loading
loading
Recon
Scrape domain names from the SSL certificates of arbitrary hosts.
overview
cero connects to hosts over TLS and reads the domain names out of the certificates they present. A certificate's common name and subject alternative names often list other domains and subdomains the same organization owns, so a single TLS handshake can hand you a cluster of related names that passive sources missed.
It works straight off IP addresses or host:port pairs, so you can sweep a netblock or a port-scan result and harvest certificate names at scale. Concurrency (-c), a TLS timeout (-t), and filtered output (-d) that strips IPs, wildcards, and gibberish keep a wide sweep fast and the results usable.
Run it over an address range to pull certificate-sourced domains, then merge them with subdomain enumeration and feed the lot to a prober. On Trickest the Recon node takes a file of targets and writes a file and a folder of results.
source github.com/glebarez/cero
use cases
Read the common name and SANs off live TLS certificates to surface related domains and subdomains that passive subdomain sources do not list.
Sweep an IP range and pull certificate domains from every TLS-listening host, turning raw address space into a list of owned names.
Point cero at custom ports with -p so certificates served on services beyond 443 still contribute their domain names to the scope.
Enable -d filtered output to drop IPs, wildcards, and gibberish so the domains that flow into enumeration and probing are valid names.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets | FILE | · | File of target hosts or IPs to read certificates from. |
| ports | STRING | -p | TLS ports to use when not specified in the host address (default 443). |
| concurrency | STRING | -c | Concurrency level (default 100). |
| tls-timeout | STRING | -t | TLS connection timeout in seconds (default 4). |
| filter-output | BOOLEAN | -d | Output only valid domain names (strip IPs, wildcards, and gibberish). |
| verbose | BOOLEAN | -v | Verbose output with per-address results and errors. |
Showing key inputs. cero exposes 6 inputs in total.
example
# scrape cert domains from hosts, keep only valid namescero -p 443,8443 -c 50 -t 4 -d < hosts.txtwww.example.comapi.example.commail.example.comstaging.example.comdev.example.comportal.example.comcdn.example.comvpn.example.comguidance
Use cero to expand scope from TLS certificates when you have hosts or an IP range to sweep. It reads certificate names actively over TLS, so unlike passive sources it needs a connection. Merge its names with subfinder output and pass the combined list to httpx.
Broad TLS data collection including certificate fields. cero focuses tightly on scraping the domain names.
Passive subdomain discovery from many sources. cero adds names pulled directly from live certificates.
Pulls names from crt.sh's certificate log. cero reads certificates straight off the live hosts instead.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target list feeds cero, which scrapes domain names from each host's TLS certificate and hands them to httpx so the live ones land as a queryable output.
Facts on this page come from the live Trickest tool library.