BOOK THIS SPACE FOR AD
ARTICLE AD# Certifcates
To increase security by providing a way to validate the legitimacy of a
domain and help curb phishing and impersonation, SSL certificates are
acquired by domains from registered certificate authorities (CAs). In
order to be able to effectively monitor and audit these certificates, they
are recorded in a cryptographically secure manner, then published and
accessible to everyone via Certificate Transparency Logs. These logs
exist to be monitored proactively and allow domain owners to discover
if fraudulent certificates are issued for their domains, while also keeping
certificate issuing entities accountable, as anyone can trace these
timestamped certificates granted to malicious entities back to the
carefree CA and browbeat them into obscurity.
Conveniently for us, we can utilize this to monitor certificates ourselves
or see their entire backlog of them to enhance our recon efforts. On the
other hand, since logs are never removed, there may exist a lot of crap
subdomains to parse out that haven’t existed for a decade, but that’s
nothing we aren’t dealing with every minute in this game.
It would be remiss not to mention crt.sh first. You can view the site in
your browser and use the search function (which accepts wildcards
using a “%”, like %.kindboys.com) or query it directly using the syntax
below (with your own domain as a value, obviously).
https://crt.sh/?q=onlyfans.com
Because of its unlimited, unauthenticated free tier, constantly updated
and a profusion of historical records dating back to the invention of the
internet, crt.sh is generally regarded as a grounded, excellent source for
certificate recon for hunters like me and you. To get a parsed list of
subdomains from the terminal, you can use the command below, then
pipe the output to a file for your records.
curl -s https://crt.sh/\?q\=%25.onlyfans.com\&output\=json |
jq . | grep ‘name_value’ | awk ‘{print $2}’ | sed -e
‘s/”//g’| sed -e ‘s/,//g’ | awk ‘{gsub(/\\n/,”\n”)}1’ |
sort -u
Certificates with Censys
You can also use Censys, which claims to hold the largest collection of
certificates at over 5 billion certificates logged. Pro accounts are
marketed to organization’s for monitoring their own resources, so the
free account gets you total access to their data.
82
. From the web UI at “https://search.censys.io/”, you can set the dataset
to “Certificates” instead of “Hosts” and search for your target domain.
Through the command line, here’s a few queries to execute to increase
your target’s attack surface (just replace my stupid domains with your
real ones).
443.https.tls.certificate.parsed.subject.common_name:poundto
wn.com
[443.https.tls.certificate.parsed.extensions.subject_alt_nam
e.dns_names:[fromdariver2daC.com] ]
A tool that does a lot of special stuff under the hood and presents you
with a nice list of IP addresses coupled with their open ports, ready for
further investigation, is projectdiscovery’s uncover. You can conjure the
binary yourself via the method below, which will also set you up with a
default config file in the expected location. Otherwise, you will have to
create it yourself if you go to their releases page, and there’s a lukewarm
chance something will go very wrong (the location it should be found
at is $HOME/.config/uncover/provider-config.yaml though).
go install -v
github.com/projectdiscovery/uncover/cmd/uncover@latest
Uncover works by giving it a query and it will work its mysterious magic
and give you some endpoints; their usefulness ranging across a broad
83
spectrum of value and their origin highly confounding. You’ll want to fill
out as many API keys as you can for this tool, as most of these providers
will not return anything without them. By default, it checks Shodan,
but also has the ability to find hidden attack surface assets through
Fofa, Censys, Zoomeye, Hunter, Quake, Netlas, CriminalIP, PublicWWW
and HunterHow.
Specify your provider or providers with the -e flag and your query with
the -q flag. Queries can be any variety of things from domains,
technologies (i.e. “Jira”, “Nginx”), organizations or even a file with a list of
dorks or subdomains.
uncover -q ‘tay-k47.com’ -e
shodan,censys,fofa,quake,hunter,zoomeye,netlas,criminalip
uncover -q ‘ssl:”Uber Technologies, Inc.”’
You can even use it for passive port finding via the third party services it
queries (not including an engine defaults to Shodan).
echo 51.83.59.99/24 | uncover
Finally, a hyperfast and direct way to chop up, flip and serve
subdomains from a TLS certificate is glebarez’s cero tool. Embodies the
Linux ideals of doing one thing really well and produces results ready
for any pipe you decide to send them through.
go install github.com/glebarez/cero@latest
84
This tool takes domains, IPs, IPv6, CIDR ranges and even non-HTTP
protocol targets as inputs and fires back like an overactive chain gun
shooting the shields off an organization’s attack surface.
cero whitecastle.com
cat deez_subs.txt | cero -c 500
cat cidr-ranges.txt | cero -p 4443,8443,2083 -c 1000 | anew
cero-cidr.txt
I’d like to take a quick detour to talk about tomnomnom’s tool
anew. It is super simple, super clever and super useful, as I use it
every ten minutes during every session.
As much as I love using “tee -a “ (show output and append output
to file), 90% of the time, I need to follow it with a couple more
commands to remove duplicates and route the output to another
file, then overwrite my old file with the new file. This tool
condensed that workflow into a single command, only appending
new data to your output. Just like tee, it will create a file if one
doesn’t exist already.
Use cases for this are overwhelmingly frequent — essentially,
any time I need to update a list of subdomains, URLs, JS files, IP
addresses.
vita -d goatpig.org > goatpig-subs.txt
85
python3.11 subj.py goatpig.org | anew goatpig-subs.txt
The output will show only the newly discovered subs. You could
also utilize this by piping it to a file and setting it as a cron job, so
you could see which subdomains were newly discovered, or
routing it directly to notify.
subscout -t goatpig.org -o subscoutput.txt
cat subscoutput.txt | anew goatpig-subs.txt | notify
The Content Security Policy (CSP) header serves as a security
protection against XSS or other malicious content by defining and
restricting the locations that code is allowed to load from. Rather than
86
hosting all their content on one server, most modern websites pull their
resources across cloud providers, image hosting services, content
delivery networks and official Javascript libraries, in an effort to deliver
content faster through the parallelization capabilities of browsers.
Setting the CSP header to trusted locations is commonly
misconfigured, in addition to some “trusted” services offering anyone
the ability to host arbitrary code, can make the CSP a minor
inconvenience for many malicious actors. However, this is a book about
recon and the assets often listed in the CSP headers can illuminate
more assets that serve to increase our opportunities for finding
vulnerabilities against our target.
Let’s get straight to the point with a tool that gets us there quickly -
0xbharath’s tool domains-from-csp. Without flexing your head too
hard, I’m sure you understand that it does a thing and spits out
domains from the CSP. Install it via the following instructions:
git clone https://github.com/0xbharath/domains-from-csp
cd domains-from-csp
python3.11 -m pip install requests click
The tool takes a full URL as its first argument for input and lovingly add
“-r” to resolve the output as well.
python3.11 domains-from-csp.py https://slimetimelive.com -r
87
You can also directly pull the contents of the CSP header using curl, for
double-checking or integrating into your automation scripts.
curl -s -I -L “https://www.newyorker.com/" | grep -Ei
‘^Content-Security-Policy:’ | sed “s/;/;\\n/g”
Our good boy here also has another tool that compliments and reflects
the prior script. 0xbharath’s assets-from-spf earns its namesake and
delivers exactly what we deserve, some assets from our target’s SPF
(Sender’s Policy Framework). Prepare your terminals, my friends.
git clonehttps://github.com/0xbharath/assets-from-spf
cd assets-from-spf
python3.11 -m pip install click ipwhois
Fire it off with this simple syntax (add an -a flag if you want ASN
included in the output as well).
python3.11 assets-from-spf.py morbidsniper.gov
One other field that can help you find subdomains, as well as
associated domains for your target (lovingly referred to as horizontal
enumeration by some), is the “Subject Alternative Name” (SAN) field.
This field allows domain owners to add multiple hosts on a single SSL
certificate, so they are generally filled with locations where the domain’s
content is hosted and other domains owned by the same organization.
Here’s a tool by projectdiscovery called tlsx, because we might as well
mention everything they’ve ever made in this book. You can grab it via
88
their “Releases” page (https://github.com/projectdiscovery/tlsx/releases)
or punch in the following:
go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest
There’s more features than nightmares that geniuses like myself suffer
through in a week, but to fulfill our most common recon needs you can
pull relevant SAN data and common name (CN) data via the -san and
-cn flags.
echo 173.0.84.0/24 | tlsx -san -cn -silent
To restrict the output to a list of domains, you can add the -resp-only
only. You can make a cool chain with dnsx to resolve your output and
filter out invalid locations, followed by httpx, to add some more
information, like the site’s title, server type, basic technology and status
code.
echo 173.0.84.0/24 | tlsx -san -cn -silent | dnsx -any
-resp-only | httpx -td -title -cl -sc -ip -server -cname
-asn -cdn
To wrap up certificates real quick, here’s a couple browser based
sources you can check out if you’re tired of the terminal.
https://ui.ctsearch.entrust.com/ui/ctsearchui