Passive recon using "Certificate Transparency": A deep dive ๐งต
We all use tools like Amass, ReconFTW & subfinder for finding new subdomains. Let's demystify these tools by looking at how they work ๐ช
Today: Recon through Certificate Transparency
What is it? How does it work? ๐
We all use tools like Amass, ReconFTW & subfinder for finding new subdomains. Let's demystify these tools by looking at how they work ๐ช
Today: Recon through Certificate Transparency
What is it? How does it work? ๐
1๏ธโฃ SSL Certificates
These allow users to verify a website's identity. They allow HTTPS to work and thus are at the base of how the modern web works!
These certs are issued by a CA. But what if a CA issues a cert mistakenly or even maliciously? How do users not get duped by that?
These allow users to verify a website's identity. They allow HTTPS to work and thus are at the base of how the modern web works!
These certs are issued by a CA. But what if a CA issues a cert mistakenly or even maliciously? How do users not get duped by that?
2๏ธโฃ Certificate Transparency
This is where CT comes into play. It's an open framework for monitoring certs ๐
This means that all certificates are publicly disclosed! ๐ค
Domain owners can now get a list of all certs issued to their domain ๐
BUT we as hackers can now ... ๐จโ๐ป
This is where CT comes into play. It's an open framework for monitoring certs ๐
This means that all certificates are publicly disclosed! ๐ค
Domain owners can now get a list of all certs issued to their domain ๐
BUT we as hackers can now ... ๐จโ๐ป
3๏ธโฃ CT for recon
We as hackers can now also get a list of all certificates issued to a domain! ๐
This means that we can get a list of all certificates issued to a specific domain! ๐
And there's one specific thing that certificates can show us: More subdomains! ๐
We as hackers can now also get a list of all certificates issued to a domain! ๐
This means that we can get a list of all certificates issued to a specific domain! ๐
And there's one specific thing that certificates can show us: More subdomains! ๐
4๏ธโฃ Subject Alternative Name (SAN)
SAN is a structured way to show all the domains names and IPs that are secured by a certificate ๐
Looking into a certificate reveals these domains and IPs, giving you as a hacker a really cool passive way to gather more data on your target! ๐ช
SAN is a structured way to show all the domains names and IPs that are secured by a certificate ๐
Looking into a certificate reveals these domains and IPs, giving you as a hacker a really cool passive way to gather more data on your target! ๐ช
5๏ธโฃ crtsh
How do we query those certificate transparency reports? We can use a website such as crt.sh
We can enter a domain name, and it will really simply return us all the certificates alongside the matching identities! ๐ป
It's as simple as that! ๐ช
How do we query those certificate transparency reports? We can use a website such as crt.sh
We can enter a domain name, and it will really simply return us all the certificates alongside the matching identities! ๐ป
It's as simple as that! ๐ช
6๏ธโฃ How do the tools do it?
As far as I can tell, all the major tools use the crt(.)sh database to query the CT information ๐
Here we can how Amass makes a GET request to query the information ๐
github.com/OWASP/Amass/blโฆ
As far as I can tell, all the major tools use the crt(.)sh database to query the CT information ๐
Here we can how Amass makes a GET request to query the information ๐
github.com/OWASP/Amass/blโฆ
And that brings us to the end of this thread ๐งต
I hope you learned something new about Certificate Transparency and how all of these amazing tools give you the incredible results you're looking for! ๐ช
Want more of this kind of content? Be sure to give us a follow! ๐
I hope you learned something new about Certificate Transparency and how all of these amazing tools give you the incredible results you're looking for! ๐ช
Want more of this kind of content? Be sure to give us a follow! ๐
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
