Subdomain Enumeration Techniques
Subdomain Enumeration Using Certificate Transparency Logs
Subdomain enumeration using Certificate Transparency logs involves searching the logs for publicly trusted SSL certificates associated with a domain. There are various online services and tools available that provide access to Certificate Transparency logs.
The crt.sh website allows users to search for certificates associated with specific domain names or subdomains. It provides detailed information about each certificate, including the common name and subject alternative names (SANs) that list additional domain names or subdomains covered by the certificate.
here I show how we can enumerate subdomains using this,
- Determine the target domain for which you want to enumerate subdomains. For example, let’s consider the domain “google.com”.
- search for “google.com”.
- The search results will display a list of certificates issued for the domain. Each certificate corresponds to a subdomain associated with the target domain. Look for the “Common Name” or “Subject Alternative Name” fields in the certificate details to identify the subdomains.
- As you can see we got so many subdomains. Again we can perform subdomain enumeration on those subdomains if needed.
You can use oneliner for the same:
curl -s https://crt.sh/\?q\=\google.com\&output\=json | jq -r '..name_value' | grep -Po '(\w+\.\w+\.\w+)$'
Censys.io is a search engine and data analysis platform that focuses on Internet-wide scanning and security research. It provides access to a wealth of information about hosts and networks on the Internet, including details about SSL certificates, open ports, services running on specific IP addresses, and more.
you can use the Censys search interface or API to search for the target domain or a specific keyword related to the domain. For example, you can search for “google.com” to retrieve results related to the domain.
Censys will provide a list of hosts, IP addresses, and other relevant information associated with the domain or keyword. Look for subdomains in the results. Sometimes, the subdomains may be listed in the hostname field or as part of the certificate details.
Use additional filters or keywords to narrow down the search results and focus specifically on subdomains.
you can use https://github.com/christophetd/censys-subdomain-finder for the same.
This helped me to find some subdomains and IPs with some exposed services running. One of my previous article will explain that Issue and the reward I got for the same.
The next series will be explaining more techniques. Thank You.
You can now Buy me a coffee:)