Methodology Checklist
- Query crt.sh: `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" | jq .`
- Filter unique subdomains from CT results
- Cross-reference subdomains with DNS resolution
- Look for internal/staging subdomains in CT logs
- Check expired certs for historical subdomain exposure
- Add confirmed live subdomains to scope list
Operational Context
Think Dumber First:
```bash
curl -s "https://crt.sh/?q=%25.[DOMAIN]&output=json" | jq -r '.[].name_value' | sort -u
```
Run this before anything else. CT logs are completely passive, leave zero footprint on the target, and regularly reveal internal subdomains, staging servers, and dev environments that aren't in DNS.
When you land here: Starting web recon on a domain. CT logs first (passive), then verify discovered subdomains with DNS lookup, then active probing of responsive hosts. CT log entries often include wildcard certificates that reveal internal naming conventions.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq -r '.[] \| .name_value' \| sort -u` | Extract all subdomains from CT logs |
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq -r '.[] \| select(.name_value \| contains("dev")) \| .name_value' \| sort -u` | Filter CT results for "dev" entries |
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq -r '.[] \| .name_value' \| sed 's/\*\.//g' \| sort -u > crt_sh_results.txt` | Export to file with wildcard removal |
Deep Dive & Workflow
What Are CT Logs?
Public, append-only ledgers that record every SSL/TLS certificate issued by a Certificate Authority (CA). Browsers use them to detect rogue certificates. Attackers use them to find subdomains.
Integrity mechanism: Merkle tree structure → any change to a logged cert changes the root hash → tamper-evident, append-only log.
SCT (Signed Certificate Timestamp): cryptographic proof that a cert was submitted to a log; usually embedded in the cert itself.
Why CT Logs Are Valuable for Recon
- Definitive: subdomains listed must have existed to get a valid certificate
- Historical: shows old/expired certs → legacy subdomains missed by brute-forcing
- Comprehensive: reveals "hidden" subdomains (e.g., dev-internal.target.com) not in standard wordlists
Search Tools
| Tool | Pros | Use Case |
|---|---|---|
| crt.sh | Free, no registration, simple UI | Quick subdomain discovery |
| Censys | Advanced filtering, API access | Deep analysis, related hosts |
What to Look For
| Type | Examples |
|---|---|
| VPNs/Portals | vpn.target.com, citrix.target.com |
| Dev/Staging | dev.target.com, stg.target.com, test.target.com |
| Legacy | Old subdomains → unpatched servers |
| Internal | payroll.target.com, internal.target.com |
jq Filtering
```bash
# All subdomains
jq -r '.[] | .name_value'
# Filter for specific keyword
jq -r '.[] | select(.name_value | contains("dev")) | .name_value'
# Remove wildcard prefixes
sed 's/\*\.//g'
```
Exam Strategy
- Run the CT log query immediately during passive recon: it's completely silent (no target contact)
- Run before brute-forcing β often finds subdomains not in any wordlist
- Combine results with brute-force output into a master list
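As an added example (not part of this cheatsheet), a Python version of the jq/sed pipeline above that also handles the two edge cases the one-liners miss (multi-name `name_value` entries and mixed case), folds wildcards onto their base name, drops out-of-scope names, and tags results for the CT audit the reporting section recommends. The sample JSON, the domain and the keyword patterns are constructed assumptions.

```python
import json
import re

# Constructed sample of what https://crt.sh/?q=%25.example.com&output=json returns,
# trimmed to the fields used here. It shows two quirks the one-line jq filters miss:
# name_value can hold several SAN names separated by newlines, and case varies.
SAMPLE_CRT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2025-06-01T00:00:00"},
    {"name_value": "dev-internal.example.com", "not_after": "2024-01-01T00:00:00"},
    {"name_value": "vpn.example.com\nDEV.example.com", "not_after": "2026-03-01T00:00:00"},
    {"name_value": "stg.example.com", "not_after": "2023-05-01T00:00:00"},
])

# Naming patterns from the "What to Look For" table, matched against the part
# of the hostname below the audited domain (assumed keyword list).
PATTERNS = {
    "vpn/portal": re.compile(r"^(vpn|citrix|portal)"),
    "dev/staging": re.compile(r"^(dev|stg|staging|test|uat)"),
    "internal": re.compile(r"internal|corp|payroll|intranet"),
}

def parse_crt_sh(raw_json, domain):
    """Return {hostname: latest not_after} for every in-scope name in a crt.sh dump.
    Wildcards fold onto their base name (the page's sed step), names are lowercased
    and de-duplicated, and anything outside `domain` is dropped."""
    domain = domain.lower()
    latest = {}
    for entry in json.loads(raw_json):
        for name in entry["name_value"].splitlines():
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host != domain and not host.endswith("." + domain):
                continue
            if host not in latest or entry["not_after"] > latest[host]:
                latest[host] = entry["not_after"]  # same-format ISO strings sort
    return latest

def tag_hosts(hosts, domain, now):
    """Tag each host for the audit: naming-pattern hits, plus 'historical' when
    every certificate seen for it had already expired at `now` (ISO-8601)."""
    tags = {}
    for host, not_after in hosts.items():
        sub = host[: -len(domain)].rstrip(".")  # "dev.example.com" -> "dev"
        tags[host] = {label for label, rx in PATTERNS.items() if rx.search(sub)}
        if not_after < now:
            tags[host].add("historical")
    return tags
```

Hosts tagged "historical" are the expired-cert entries the checklist says to check; they still tell you the naming convention even when DNS no longer resolves them.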
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| crt.sh query returns empty JSON | Domain too new or no certs issued | Check older TLD variants; try censys.io search; verify domain spelling |
| jq parsing fails | Malformed JSON from crt.sh | Add error handling: `curl -s ... \| python3 -m json.tool \| ...`; retry, as crt.sh can return 500 errors under load |
| CT logs show hundreds of subdomains | Need to filter for live targets | Pipe through dnsx: `cat subdomains.txt \| dnsx -resp -a` to resolve only live hosts |
| Subdomain found in CT but not resolving | DNS record removed but cert still logged | CT logs are historical; removed subdomains may have been retired; still useful for naming convention patterns |
| Internal subdomains (dev.internal.corp.com) in CT | Certificate issued for internal name accidentally | This IS the finding: document internal hostname exposure via public CT logs |
Reporting Trigger
Finding Title: Internal Subdomain / Staging Environment Exposure via Certificate Transparency Logs
Impact: Internal hostnames, development environments, and staging servers are discoverable by any attacker via public CT log search. May expose internal network topology.
Root Cause: TLS certificates issued for internal/staging hostnames using a public CA, resulting in automatic CT log submission.
Recommendation: Use private PKI for internal systems. Implement wildcard certificates for internal domains to prevent specific hostname disclosure. Audit all CT log entries for unintended internal hostname exposure.