SSL Certificates
SSL Certificate Recon
SSL Certificate Reconnaissance
SSL Certificate Enumeration
SSL Certificate Enumeration involves passively discovering SSL/TLS certificates for a target domain. SSL certificates can discover additional domains associated with a target organization. There are many available tools to enumerate SSL certificates for a target domain. I have listed several online search tools here: Searching Tools & Links
The following are tools and techniques to enumerate SSL certificates for target domains.
curl -s "https://crt.sh/?q=tesla.com&output=json" | jq . | grep common_name #Retreives the host name (CN, FQDN) of all SSL certificates issued to the target domain censys search tesla.com --api-id 'xxxx' --api-secret 'xxxxx' #Retrieves SSL certificate issued for a domain shodan search ssl.cert.subject.cn:tesla.com #Search the Shodan database for SSL certificates issued for a domain curl -s "https://www.virustotal.com/api/v3/domains/tesla.com" -H "x-apikey: xxxx" #VirusTotal search for SSL certificates issued for a domain curl -s "https://api.securitytrails.com/v1/domain/tesla.com?apikey=xxxx" #SecurityTrails search for SSL certificates issued for a domain
SSL Certificate Monitoring
In this phase of SSL certificate reconnaissance, you continuously monitor a target domain to observe if any SSL/TLS certificates are issued for a target organization’s domains. Performing this over a longer period is excellent for long engagements or as part of an ASM (Attack Surface Management) service.
As pentesters, our main objective for SSL certificate monitoring is to discover new subdomains and associated certificates that may have been recently registered. New SSL certificates can expand the target domain’s attack surface.
certspotter -watchlist domains.txt -stdout #Monitor a list of domains and output to stdout