Sat May 27

Leveraging Certificate Transparency for Domain Gathering

When doing bug bounty programs, red teaming or pentesting, one of the first things you are likely to face is how to identify the assets and domains belonging to the target company. In the real world, it can be done with [some approaches](https://www.binaryte.com/blog/unveiling-secrets-with-content-discovery) like brute forcing.

However, most companies are against it due to the impact on their servers. Brute forcing floods their servers with traffic, and if too many requests are sent at a time the servers can become unresponsive. Hence, they prohibit the use of automated tools for brute forcing the domains or the web assets.

So, what can you do to achieve this without worrying that they will ban your IP? In this article, we will explore how you can leverage Certificate Transparency (CT) to enhance your reconnaissance efforts and discover web assets related to a particular company.

A glimpse of Certificate Transparency

From the [previous article](https://www.binaryte.com/blog/ensuring-trust-the-role-of-certificate-transparency), we learned how CT is used to detect certificate-related security breaches. Unfortunately, it can also be a source for malicious actors and adversaries to gather more information about their target. Let’s focus on two components of Certificate Transparency: CT logs and CT monitoring.

To put it simply, certificate logs and monitoring serve as valuable tools for reconnaissance purposes. When a certificate is issued, its data is recorded in append-only logs, preserving the accuracy and reliability of the certificate information. Additionally, Certificate Transparency monitoring gives anyone access to these logs. This access allows them to retrieve, store, and conduct targeted searches based on specific fields within the certificates.

Because the logs are publicly available, they can be accessed and inspected by anyone interested in monitoring or analyzing certificate activity. This public availability enables domain owners, security researchers, and other stakeholders to gain insights into the certificate ecosystem and identify potential security issues or anomalies. In conclusion, effective monitoring and analysis can be performed, empowering individuals to gather crucial insights and intelligence.

Why is monitoring Certificate Transparency important?

Within these logs, you can find valuable information that includes the organization name, email, common name, country, locality, and zip code. However, among all these details, the organization name and common name to which the certificate is issued are particularly important.

Platforms to inspect the CT logs

Some tools or platforms are available for us to pull the data out. Referring to the previous article, we have several tools for this, like crt.sh by Sectigo. Additionally, it is also possible to use tools from big names like ct.cloudflare.com (Merkle Town by Cloudflare) or Meta Certificate Transparency Monitoring by Meta.

In this particular example, we will only utilize crt.sh, as it is a user-friendly platform that does not require any signup process. Another good thing to consider is that it provides results in JSON format, making it convenient for integration into scripts written in various programming languages.

The basics of crt.sh

If you access the website, you will see some options offered to you. Once you click the “Advanced…” option, you will be presented with more details to search for. For example, it is common to use the organization name instead of the domain name to look for information about the corresponding target. We will take HackerOne as an example.

Identifying by Organization Name & Domain Name

Say that we want to identify the name of the company behind HackerOne. To do this, you can simply use Google to look for it. Alternatively, you can check the certificate belonging to HackerOne. If you choose this approach, go to its website and click the lock icon on the left of the URL. After clicking it, you should see the words “Connection is secure”, and you can click this section.

In some browsers like Firefox, the organization to which the certificate is issued is clearly stated, and you should be able to identify the organization name easily. In some cases, you may go further by looking for words like “Details”, “More information” or anything with a similar meaning to dig up more information about the target.

As mentioned before, you can also search directly with the domain name. Hence, typing either the domain name “hackerone.com” or the organization name “HackerOne Inc.” is fine.

Gathering target domains and subdomains

If you don’t want to do the hard work of filtering the output yourself, there is a tool called Crtsh Subdomain Enumeration which is very handy. By utilizing a tool like this one, you can easily gather domains and subdomains from your target. If you don’t want to use it, you can still do it with the curl command, which you can tweak with similar logic. So, what is the logic behind this? Let’s break things down.

If you want to follow along, you can open this URL. There are three functions available in this tool: the help function (Help()), the domain function (Domain()), and the organization function (Organization()). The help function only displays the help information, so we can skip this. The domain function is defined to handle the search for a domain name. This function performs the following steps:

  • It sends a GET request to the crt.sh website with the provided domain name as a parameter and retrieves the JSON response using curl. This is what we meant when we said you can simply use the curl command instead.
  • The response is then stored in a file called “req.txt”.
  • The “jq” command converts the JSON into a more human-friendly format, allowing users to extract and manipulate JSON data with ease. At this step the stored file still contains a lot of information that is irrelevant to what we need. Since we are only interested in common names, we need to clean and sort the output to make it easier to read.
  • The “sed” command removes unnecessary characters we don’t want.
  • Additionally, we employ both “sort” and “uniq” to sort the domain names and remove any duplicate entries.
  • The bloated “req.txt” is then removed and the cleaned output is saved in a file called output/domain.<domain_name>.txt, where <domain_name> is the provided domain name.
  • The contents of the output file are displayed on the console.
  • Information about the total number of saved domains and the output file path is also displayed.

The organization function works in a similar way to the domain function but searches for the organization name instead of a domain name. The resulting output file is named org.<organization_name>.txt and can be found in the directory called output.
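As an added example that is not part of the tool or the original article, the same curl | jq | sed | sort | uniq logic rewritten in Python: it parses a crt.sh JSON response, takes names from both the common_name field and the newline-separated name_value (SAN) field, strips the wildcard prefix, lower-cases and deduplicates the names, and keeps only those under the target domain, since crt.sh matches substrings and also returns unrelated names that merely contain the query. The sample JSON, the domain example-target.com and the issuer names are constructed.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample in the shape crt.sh returns for ?q=<name>&output=json:
# a JSON array; name_value holds the certificate's SAN entries separated by "\n".
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Sample CA", "common_name": "www.example-target.com",
     "name_value": "www.example-target.com\nexample-target.com"},
    {"id": 1002, "issuer_name": "C=US, O=Sample CA", "common_name": "*.example-target.com",
     "name_value": "*.example-target.com\napi.example-target.com"},
    {"id": 1003, "issuer_name": "C=US, O=Other CA", "common_name": "API.Example-Target.com",
     "name_value": "API.Example-Target.com"},
    {"id": 1004, "issuer_name": "C=US, O=Other CA", "common_name": "example-target.com.unrelated.net",
     "name_value": "example-target.com.unrelated.net"},
])

# Accepts only well-formed lower-case hostnames with at least two labels.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

def crtsh_url(query: str) -> str:
    """Build the crt.sh JSON query URL that the script's curl step requests."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": query, "output": "json"})

def extract_hostnames(crtsh_json: str, target_domain: str) -> list:
    """Equivalent of the jq | sed | sort | uniq pipeline: unique, lower-cased
    hostnames under target_domain, taken from both common_name and name_value."""
    target = target_domain.lower()
    found = set()
    for record in json.loads(crtsh_json):
        raw_names = [record.get("common_name", "")] + record.get("name_value", "").split("\n")
        for raw in raw_names:
            name = raw.strip().lower()
            if name.startswith("*."):          # wildcard cert: keep the covered base name
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue                        # drops blanks and non-hostname values
            # crt.sh matches substrings, so keep only the target and its subdomains
            if name == target or name.endswith("." + target):
                found.add(name)
    return sorted(found)

def fetch_hostnames(target_domain: str) -> list:
    """Online variant: query crt.sh for the domain and its subdomains (%.domain)."""
    with urllib.request.urlopen(crtsh_url("%." + target_domain), timeout=30) as resp:
        return extract_hostnames(resp.read().decode("utf-8"), target_domain)

if __name__ == "__main__":
    for host in extract_hostnames(SAMPLE_CRTSH_JSON, "example-target.com"):
        print(host)
```

Run against a domain you own, the same function doubles as a simple CT monitor: any hostname in the result that you did not request a certificate for deserves a closer look.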

If you choose to clone it directly from GitHub, make sure to make the script executable.

$ git clone https://github.com/az7rb/crt.sh.git && cd crt.sh/
$ chmod +x crt.sh

Finally, assuming you want to use the domain name, you need the -d option.

$ ./crt.sh -d hackerone.com

Or, you can use the -o option if you want to use the organization name.

$ ./crt.sh -o hackerone+inc

Why are these assets important?

For adversaries, this information is crucial because it gives them competitive advantages. In business settings, for example, the more information the adversaries have, the easier it is to infiltrate rival companies in order to gather intelligence on upcoming projects, product plans, pricing strategies, or other sensitive information. This stolen information can be used to undermine competitors, develop similar products, or disrupt their business operations.

In a bigger scope, the target assets can easily be taken advantage of depending on the motives of the adversaries themselves, such as exploitation, financial gain, sabotage, etc. Furthermore, if the gathered assets are considered sensitive, it can lead to even worse consequences for the target.

Conclusion

Publicly available Certificate Transparency can be seen as a double-edged sword. On one hand, the transparency provided by Certificate Transparency can benefit organizations and security professionals in identifying and mitigating potential threats. By actively monitoring and analyzing certificate logs, security teams can gain insights into potentially malicious or unauthorized certificates associated with their domain. This allows them to take proactive measures, such as revoking certificates, patching vulnerabilities, or strengthening security controls.

On the other hand, it provides a valuable resource for adversaries to conduct reconnaissance and gather information about target assets. This includes discovering domain names, associated organizations, and potentially vulnerable systems. Adversaries can exploit this information to launch targeted attacks, gain unauthorized access, or steal sensitive data, posing significant risks to businesses and individuals. In this case, the gathered information works as a foothold to conduct even further attacks.

Understanding the power and risks associated with publicly available Certificate Transparency is vital for both defenders and adversaries. While adversaries exploit it for reconnaissance and targeting vulnerabilities, organizations must use it as a tool to enhance their security posture and protect their valuable assets. By embracing transparency while implementing appropriate security measures, businesses can better defend against malicious actors and mitigate potential risks in the future.