Popular Posts

Search This Blog

Discover Internal Subdomains using CT-Exposer

Share it:

Discover sub-domains by searching through Certificate Transparency logs

What is CT?

Certificate Transparency (CT) is an experimental IETF standard. The goal of it was to allow the public to audit which certificates were created by Certificate Authorities (CA). TLS has a weakness that comes from the large list of CAs that your browser implicitly trusts. If any of those CAs were to maliciously create a new certificate for a domain, your browser would trust it. CT adds benefits to TLS certificate trust: Companies can monitor who is creating certificates for the domains they own. It also allows browsers to verify that the certificate for a given domain is in the public log record.
These logs end up being a gold mine of information for penetration testers and red teams.

What can you find with ct-exposer?

ct-exposer will query the CT logs for a given domain, and then try to do DNS lookups for the domains to see which ones exist in DNS. In my experience, so far, I've found numerous sub-domains that were not located with 'site:domain.com' google searches. Keep in mind that the domains that do not resolve, they can either be old domains, or internal only domains (Ex: you need access to the internal DNS server to resolve them).


Python3, gevent, and requests. pip3 install -r requirements.txt


usage: ct-exposer.py [-h] -d DOMAIN [-u] [-m]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        domain to query for CT logs, ex: domain.com
  -u, --urls            ouput results with https:// urls for domains that
                        resolve, one per line.
  -m, --masscan         output resolved IP address, one per line. Useful for
                        masscan IP list import "-iL" format.

Thank you✌✌✌>>>READMORE<<<

Share it:


Kali Linux