Certificate Transparency Is a Confession

Why passive recon starts at crt.sh, and what a CT log quietly hands you for free.

The cheapest, quietest, most legally boring recon I do happens before I send a single packet at the target: Certificate Transparency logs.

Every time an organisation gets a TLS certificate issued, that certificate is written to a public, append-only log, forever. Nobody can un-log it. So the CT log is an accidental confession of every hostname a company has ever bothered to put a certificate on: staging., vpn., internal-tools., that-admin-panel-from-2019.

The whole trick is one request:

curl -s 'https://crt.sh/?q=%25.example.com&output=json' | jq -r '.[].name_value' | sort -u

Lessons I keep relearning here:

  • Passive before active, always. crt.sh never touches the target's infrastructure. You build a near-complete subdomain map without the target ever seeing a request. DNS brute-forcing comes after, and only when it's in scope.
  • Wildcards lie, CT does not. A *.example.com cert hides the specific names, but the issued leaf certs for individual hosts still land in the log. Read the leaves, not just the wildcard.
  • The forgotten host is the soft host. The subdomain nobody remembers provisioning is the one nobody remembers patching.
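As an added example (not code from this post, subhunter or recon-suite), here is the same crt.sh output handled in Python from the defender's side: crt.sh's JSON puts every SAN of a certificate into one newline-separated name_value field, so the script splits those, separates wildcard patterns from leaf hostnames, and diffs the leaves against an asset inventory to surface the forgotten host. The JSON below is a constructed sample, not a real crt.sh response, and the inventory set is an assumed stand-in for whatever asset list the organisation keeps.

```python
import json

# Constructed sample shaped like crt.sh's output=json (not a real response).
# Each record is one certificate; name_value lists all of its SANs,
# separated by newlines, so a plain sort -u over it is not enough.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "vpn.example.com\nvpn-old.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Staging.Example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "staging.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "admin-panel.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "notexample.com"},
])


def parse_crtsh(json_text: str, domain: str) -> tuple[set[str], set[str]]:
    """Split crt.sh JSON into (leaf hostnames, wildcard patterns) under domain."""
    domain = domain.lower()
    suffix = "." + domain
    leaves: set[str] = set()
    wildcards: set[str] = set()
    for record in json.loads(json_text):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower()  # CT names are case-insensitive
            if not name:
                continue
            # Keep the apex and anything under it; drop lookalike suffixes
            # such as notexample.com that a loose string match would let in.
            if name != domain and not name.endswith(suffix):
                continue
            if name.startswith("*."):
                wildcards.add(name)  # the wildcard hides hosts; note it separately
            else:
                leaves.add(name)  # the leaves are the actual hostnames
    return leaves, wildcards


def unknown_hosts(leaves: set[str], inventory: set[str]) -> set[str]:
    """Leaf names present in CT that the asset inventory does not list."""
    known = {h.lower() for h in inventory}
    return {h for h in leaves if h not in known}


if __name__ == "__main__":
    leaves, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    inventory = {"example.com", "vpn.example.com", "staging.example.com"}  # assumed
    print("wildcards:", sorted(wildcards))
    for host in sorted(unknown_hosts(leaves, inventory)):
        print("not in inventory:", host)
```

For a live run, feed the script the body of the curl request above instead of SAMPLE_CRTSH_JSON; the parsing is the same.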

subhunter automates this and folds the result into recon-suite, but I still run the raw query by hand first. The map you build yourself is the one you actually trust.