CRT.SH

crt.sh is a publicly accessible Certificate Transparency (CT) log search tool that allows users to query and analyze SSL/TLS certificates issued for specific domains. By aggregating data from multiple CT logs, crt.sh provides comprehensive visibility into all certificates—both legitimate and potentially fraudulent—associated with a target’s domain and its subdomains. For penetration testers, crt.sh is a powerful reconnaissance tool as it helps uncover previously unknown or forgotten subdomains, identify newly issued certificates, and detect possible certificate mis-issuance. This information expands the understanding of a target’s infrastructure, revealing hidden assets and helping testers map the attack surface more thoroughly.

//overview
root@oco:~$ curl -s https://crt.sh/\?q\=cnd.dev\&output\=json | jq .
 [
  {
    "issuer_ca_id": 286236,
    "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
    "common_name": "git.cnd.dev",
    "name_value": "git.cnd.dev",
    "id": 19712941882,
    "entry_timestamp": "2025-07-16T15:32:15.865",
    "not_before": "2025-07-16T13:44:12",
    "not_after": "2025-10-14T14:44:04",
    "serial_number": "00b981d268ffb7cae60e122c7893af80ae",
    "result_count": 2
  },
 ...
 
//filter on unique subdomains
root@oco:~$ curl -s https://crt.sh/\?q\=cnd.dev\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
 *.cnd.dev
 cnd.dev
 git.cnd.dev
 nuclear.cnd.dev
 payload.cnd.dev
 vpn.cnd.dev
 www.cnd.dev
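
The grep/cut/awk pipeline above works, but it keys on the word "name" and on the positions of ':' and '"' inside jq's pretty-printed output, so any issuer string without "CN=" or any value containing a colon would slip through or be truncated. The following is an added example, not code from the original page or from crt.sh, that parses the same JSON (the q=<domain>&output=json response shown above) with Python's standard library, splits the newline-packed name_value field, keeps only names in scope for the queried domain, and records per name which CAs issued for it and whether a certificate covering it is still valid, which is the check behind the "newly issued" and "mis-issuance" use cases the introduction mentions. The SAMPLE data is constructed for illustration (the first entry reproduces the one from the page, the others and the "Example CA" issuer are made up).

```python
"""Added example (not from the original page): query crt.sh and turn its JSON
into a scoped, deduplicated subdomain inventory with issuer/validity context."""
import json
import sys
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

CRTSH_URL = "https://crt.sh/"


def fetch_crtsh(domain):
    """Same request as the curl command above (q=<domain>&output=json).
    Needs network access; the constructed SAMPLE is used instead when offline."""
    query = urlencode({"q": domain, "output": "json"})
    with urllib.request.urlopen(CRTSH_URL + "?" + query, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def parse_ts(value):
    # crt.sh returns naive UTC timestamps such as "2025-07-16T13:44:12".
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def names_from_entry(entry):
    """name_value holds every SAN of the certificate, newline-separated (the
    literal "\\n" visible in the jq output). The common_name may or may not be
    repeated there, so both fields are merged and lower-cased."""
    raw = [entry.get("common_name") or ""] + (entry.get("name_value") or "").split("\n")
    return {n.strip().lower() for n in raw if n.strip()}


def in_scope(name, domain):
    """Keep only the apex and its subdomains: a query for cnd.dev may also
    return unrelated identities such as notcnd.dev."""
    domain = domain.lower()
    host = name[2:] if name.startswith("*.") else name
    return host == domain or host.endswith("." + domain)


def unique_subdomains(entries, domain):
    """Equivalent of the grep/cut/awk pipeline above, without relying on the
    layout of jq's pretty-printed output."""
    found = set()
    for entry in entries:
        found.update(n for n in names_from_entry(entry) if in_scope(n, domain))
    return sorted(found)


def summarize(entries, domain, now=None):
    """Per name: issuing CAs seen, latest expiry, and whether a certificate
    covering it is valid at `now` (ISO string; default is the current UTC time)."""
    ref = parse_ts(now) if now else datetime.now(timezone.utc)
    summary = {}
    for entry in entries:
        not_before, not_after = parse_ts(entry["not_before"]), parse_ts(entry["not_after"])
        for name in names_from_entry(entry):
            if not in_scope(name, domain):
                continue
            rec = summary.setdefault(name, {"issuers": set(), "latest_expiry": not_after, "valid": False})
            rec["issuers"].add(entry["issuer_name"])
            rec["latest_expiry"] = max(rec["latest_expiry"], not_after)
            rec["valid"] = rec["valid"] or not_before <= ref <= not_after
    return summary


def multi_issuer_names(summary):
    """Names with certificates from more than one CA: the first list to review
    when looking for unexpected or mis-issued certificates."""
    return sorted(n for n, rec in summary.items() if len(rec["issuers"]) > 1)


# Constructed sample modelled on the output format shown above; the first entry
# is the one from the page, the other two (and "Example CA") are made up.
SAMPLE = json.loads("""[
 {"issuer_ca_id": 286236, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
  "common_name": "git.cnd.dev", "name_value": "git.cnd.dev", "id": 19712941882,
  "entry_timestamp": "2025-07-16T15:32:15.865", "not_before": "2025-07-16T13:44:12",
  "not_after": "2025-10-14T14:44:04", "serial_number": "00b981d268ffb7cae60e122c7893af80ae",
  "result_count": 2},
 {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example R1",
  "common_name": "cnd.dev", "name_value": "*.cnd.dev\\ncnd.dev\\nWWW.cnd.dev", "id": 2,
  "entry_timestamp": "2024-01-01T00:00:00", "not_before": "2024-01-01T00:00:00",
  "not_after": "2024-04-01T00:00:00", "serial_number": "01", "result_count": 3},
 {"issuer_ca_id": 286236, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
  "common_name": "vpn.cnd.dev", "name_value": "vpn.cnd.dev\\ncnd.dev\\nnotcnd.dev", "id": 3,
  "entry_timestamp": "2025-06-01T00:00:00", "not_before": "2025-06-01T00:00:00",
  "not_after": "2025-08-30T00:00:00", "serial_number": "02", "result_count": 3}
]""")


if __name__ == "__main__":
    # With a domain argument the live crt.sh API is queried; without one the
    # constructed sample is used so the script runs offline.
    domain = sys.argv[1] if len(sys.argv) > 1 else "cnd.dev"
    entries = fetch_crtsh(domain) if len(sys.argv) > 1 else SAMPLE
    report = summarize(entries, domain)
    for name in unique_subdomains(entries, domain):
        rec = report[name]
        print(f"{name:30} valid={rec['valid']!s:5} expires={rec['latest_expiry'].date()} "
              f"issuers={len(rec['issuers'])}")
    print("names issued by more than one CA:", multi_issuer_names(report))
```

Run it with no arguments to see the sample processed offline, or with a domain (e.g. `python3 crtsh_inventory.py cnd.dev`, file name assumed) for a live query. Names that appear only on expired certificates are often the forgotten hosts the introduction refers to, and a name issued by a CA the organisation does not use is the signal to investigate first.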
