Certificate Transparency

  • Under Certificate Transparency (CT), a Certificate Authority (CA) has to publish every SSL/TLS certificate it issues in a public log
  • Anyone can look through the CT logs and find the certificates issued for a domain
  • CT allows website users and domain owners to identify mistakenly or, worse, maliciously issued certificates. This helps domain owners and browser vendors identify erring CAs
  • Details of the known CT logs can be found at https://www.certificate-transparency.org/known-logs

You can read more about Certificate Transparency on our technical blog https://blog.appsecco.com/certificate-transparency-the-bright-side-and-the-dark-side-8aa47d9a6616

Certificate Transparency - OSINT angle

Certificate Transparency (CT) logs by design contain all the certificates issued by a participating CA for any given domain. SSL/TLS certificates generally contain domain names, sub-domain names and email addresses. These logs are public and anyone can look through them. This makes them a treasure trove of information for attackers.

By looking through the CT logs an attacker can gather a lot of information about an organization's infrastructure, e.g. internal domain names and email addresses, in a completely passive manner.

Searching through CT logs

There are various search engines that collect the CT logs and let anyone search through them:

  1. https://crt.sh/
  2. https://censys.io/
  3. https://developers.facebook.com/tools/ct/
  4. https://google.com/transparencyreport/https/ct/

Using crt.sh

  • On the crt.sh web interface (https://crt.sh), use a search pattern like the one below to extract the certificates of any domain matching a pattern (example.com in this case). A liberal pattern like this may return some false positives, but it is unlikely to miss any potential sub-domains
%example.com


  • crt.sh also provides an RSS (Atom) feed, which can be queried using a URL such as https://crt.sh/atom?q=%wikimedia.org

  • crt.sh provides a PostgreSQL interface to its data. The script below extracts the sub-domains of a given domain name using the crt.sh PostgreSQL interface

#!/bin/sh
# Script by Hanno Böck - https://github.com/hannob/tlshelpers/blob/master/getsubdomain
# Usage: ./crtsh_enum_psql.sh example.com

[ -n "$1" ] || { echo "usage: $0 <domain>" >&2; exit 1; }

# Select every dNSName identity ending in ".<domain>". Both sides are reversed
# so the leading LIKE wildcard becomes a trailing one, which the database can
# answer far more efficiently than a '%.domain' suffix match.
query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE ci.NAME_TYPE = 'dNSName' AND reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.$1'));"

# psql -t prints tuples only; sed trims leading spaces, strips a leading "*."
# from wildcard names and drops blank lines; sort -u de-duplicates.
echo "$query" | \
    psql -t -h crt.sh -p 5432 -U guest certwatch | \
    sed -e 's:^ *::g' -e 's:^*\.::g' -e '/^$/d' | \
    sort -u | sed -e 's:*.::g'


https://github.com/appsecco/the-art-of-subdomain-enumeration/blob/master/crtsh_enum_psql.sh
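The same extraction can be done against the JSON that the crt.sh web interface returns (https://crt.sh/?q=%25example.com&output=json), which avoids needing a PostgreSQL client. The script below is an added example, not code from the original page, from appsecco or from crt.sh: it splits multi-name certificates, lower-cases and strips wildcard prefixes exactly as the sed pipeline above does, discards names that merely end in the search string (the false positives a "%example.com" search produces) and can optionally drop certificates that have already expired. The field names (name_value, not_after, common_name, issuer_name) are the ones crt.sh actually returns; the SAMPLE_RESPONSE is constructed so the example runs offline.

```python
"""Parse crt.sh JSON output into a de-duplicated list of sub-domain names."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed sample of crt.sh JSON output (field names mirror the real
# endpoint, values are invented for example.com).
SAMPLE_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com", "not_after": "2030-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "old.example.com",
     "name_value": "OLD.example.com", "not_after": "2016-01-01T00:00:00"},
    # A "%example.com" search also matches unrelated names such as this one.
    {"issuer_name": "C=US, O=Example CA", "common_name": "www.notexample.com",
     "name_value": "www.notexample.com", "not_after": "2030-01-01T00:00:00"},
])


def extract_subdomains(raw_json, domain, include_expired=True, now=None):
    """Return the sorted unique hostnames under `domain` found in crt.sh JSON.

    - splits multi-SAN name_value entries (crt.sh separates them by newline)
    - lower-cases names and strips a leading "*." from wildcard entries
    - keeps only the domain itself and names ending in ".<domain>"
    - optionally skips certificates whose not_after date has passed
    """
    now = now or datetime.now(timezone.utc)
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        if not include_expired and not_after < now:
            continue
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain, timeout=30):
    """Query the live crt.sh JSON endpoint for %.<domain> (needs network access)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-subdomain-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        data = fetch_crtsh(target)
    else:
        target, data = "example.com", SAMPLE_RESPONSE
    for host in extract_subdomains(data, target):
        print(host)
```

Run it with a domain as the only argument to query crt.sh live, or with no argument to process the built-in sample. Because crt.sh returns every certificate ever logged, a large domain can yield a response of many megabytes, which is the main reason the PostgreSQL route above is preferred for bulk work.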

Keeping track of an organization's sub-domains

  • Facebook's Certificate Transparency Monitoring tool not only lets you search through CT logs but also has a subscription option: an email alert is sent every time a new certificate for a domain you have subscribed to is found in the CT logs
  • This is helpful for domain owners to keep track of the certificates issued for the domains they manage
  • On the flip side, attackers can use this to keep track of the domains of an organization they are targeting and quickly learn about any new sub-domains that are created


Downside of Certificate Transparency

  • Certificate Transparency logs are append-only, which means that once an SSL/TLS certificate has been appended to a CT log there is no way to delete it
  • The obvious downside of this during recon is that the domain/sub-domain names found in CT logs may not exist anymore and thus will not resolve to any valid IP address

Extracting unique resolvable sub-domains using massdns

  • Massdns is a blazing fast DNS resolver that can resolve a massive number of domain names in substantially less time
  • Massdns can be used in conjunction with a script that extracts sub-domains from CT logs to quickly identify the unique domain names that actually resolve
# ct.py - extracts domain names from CT logs (shipped with massdns)
# massdns - resolves them and writes the names that answer to a file

./ct.py icann.org | ./bin/massdns -r resolvers.txt -t A -q -a -o -w icann_resolvable_domains.txt -
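The filtering step that massdns performs above can also be demonstrated without the external tool. The script below is an added example, not from the original page and not massdns's own code: it resolves a list of CT-derived names concurrently with the standard library and separates the ones that answer from the ones that do not, which is exactly the stale-name problem that append-only logs create. The resolver is injected so the example runs offline against a constructed FAKE_ZONE; with no resolver supplied it uses socket.getaddrinfo.

```python
"""Split a list of hostnames from CT logs into resolvable and dead names."""
import socket
from concurrent.futures import ThreadPoolExecutor


def system_resolver(hostname):
    """Return the set of A/AAAA addresses for hostname, or an empty set."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def resolvable_hosts(hostnames, resolver=system_resolver, workers=20):
    """Resolve each unique hostname concurrently and return (alive, dead).

    alive maps hostname -> sorted list of addresses; dead is the sorted list
    of names that returned no address, which is the usual fate of sub-domains
    that appear in old certificates but have since been decommissioned.
    """
    unique = sorted({h.strip().lower() for h in hostnames if h.strip()})
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(resolver, unique))
    alive, dead = {}, []
    for host, addrs in zip(unique, results):
        if addrs:
            alive[host] = sorted(addrs)
        else:
            dead.append(host)
    return alive, dead


# Constructed stand-in for DNS so the example runs offline: two names "exist",
# the third stands for a host that is still in CT logs but no longer deployed.
FAKE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25", "2001:db8::25"},
}


def fake_resolver(hostname):
    return FAKE_ZONE.get(hostname, set())


if __name__ == "__main__":
    names = ["www.example.com", "MAIL.example.com", "old.example.com", "www.example.com"]
    alive, dead = resolvable_hosts(names, resolver=fake_resolver)
    for host, addrs in alive.items():
        print(host, ",".join(addrs))
    print("not resolving:", ", ".join(dead))
```

Feeding the output of the crt.sh script above into resolvable_hosts (with the default resolver) gives the same kind of list massdns writes with -w; the thread pool is what keeps it tolerable for a few thousand names, though massdns remains far faster for very large inputs.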


Using censys.io

  • Censys.io aggregates the data collected as part of the scans.io project
  • Censys.io aggregates SSL/TLS certificates and lets us search through them, which can help us discover new sub-domains
