Blackcert monitors Certificate Transparency Logs for a keyword. Blackcert collects any certificate changes for this keyword and also checks if any domain changes with that keyword look like a phishing domain.
APACHE-2.0 License
Developed to proactively monitor for actors registering certificates on a domain for phishing purposes, although I have also found it useful for monitoring keywords such as:
splunk
medium, fastly
coronavirus, covid, chloroquine
git clone https://github.com/d1vious/blackcert.git && cd blackcert
pip install virtualenv && virtualenv -p python3 venv && source venv/bin/activate && pip install -r requirements.txt
python blackcert.py
All results are printed to the terminal and also written to results.log by default.
usage: blackcert.py [-h] [-c CONFIG] [-o OUTPUT] [-v]
starts listening for newly registered certificates and sends slack alerts when
it matches
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
path to the configuration file of blackcert
-o OUTPUT, --output OUTPUT
path to a JSON log file of the matches
-v, --version shows current blackcert version
I recommend creating a bot channel, e.g. blackcert-bot, and then creating a webhook for it. Below is an example message for it. Protip: inviting the SOC into a bot channel like this will help them understand how certificates are being used in the org. 😉
The score calculation is graciously borrowed from Phishing Catcher which was an inspiration for this project. It calculates the score using the following workflow:
*.com-account-management.info
"-" character in the domain, for example, www.paypal-datacenter.com-acccount-alert.com
www.paypal.com.security.accountupdate.gq
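As an added illustration (not Blackcert's or Phishing Catcher's own code), the Python below scores a certificate name on the three heuristics listed above plus a monitored-keyword match, then filters a batch of CT-log entries the way the keyword monitor does. The weights, the alert threshold, the function names and the SAMPLE_ENTRIES list are assumptions constructed for this example.

```python
import re

# Constructed weights for the heuristics the README lists; not Blackcert's real numbers.
FAKE_TLD_WEIGHT = 20   # "com-" used to fake a .com, e.g. *.com-account-management.info
HYPHEN_WEIGHT = 3      # per "-" in the name
DOT_WEIGHT = 3         # per dot beyond the one a plain registrable name has
KEYWORD_WEIGHT = 15    # a monitored keyword appears in the name

# A real TLD followed by "-" instead of "." (at the start of the name or after a dot).
FAKE_TLD_RE = re.compile(r"(?:^|\.)(?:com|net|org)-")

def score_domain(domain, keywords=()):
    """Score one certificate subject name; returns {"score": int, "reasons": {...}}."""
    name = domain.lower().strip(".")
    if name.startswith("*."):        # wildcard cert: score the name it covers
        name = name[2:]
    reasons = {}
    if FAKE_TLD_RE.search(name):
        reasons["fake_tld"] = FAKE_TLD_WEIGHT
    hyphens = name.count("-")
    if hyphens:
        reasons["hyphens"] = hyphens * HYPHEN_WEIGHT
    extra_dots = max(name.count(".") - 1, 0)
    if extra_dots:
        reasons["subdomain_depth"] = extra_dots * DOT_WEIGHT
    hit = next((k for k in keywords if k.lower() in name), None)
    if hit:
        reasons["keyword:" + hit] = KEYWORD_WEIGHT
    return {"score": sum(reasons.values()), "reasons": reasons}

def match_entries(entries, keyword, alert_threshold=25):
    """Keep entries whose domain contains the keyword (the monitor's core filter) and score them."""
    hits = []
    for entry in entries:
        if keyword.lower() not in entry["domain"].lower():
            continue
        result = score_domain(entry["domain"], (keyword,))
        hits.append({**entry, "score": result["score"],
                     "alert": result["score"] >= alert_threshold})
    return hits

# Constructed entries shaped like the results.json objects; the fingerprints are fake.
SAMPLE_ENTRIES = [
    {"fingerprint": "f" * 40, "domain": "woodsnap.com"},
    {"fingerprint": "e" * 40, "domain": "login.paypal.example"},
    {"fingerprint": "d" * 40, "domain": "www.paypal-datacenter.com-acccount-alert.com"},
    {"fingerprint": "c" * 40, "domain": "www.paypal.com.security.accountupdate.gq"},
]
```

Calling `match_entries(SAMPLE_ENTRIES, "paypal")` drops the non-matching entry and flags the two look-alike names while leaving the plain subdomain below the threshold.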
Below is an example of how objects are saved in results.json. Protip: indexing these in a system like Splunk or ES will let you build a histogram of certificate changes for your organization or a competitor, or mine the data for enumeration purposes.
{
"timestamp": "2020-03-26T03:26:58.097680",
"fingerprint": "51635745d6b7da0914196e6015023bac67351e86",
"domain": "woodsnap.com",
"subject": "/C=US/CN=sni.cloudflaressl.com/L=San Francisco/O=Cloudflare, Inc./ST=CA",
"CA": [
"CloudFlare Inc ECC CA-2",
"Baltimore CyberTrust Root"
],
"score": 29
}