Sublert: Security & Reconnaissance Tool Which Leverages Certificate Transparency

Sublert is a security and reconnaissance tool which leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and the TLS/SSL certificates issued for them.

The tool is meant to be scheduled to run periodically at fixed times, dates, or intervals (ideally each day). Newly identified subdomains are sent to a Slack workspace with a push notification. Furthermore, the tool performs DNS resolution to determine which subdomains are working.
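The monitoring step described above, as an added example (not Sublert's own code): it pulls hostnames out of certificate transparency records for a domain you are responsible for and diffs them against the baseline stored by the previous run. The sample records are constructed, and the `name_value` field layout (newline-separated SAN entries, as in crt.sh JSON output) is an assumption; DNS resolution and Slack delivery are left out so the block runs offline.

```python
import json

# Constructed sample of CT search results. The "name_value" layout
# (newline-separated SAN entries) is an assumption modelled on crt.sh JSON.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "www.example.com\nexample.com"},
    {"id": 2, "name_value": "*.dev.example.com\napi.example.com"},
    {"id": 3, "name_value": "VPN.Example.com"},
    {"id": 4, "name_value": "mail.example.org"},    # different domain
    {"id": 5, "name_value": "notexample.com"},      # suffix look-alike
    {"id": 6, "name_value": "admin@example.com"},   # e-mail SAN, not a host
])


def extract_subdomains(ct_json, domain):
    """Return the set of hostnames under `domain` named in the CT records."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):   # wildcard entry: keep the parent name
                name = name[2:]
            if not name or "@" in name:
                continue
            # Match on a label boundary so notexample.com is rejected.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def new_subdomains(ct_json, domain, known):
    """Return (sorted names not in the baseline, current set to store)."""
    current = extract_subdomains(ct_json, domain)
    return sorted(current - set(known)), current


if __name__ == "__main__":
    baseline = {"example.com", "www.example.com"}   # state from the last run
    fresh, baseline = new_subdomains(SAMPLE_CT_JSON, "example.com", baseline)
    for host in fresh:                              # a real run would notify here
        print("new certificate name:", host)
```
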

Requirements

  • Virtual Private Server (VPS) running on Unix. (I personally use DigitalOcean)
  • Python 2.x or 3.x.
  • Free Slack workspace.


How to set up?

First of all, you will have to clone the tool from GitHub to your web server:

$ git clone https://github.com/yassineaboukir/sublert.git && cd sublert

Now, we can install the required modules as follows:

For Python 2:

$ sudo pip install -r requirements.txt

Alternatively, for Python 3:

$ sudo pip3 install -r requirements.txt

The next step is to create a Slack workspace to which new subdomains will be sent. Just browse to https://slack.com/ and create a free account.

Then, create two channels: one for the subdomains and the other for error logging.

Next, we need to generate a Webhook URL for each channel so we can leverage the Slack API.

Browse to https://api.slack.com/apps and create a new application.

Browse to Incoming Webhooks, create two Webhooks, and link each one to the corresponding Slack channel created previously.

You will obtain a link in the following format:

https://hooks.slack.com/services/XXXXXXX/BF0XXXXME/XXXXXXXXXXXXX

Copy both webhook links and add them to config.py.

You’re almost ready! The interesting part now is adding domains to monitor for new subdomains. For now, it’s preferable to add each domain separately. Let’s add PayPal for instance:

$ python sublert.py -u paypal.com

You can proceed the same way with all the other domain names you would like to monitor. Once you’re finished adding the targets, the next step would be to configure Cron in order to schedule execution of Sublert periodically at fixed times.

Let’s make sublert.py executable:

$ chmod u+x sublert.py

Now, we need to add a new Cron job to schedule its execution at a given time. To do it, type:

$ crontab -e

Add the following line at the end of the Cron file:

0 */12 * * * cd /root/sublert/ && /usr/bin/python sublert.py -r -l >> /root/sublert/sublert.log 2>&1

You will need to change /root/sublert/ to the exact directory where you have the tool.

If you’re using Python 3, make sure to change /usr/bin/python to /usr/bin/python3.

  • 0 */12 * * * → instructs Cron to run the tool every 12th hour. If you wish to change it to any fixed time you want, feel free to use https://crontab.guru/ to customize your timing.
  • -r → instructs Sublert to perform DNS resolution. It’s optional but recommended.
  • -l → instructs Sublert to log errors and push them to the Slack channel. It’s optional but recommended.
  • >> /root/sublert/sublert.log 2>&1 → instructs Cron to append Sublert output to /root/sublert/sublert.log, which you can inspect at any given time if you have any doubts the tool is running smoothly.

Usage

| Short Form | Long Form | Description |
|------------|-----------|-------------|
| -u | --url | Adds a domain to monitor. E.g: yahoo.com. |
| -d | --delete | Domain to remove from the monitored list. E.g: yahoo.com. |
| -a | --list | Listing all monitored domains. |
| -t | --threads | Number of concurrent threads to use (Default: 20). |
| -r | --resolve | Perform DNS resolution. |
| -l | --logging | Enable Slack-based error logging. |
| -m | --reset | Reset everything. |
R K
