# Certifcates

1 week ago 18

BOOK THIS SPACE FOR AD

ARTICLE AD

# Certifcates

To increase security by providing a way to validate the legitimacy of a
domain and help curb phishing and impersonation, SSL certificates are
acquired by domains from registered certificate authorities (CAs). In
order to be able to effectively monitor and audit these certificates, they
are recorded in a cryptographically secure manner, then published and
accessible to everyone via Certificate Transparency Logs. These logs
exist to be monitored proactively and allow domain owners to discover
if fraudulent certificates are issued for their domains, while also keeping
certificate issuing entities accountable, as anyone can trace these
timestamped certificates granted to malicious entities back to the
carefree CA and browbeat them into obscurity.

Conveniently for us, we can utilize this to monitor certificates ourselves
or see their entire backlog of them to enhance our recon efforts. On the
other hand, since logs are never removed, there may exist a lot of crap
subdomains to parse out that haven’t existed for a decade, but that’s
nothing we aren’t dealing with every minute in this game.
It would be remiss not to mention crt.sh ﬁrst. You can view the site in
your browser and use the search function (which accepts wildcards
using a “%”, like %.kindboys.com) or query it directly using the syntax
below (with your own domain as a value, obviously).

https://crt.sh/?q=onlyfans.com

Because of its unlimited, unauthenticated free tier, constantly updated
and a profusion of historical records dating back to the invention of the
internet, crt.sh is generally regarded as a grounded, excellent source for
certiﬁcate recon for hunters like me and you. To get a parsed list of
subdomains from the terminal, you can use the command below, then
pipe the output to a ﬁle for your records.

curl -s https://crt.sh/\?q\=%25.onlyfans.com\&output\=json |
jq . | grep ‘name_value’ | awk ‘{print $2}’ | sed -e
‘s/”//g’| sed -e ‘s/,//g’ | awk ‘{gsub(/\\n/,”\n”)}1’ |
sort -u
Certiﬁcates with Censys
You can also use Censys, which claims to hold the largest collection of
certiﬁcates at over 5 billion certiﬁcates logged. Pro accounts are
marketed to organization’s for monitoring their own resources, so the
free account gets you total access to their data.

82
. From the web UI at “https://search.censys.io/”, you can set the dataset
to “Certiﬁcates” instead of “Hosts” and search for your target domain.
Through the command line, here’s a few queries to execute to increase
your target’s attack surface (just replace my stupid domains with your
real ones).
443.https.tls.certificate.parsed.subject.common_name:poundto
wn.com
[443.https.tls.certificate.parsed.extensions.subject_alt_nam
e.dns_names:[fromdariver2daC.com] ]
A tool that does a lot of special stuff under the hood and presents you
with a nice list of IP addresses coupled with their open ports, ready for
further investigation, is projectdiscovery’s uncover. You can conjure the
binary yourself via the method below, which will also set you up with a
default conﬁg ﬁle in the expected location. Otherwise, you will have to
create it yourself if you go to their releases page, and there’s a lukewarm
chance something will go very wrong (the location it should be found
at is $HOME/.config/uncover/provider-config.yaml though).
go install -v
github.com/projectdiscovery/uncover/cmd/uncover@latest
Uncover works by giving it a query and it will work its mysterious magic
and give you some endpoints; their usefulness ranging across a broad

83
spectrum of value and their origin highly confounding. You’ll want to ﬁll
out as many API keys as you can for this tool, as most of these providers
will not return anything without them. By default, it checks Shodan,
but also has the ability to ﬁnd hidden attack surface assets through
Fofa, Censys, Zoomeye, Hunter, Quake, Netlas, CriminalIP, PublicWWW
and HunterHow.
Specify your provider or providers with the -e ﬂag and your query with
the -q ﬂag. Queries can be any variety of things from domains,
technologies (i.e. “Jira”, “Nginx”), organizations or even a ﬁle with a list of
dorks or subdomains.
uncover -q ‘tay-k47.com’ -e
shodan,censys,fofa,quake,hunter,zoomeye,netlas,criminalip
uncover -q ‘ssl:”Uber Technologies, Inc.”’
You can even use it for passive port ﬁnding via the third party services it
queries (not including an engine defaults to Shodan).
echo 51.83.59.99/24 | uncover
Finally, a hyperfast and direct way to chop up, ﬂip and serve
subdomains from a TLS certiﬁcate is glebarez’s cero tool. Embodies the
Linux ideals of doing one thing really well and produces results ready
for any pipe you decide to send them through.
go install github.com/glebarez/cero@latest

84
This tool takes domains, IPs, IPv6, CIDR ranges and even non-HTTP
protocol targets as inputs and ﬁres back like an overactive chain gun
shooting the shields off an organization’s attack surface.
cero whitecastle.com
cat deez_subs.txt | cero -c 500
cat cidr-ranges.txt | cero -p 4443,8443,2083 -c 1000 | anew
cero-cidr.txt
I’d like to take a quick detour to talk about tomnomnom’s tool
anew. It is super simple, super clever and super useful, as I use it
every ten minutes during every session.
As much as I love using “tee -a “ (show output and append output
to ﬁle), 90% of the time, I need to follow it with a couple more
commands to remove duplicates and route the output to another
ﬁle, then overwrite my old ﬁle with the new ﬁle. This tool
condensed that workﬂow into a single command, only appending
new data to your output. Just like tee, it will create a ﬁle if one
doesn’t exist already.
Use cases for this are overwhelmingly frequent — essentially,
any time I need to update a list of subdomains, URLs, JS ﬁles, IP
addresses.
vita -d goatpig.org > goatpig-subs.txt

85
python3.11 subj.py goatpig.org | anew goatpig-subs.txt
The output will show only the newly discovered subs. You could
also utilize this by piping it to a ﬁle and setting it as a cron job, so
you could see which subdomains were newly discovered, or
routing it directly to notify.
subscout -t goatpig.org -o subscoutput.txt
cat subscoutput.txt | anew goatpig-subs.txt | notify
The Content Security Policy (CSP) header serves as a security
protection against XSS or other malicious content by deﬁning and
restricting the locations that code is allowed to load from. Rather than

86
hosting all their content on one server, most modern websites pull their
resources across cloud providers, image hosting services, content
delivery networks and ofﬁcial Javascript libraries, in an effort to deliver
content faster through the parallelization capabilities of browsers.
Setting the CSP header to trusted locations is commonly
misconﬁgured, in addition to some “trusted” services offering anyone
the ability to host arbitrary code, can make the CSP a minor
inconvenience for many malicious actors. However, this is a book about
recon and the assets often listed in the CSP headers can illuminate
more assets that serve to increase our opportunities for ﬁnding
vulnerabilities against our target.
Let’s get straight to the point with a tool that gets us there quickly -
0xbharath’s tool domains-from-csp. Without ﬂexing your head too
hard, I’m sure you understand that it does a thing and spits out
domains from the CSP. Install it via the following instructions:
git clone https://github.com/0xbharath/domains-from-csp
cd domains-from-csp
python3.11 -m pip install requests click
The tool takes a full URL as its ﬁrst argument for input and lovingly add
“-r” to resolve the output as well.
python3.11 domains-from-csp.py https://slimetimelive.com -r

87
You can also directly pull the contents of the CSP header using curl, for
double-checking or integrating into your automation scripts.
curl -s -I -L “https://www.newyorker.com/" | grep -Ei
‘^Content-Security-Policy:’ | sed “s/;/;\\n/g”
Our good boy here also has another tool that compliments and reﬂects
the prior script. 0xbharath’s assets-from-spf earns its namesake and
delivers exactly what we deserve, some assets from our target’s SPF
(Sender’s Policy Framework). Prepare your terminals, my friends.
git clonehttps://github.com/0xbharath/assets-from-spf
cd assets-from-spf
python3.11 -m pip install click ipwhois
Fire it off with this simple syntax (add an -a ﬂag if you want ASN
included in the output as well).
python3.11 assets-from-spf.py morbidsniper.gov
One other ﬁeld that can help you ﬁnd subdomains, as well as
associated domains for your target (lovingly referred to as horizontal
enumeration by some), is the “Subject Alternative Name” (SAN) ﬁeld.
This ﬁeld allows domain owners to add multiple hosts on a single SSL
certiﬁcate, so they are generally ﬁlled with locations where the domain’s
content is hosted and other domains owned by the same organization.
Here’s a tool by projectdiscovery called tlsx, because we might as well
mention everything they’ve ever made in this book. You can grab it via

88
their “Releases” page (https://github.com/projectdiscovery/tlsx/releases)
or punch in the following:
go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest
There’s more features than nightmares that geniuses like myself suffer
through in a week, but to fulﬁll our most common recon needs you can
pull relevant SAN data and common name (CN) data via the -san and
-cn ﬂags.
echo 173.0.84.0/24 | tlsx -san -cn -silent
To restrict the output to a list of domains, you can add the -resp-only
only. You can make a cool chain with dnsx to resolve your output and
ﬁlter out invalid locations, followed by httpx, to add some more
information, like the site’s title, server type, basic technology and status
code.
echo 173.0.84.0/24 | tlsx -san -cn -silent | dnsx -any
-resp-only | httpx -td -title -cl -sc -ip -server -cname
-asn -cdn
To wrap up certiﬁcates real quick, here’s a couple browser based
sources you can check out if you’re tired of the terminal.
https://ui.ctsearch.entrust.com/ui/ctsearchui