Certificate Transparency Logs

Introduction

The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol encrypts the communication between your browser and a website. At the heart of SSL/TLS lies the digital certificate, a small file that verifies a website's identity and allows for secure, encrypted communication.

Certificate Transparency (CT) logs are publicly auditable, append-only logs designed to monitor and detect the issuance of SSL/TLS certificates by Certificate Authorities (CAs). These logs ensure that all certificates issued are visible and accessible for scrutiny by anyone, helping to prevent misuse and improper issuance of certificates, such as rogue or fraudulent certificates.

Web Recon for CT Logs

Certificate Transparency logs offer a unique advantage in subdomain enumeration compared to other methods. Unlike brute-forcing or wordlist-based approaches, which rely on guessing or predicting subdomain names, CT logs provide a definitive record of certificates issued for a domain and its subdomains.

Furthermore, CT logs can unveil subdomains associated with old or expired certificates. These subdomains might host outdated software or configurations, making them potentially vulnerable to exploitation.

Searching CT Logs

There are two popular options for searching CT logs:

Tool: crt.sh
  Key Features: User-friendly web interface, simple search by domain, displays certificate details and SAN entries.
  Use Cases: Quick and easy searches, identifying subdomains, checking certificate issuance history.
  Pros: Free, easy to use, no registration required.
  Cons: Limited filtering and analysis options.

Tool: [name not preserved on this page]
  Key Features: Powerful search engine for internet-connected devices, advanced filtering by domain, IP, and certificate attributes.
  Use Cases: In-depth analysis of certificates, identifying misconfigurations, finding related certificates and hosts.
  Pros: Extensive data and filtering options, API access.
  Cons: Requires registration (free tier available).

crt.sh Lookup

We can also query crt.sh from the command line through its JSON API. Let's see how to find all 'dev' subdomains of facebook.com using curl and jq:

$ curl -s "https://crt.sh/?q=facebook.com&output=json" | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u

*.dev.facebook.com
*.newdev.facebook.com
*.secure.dev.facebook.com
dev.facebook.com
devvm1958.ftw3.facebook.com
facebook-amex-dev.facebook.com
facebook-amex-sign-enc-dev.facebook.com
newdev.facebook.com
secure.dev.facebook.com

  • curl -s "https://crt.sh/?q=facebook.com&output=json": fetches the JSON output from crt.sh for certificates matching the domain facebook.com.

  • jq -r '.[] | select(.name_value | contains("dev")) | .name_value': filters the JSON results, selecting only entries whose name_value field (which contains the domain or subdomain) includes the string "dev". The -r flag tells jq to output raw strings rather than JSON-quoted ones.

  • sort -u: sorts the results alphabetically and removes duplicates.
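The same lookup done offline in Python, as an added example that is not part of the original page: it processes a constructed crt.sh-style JSON response (real crt.sh field names, made-up values, example.com as a placeholder domain) and, beyond the keyword filter, handles name_value entries that carry several newline-separated SANs, folds wildcards onto their base name, lists hosts whose certificates have all expired (the case the CT recon section flags), and lists hosts missing from a defender's own inventory.

```python
import json
from datetime import datetime

# Constructed sample shaped like a crt.sh JSON response (output=json).
# Field names are the ones crt.sh returns; every value here is made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com\n*.dev.example.com",
     "not_after": "2023-04-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA 1",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2025-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "newdev.example.com",
     "not_after": "2024-08-30T00:00:00"},
])

def parse_crtsh(raw):
    """Map each hostname to the latest not_after seen for it. name_value
    carries all SANs of a certificate, newline-separated, so one entry can
    yield several hosts; '*.' is stripped so wildcard and base name merge."""
    latest = {}
    for entry in json.loads(raw):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].split("\n"):
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host and (host not in latest or expiry > latest[host]):
                latest[host] = expiry
    return latest

def subdomains_matching(raw, keyword):
    """Same idea as the jq contains() filter, applied per hostname."""
    return sorted(h for h in parse_crtsh(raw) if keyword in h)

def hosts_with_only_expired_certs(raw, as_of):
    """Hosts whose newest logged certificate expired before as_of (ISO 8601):
    candidates for stale infrastructure that was never decommissioned."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted(h for h, exp in parse_crtsh(raw).items() if exp < cutoff)

def unexpected_hosts(raw, known):
    """Logged hostnames missing from the defender's own inventory."""
    return sorted(set(parse_crtsh(raw)) - set(known))

if __name__ == "__main__":
    print(subdomains_matching(SAMPLE_CRTSH_JSON, "dev"))
    print(hosts_with_only_expired_certs(SAMPLE_CRTSH_JSON, "2024-09-01T00:00:00"))
    print(unexpected_hosts(SAMPLE_CRTSH_JSON, {"www.example.com", "example.com"}))
```

Pointing `raw` at the body of a live `curl -s "https://crt.sh/?q=<domain>&output=json"` call turns this into a periodic check that flags newly logged names you did not issue.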
