How to extract HTTPS websites subdomains from Certificate Transparency logs

…using a small Python script!

The SSL certificate system suffers from several structural flaws that weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, such as domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities.

Certificate Transparency is a Google project that aims to eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates.

In 2015, Comodo (now Sectigo) released an online tool, named crt.sh, that discovers certificates by continually monitoring all of the publicly known Certificate Transparency logs.

So, during a penetration test, it may be really useful to enumerate subdomains, and this step can be performed (but only for HTTPS websites, since only names that appear in a logged certificate are visible) by accessing crt.sh's public data.

For example, with this simple Python script, which downloads and processes the JSON export of crt.sh:

import requests, json
target = "andreafortuna.org"

# "%." is a SQL-style wildcard, so the query matches every logged certificate for a subdomain of target
req = requests.get("https://crt.sh/?q=%.{d}&output=json".format(d=target), timeout=30)
req.raise_for_status()

try:
    json_data = req.json()  # crt.sh now returns a proper JSON array
except ValueError:
    # older crt.sh output was a stream of concatenated objects: wrap it into an array
    json_data = json.loads('[{}]'.format(req.text.replace('}{', '},{')))

# name_value may hold several names separated by newlines (one per SAN), so print each of them
for entry in json_data:
    for name in entry['name_value'].split('\n'):
        print(name)

Obviously, inside the for loop many additional operations can be performed, such as an availability check or a simple IP resolution, and all data can be exported in CSV format for further analysis.

I could develop something like this when I find some time!
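The extension sketched above, as an added example that is not part of the original post and not the author's code: it parses a crt.sh response (accepting both the current JSON array and the old concatenated-objects form), collects the unique hostnames from name_value (lower-cased, wildcard prefix stripped, names outside the target domain discarded), resolves each one and writes the result as CSV. The sample crt.sh output, the 192.0.2.x addresses and the FAKE_DNS table are constructed for the example so that it runs offline; the resolver is injectable, so passing nothing uses socket.gethostbyname against real DNS.

```python
import csv
import io
import json
import socket

# Constructed sample of what crt.sh returns for ?q=%.example.com&output=json.
# The field names match the real API; the values are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_before": "2023-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "mail.example.com",
     "name_value": "mail.example.com", "not_before": "2023-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDev.Example.com", "not_before": "2023-03-01T00:00:00"},
    # a renewal of the first certificate: same names, must not produce duplicate rows
    {"issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com", "not_before": "2023-04-01T00:00:00"},
])

# Constructed lookup table standing in for DNS so the example works offline.
FAKE_DNS = {
    "example.com": "192.0.2.1",
    "www.example.com": "192.0.2.1",
    "mail.example.com": "192.0.2.10",
}


def parse_crtsh(text):
    """Turn crt.sh JSON output into a list of dicts, accepting both the current
    array form and the old stream of concatenated objects."""
    try:
        return json.loads(text)
    except ValueError:
        # old format: "{...}{...}" -> "[{...},{...}]"
        return json.loads('[{}]'.format(text.replace('}{', '},{')))


def extract_hostnames(entries, domain):
    """Collect the unique hostnames under `domain` from the name_value fields.
    Names are lower-cased; a leading '*.' is stripped because the wildcard itself
    is not a resolvable host, while its base label usually is."""
    domain = domain.lower()
    suffix = "." + domain
    names = set()
    for entry in entries:
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                names.add(name)
    return sorted(names)


def resolve_all(hostnames, resolver=None):
    """Resolve every hostname to an IPv4 address; hosts that do not resolve get ''.
    `resolver` is injectable so the function can be exercised without network access."""
    if resolver is None:
        resolver = socket.gethostbyname
    rows = []
    for host in hostnames:
        try:
            ip = resolver(host)
        except (OSError, KeyError):  # socket.gaierror is an OSError; KeyError for the fake table
            ip = ""
        rows.append({"hostname": host, "ip": ip, "resolves": bool(ip)})
    return rows


def to_csv(rows):
    """Serialise the rows as CSV text (a string rather than a file keeps the example self-contained)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["hostname", "ip", "resolves"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def run_offline(domain="example.com"):
    """Whole pipeline on the constructed sample: parse, dedupe, resolve via FAKE_DNS, export."""
    entries = parse_crtsh(SAMPLE_CRTSH_JSON)
    hosts = extract_hostnames(entries, domain)
    rows = resolve_all(hosts, resolver=lambda h: FAKE_DNS[h])
    return rows, to_csv(rows)


if __name__ == "__main__":
    _, csv_text = run_offline()
    print(csv_text)
```

To run it against the real service, replace SAMPLE_CRTSH_JSON with the text of the crt.sh response fetched as in the script above and call resolve_all without a resolver; the CSV then lists every name seen in a logged certificate together with whether it currently resolves, which is a quick way to spot stale entries and names that still appear in certificates although the host is gone.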
