🌐
Subdomain Enumeration Guide
  • Home 🏠
  • Introduction
    • What's the need ?🤔
    • Prerequisites
  • Types
    • Horizontal Enumeration
    • Vertical Enumeration
  • Passive Techniques
    • Passive Sources
    • Certificate Logs
    • Recursive Enumeration
  • Active Techniques
    • DNS Bruteforcing
    • Permutation/Alterations
    • Scraping(JS/Source code)
    • Google analytics
    • TLS, CSP, CNAME Probing
    • VHOST probing
  • Web probing
  • Automation 🤖
Powered by GitBook
On this page
  • What are SSL/TLS certificates?
  • 1) Certificate Transparency(CT) Logs
  • 🔧Tool:
  • CTFR
  • 2) tls.bufferover.run

Was this helpful?

  1. Passive Techniques

Certificate Logs

PreviousPassive SourcesNextRecursive Enumeration

Last updated 2 years ago

Was this helpful?

What are SSL/TLS certificates?

SSL/TLS certificates are obtained to help a website move from "HTTP" to "HTTPS" which is more secure. This certificate is trusted by both the domain presenting the certificates and the clients that use the certificate to encrypt their communications with the domain’s services. To obtain such a certificate we need to request it from the CA(Certificate Authority).

1) Certificate Transparency(CT) Logs

What was the need to implement Certificate Transparency Logs?

Before 2013 these CA(Certificate Authority) authorities faced various breaches. Due to such breaches, anyone could maliciously create a forged certificate of the domain owner and gain the trust of the end-user. Also, CA didn't perform proper verifications if the requester is an authorized person of the domain. Hence, there was a need to create a central repository to maintain transparency amongst all.

What is Certificate Transparency Log?

Google came up with a unique solution to this problem, by introducing . This means that all the certificates issued by the CA would be appended to a common public list. Having a transparent logs of all issued certificates is a great solution for solving the problem of fraudulent certificate issuing, as legitimate domain owners have the ability to spot certificates issued without their consent.

How we can abuse CT logs?

Since every time an organization gets an SSL certificate it gets logged in these CT logs, they can be abused easily. As anyone can query them, thus can be utilized to enumerate the subdomains of a root domain that have an accompanying TLS certificate.

We can find all SSL certificates belonging to a domain by issuing a GET request to

As you can see we got a list of subdomains.

🔧Tool:

CTFR

  • Language: Python

Installation:

git clone https://github.com/UnaPibaGeek/ctfr.git
cd ctfr/
pip3 install -r requirements.txt

Running CTFR:

python3 ctfr.py -d target.com -o output.txt

Flags:

  • d - Target domain

  • o - Output file

2) tls.bufferover.run

Creating API key:

  • Inorder get the results we need to create an API key for this services.

  • You will instantly get the API key in your email Inbox.

Querying for results:

  • Replace the target and API key with yours.

curl 'https://tls.bufferover.run/dns?q=.dell.com' -H 'x-api-key: TYvnAWCtsmJKTjcYs9bE91aNs8GZZMo5lCX3i06a'| jq -r .Results[] | cut -d ',' -f5 | grep -F ".dell.com" | sort -u output.txt

Author:

is a python based tool that helps to grabs all the subdomains for our target domains using Certificate Transparency(CT) logs. CTFR queries website and retrieves subdomains of our mentioned domain.

is a service that scans the whole IPv4 address space and grabs all the necessary data from the TLS certificates of those hosts. These TLS certificate include a field called as "Subject" that hold necessary information from our perspective. The Subject field contains a component called as "CommonName(CN)" which indicates the Fully Qualified Domain Name(FQDN) of that host. So, we can leverage this to look for subdomains of our target. But inorder to query this service we must

Visit and enter your email-id for the "Free-Tier" plan.

UnaPibaGeek
CTFR
crt.sh
tls.bufferover.run
https://tls.bufferover.run/
Certificate Transparency logs
https://crt.sh/?q=%25.dell.com
Screenshot from crt.sh