...using a small python script!



The SSL certificate system suffers from several structural flaws that weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, such as domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities.

Certificate Transparency is a Google project that aims to eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates.

https://www.youtube.com/watch?v=tJFfDOQT46k

In 2015, Comodo (now Sectigo) released an online tool, named crt.sh, that discovers certificates by continually monitoring all of the publicly known Certificate Transparency logs.

So, during a penetration test, it may be really useful to enumerate subdomains, and this step can be performed (but only for hosts that have obtained an HTTPS certificate) by accessing crt.sh public data.

For example, with this simple Python script, which downloads and processes the JSON export of crt.sh:

#!/usr/bin/env python3
import requests, sys

target = sys.argv[1].strip()

# crt.sh answers with a JSON array; each entry's "name_value" holds the
# identities of one certificate (possibly several, separated by newlines)
req = requests.get("https://crt.sh/?q=%.{d}&output=json".format(d=target))
req.raise_for_status()
for entry in req.json():
    for name in entry['name_value'].splitlines():
        print(name)

Obviously, inside the "for" loop a lot of additional operations can be performed, such as an availability check or a simple IP resolution, and all data can be exported in CSV format for further analysis.
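As an added example (not part of the original post), here is what that extended loop can look like: it parses a constructed crt.sh-style JSON export, splits and de-duplicates the newline-separated name_value entries, drops wildcard names and SANs belonging to other domains, resolves each host (the resolver is injectable, an assumption made so the logic can be exercised offline), and writes CSV. The sample entries are made up; only the field names follow crt.sh.

```python
import csv
import io
import json
import socket

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json.
# Field names are crt.sh's; the certificate entries are made up for this example.
SAMPLE_EXPORT = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "api.example.com", "name_value": "API.example.com\ndev.example.com"},
    {"common_name": "dev.example.com", "name_value": "dev.example.com\nshared.example.net"},
])

def extract_names(json_text, domain):
    """Sorted unique hostnames under `domain`. name_value can hold several SANs
    separated by newlines, in mixed case, as wildcards, or for unrelated domains,
    so each value is split, lowercased and filtered before de-duplication."""
    domain = domain.lower()
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if not name or name.startswith("*."):   # wildcard: no concrete host
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)

def resolve_all(names, resolver=socket.gethostbyname):
    """(hostname, ip) pairs; '' when the name does not resolve. The resolver is
    injectable (assumption) so the logic can run without network access."""
    rows = []
    for name in names:
        try:
            rows.append((name, resolver(name)))
        except (socket.gaierror, OSError):
            rows.append((name, ""))
    return rows

def to_csv(rows):
    """CSV text with a header row, ready for a spreadsheet or further tooling."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["hostname", "ip"])
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(resolve_all(extract_names(SAMPLE_EXPORT, "example.com"))))
```

Run against a real crt.sh response, replace SAMPLE_EXPORT with the text of the HTTP request from the script above; names that do not resolve show up with an empty ip column, which is the cheap availability check.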

I could develop something like this when I find some time!


References and further reading