How to extract HTTPS websites subdomains from Certificate Transparency logs

…using a small Python script!

The SSL certificate system suffers from several structural flaws that weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, such as domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities.

Certificate Transparency is a Google project that aims to eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates.

In 2015, Comodo (now Sectigo) released an online tool, named, that discovers certificates by continually monitoring all of the publicly known Certificate Transparency logs.

So, during a penetration test, it can be really useful to enumerate subdomains, and this step can be performed (but only for HTTPS websites) by accessing public data.

For example, with this simple Python script, which downloads and processes the JSON export of

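import requests, json, sys

# Domain to look up, taken from the first command-line argument
target = sys.argv[1].rstrip()

# Download and parse the JSON export for that domain
req = requests.get("{d}&output=json".format(d=target))
json_data = json.loads(req.text)
# Print each record of the export
for (key, value) in enumerate(json_data):
    print(value)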

Obviously, inside the "for" loop many additional operations can be performed, such as an availability check or a simple IP resolution, and all the data can be exported in CSV format for further analysis.

I could develop something like this, when I find some time!
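Added example, not the author's script: one way to do the post-processing described above on a JSON export that has already been downloaded, keeping only names under the target domain, deduplicating them, and rendering CSV. The `name_value` field, the function names and the sample records are assumptions constructed for illustration.

```python
import csv, io, json, re

# Constructed sample export (assumed record shape, not real CT data).
SAMPLE_EXPORT = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "MAIL.example.com"},
    {"name_value": "www.example.com"},
    {"name_value": "example.com.evil.test"},
    {"name_value": "user@mail.example.com"},
])

LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")

def extract_hostnames(export_text, domain):
    """Map each hostname under `domain` to how often it was seen and
    whether it ever appeared as a wildcard entry."""
    domain = domain.lower().strip(".")
    found = {}
    for record in json.loads(export_text):
        # One certificate can carry several names, one per line.
        for raw in (record.get("name_value") or "").splitlines():
            name = raw.strip().lower().rstrip(".")
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]  # keep the parent of a wildcard entry
            if not HOST_RE.fullmatch(name):
                continue  # e-mail addresses and malformed values
            # Match on a label boundary so example.com.evil.test is rejected.
            if name != domain and not name.endswith("." + domain):
                continue
            entry = found.setdefault(name, {"seen": 0, "wildcard": False})
            entry["seen"] += 1
            entry["wildcard"] = entry["wildcard"] or wildcard
    return dict(sorted(found.items()))

def to_csv(hosts):
    """Render the result as CSV text for further analysis."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["hostname", "seen", "wildcard"])
    for name, info in hosts.items():
        writer.writerow([name, info["seen"], info["wildcard"]])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(extract_hostnames(SAMPLE_EXPORT, "example.com")), end="")
```

The hostname pattern also keeps values that begin with spreadsheet formula characters out of the CSV.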
