypto:x509:cert +{ <(seen)- meta:source=7bb2a103c4c9ea8cdcdfbd77c03e03d0 }
crypto:x509:cert=0782a7a2d2765ad50ea6b26e83759617
        .created = 2024/04/17 17:03:40.503
        :algo = 1.2.840.113549.1.1.11
        :file = sha256:00a00c6f0518e50441d4006a4ddb91a9d295dfd0264e4e8832e3723840e6b95f
        :identities:fqdns = ['www.vertex.link']
        :issuer = CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
        :md5 = d15347c67ece871312374b1fa8228cd5
        :rsa:key = ('c967fb985d869d608c79d9a61e367853a43f0bd84e5cc2111e15f3c2306e332cef0a45f8b2e1530cd1855086c2e72997079206e736bd12ec80066ef7d0d51fb63b5261af6aa1ef33655f5fe5c6b30afdf424e44dad81061bdb4efdae7f101d328e91489c69358a20c7678315982af29e017844c48c5b9c03ef85ec5e1220f9de6ef404c8e7eb5995cf6cf271b372467c4074e7f322750e7f55026df2f3486da2b15fcc4b80ee96b567a45ae0b105066ec81a3fa8f0c13b63328fdb5e8d6f68391446c2d7a7ae5077ed9ee8dd72959b5ec662c0c8afe96cc6dd81c7e4067ebdf128e4d96b429fe96b9a0e6740acca747e89140181642b78add7a559724678dfef', '65537')
        :selfsigned = false
        :serial = 000003d420c55ab5ce25c7f2919b839189413cc5
        :sha1 = ed36d838bbda855b2b2acaf8059730f28a6e860c
        :sha256 = 00a00c6f0518e50441d4006a4ddb91a9d295dfd0264e4e8832e3723840e6b95f
        :signature = 00fde648b3179709c56d6cc28fa4a4cbd38da7a9a3c3f2d2d03ef953eaf513e40fac1a404059d40cbb68f58ea37b9a12104272929d5c95c8e9494ea31b86264af489b1adfbe62fb191b7c1e273cd818be6251ba56a0860019efc1f746eca2e4844e1578fe79a8621e5769b4adaa8be3aedba577dbcae9fca85e1d6f9fe1264c161bd9f9cc34b717631d18c122d4d787d75d873c50752dca099aee5bd00471a50b08249014152c7a9f85889d719a1e12e70602b98aab2e51ad41018f6f971afc3bc39656761a0b2af4cc70d0b00924093552c1c37676374d9496fdb8a8e69e8aa185c8fcea0ec6ac6d66df9a62bf71532035439e8fd31cbd5d3ddd37d7dd23657
        :subject = CN=www.vertex.link
        :validity:notafter = 2017/01/21 02:27:00.000
        :validity:notbefore = 2016/10/23 02:27:00.000
        :version = v3