This is a Python script that scrapes the Cert Spotter API for newly issued certificates for domains you are monitoring and dumps them to a Slack channel.
There are a number of use cases for why you might want to do this:
- Blue/Security teams should be pro-actively monitoring their domains for (i) misissuance of certificates and (ii) new infrastructure and services being spun up which may be inappropriately exposed to the public internet
- Red-teamers and Bug Bounty hunters alike can also use this to be alerted when certificates have been issued which could indicate new targets to perform recon and assessments on
The script has been written, and is intended to run in AWS Lambda.
Note: Please feel free to contribute and make pull requests as I know there will be more efficient ways to do this
The script does the following:
- Checks whether this is the first time the domain is being monitored (i.e., does a stored certificate ID for the domain already exist?)
- If this domain has not been monitored before then the script will call out to the Cert Spotter API, grab the latest issued certificate ID and store it in a marker file. We start monitoring from this point on.
- If this domain has already been monitored then the script pulls the certificate ID out of the marker file and checks to see if any certificates have been issued since that certificate ID
- Dump any new certificates to Slack
I have compared this script with Facebook's CT monitoring service, Cert Spotter (e-mail service) and several others - this tool always alerts me the fastest.
Here's a diagram which shows both scenarios (top: new domain and bottom: subsequent runs)
You'll need the following:
- Storage - local disk or S3 bucket - doesn't matter what you call it but it will be referenced in the script
- Cert Spotter API Credentials - there is a free tier which allows 100 full-domain queries/hour
- Slack Incoming Webhook - really easy to create an app and link it to a #channel of your choice
- Domains you want to monitor!
- Update the script with the above information
- Update the .yml if you intend to use it
| Variable | Description |
|---|---|
SLACK_WEBHOOK |
Slack URL for notifications |
MONITOR_DOMAINS |
Comma delimited list of domains to query from API |
CERTSPOTTER_API_TOKEN |
CertSpotter API token |
FILESYSTEM_PATH |
volume mount target for persistence / state |
SLEEP_DELAY |
how long to wait between each call, adjust for ratelimiting |
LOG_FORMAT |
json or syslog for logging flavor |
DEBUG |
true/false adjust logger level for troubleshooting |
A public Slack Workspace exists for a previous project of mine - I'm still on there so anyone can join to discuss new features, changes, feature requests or simply ask for help. Here's the invite link: