Most organizations have services such as employee login portals, internal subdomains, and test servers that they would rather keep private. Red teams and white-hat hackers can find these obscure and often vulnerable services by using a mechanism that was designed to protect users from fraudulent certificates.
What is Certificate Transparency?
Certificates are issued to companies that operate online services by a certificate authority, to protect users from fraudulent websites. In 2011, the limits of what certificates can do to protect users were exposed by attacks against the certificate authorities Comodo and DigiNotar. Because detecting the fraudulent certificates took a long time, Certificate Transparency (CT) logs were created to give users better visibility into which certificates have been issued.
Facebook has used CT logs to detect misissued TLS certificates and prevent them from being used to intercept HTTPS traffic. This success led them to publish a CT log monitoring tool for the public, with the ability to "subscribe" to a domain and quickly see newly issued certificates.
Ironically, releasing this tool directly resulted in several bug bounty reports about Facebook test servers that lacked the authorization checks of the production servers, potentially giving free access to all sorts of information. This perfectly illustrates how CT logs can uncover an unintended amount of information about an enterprise while they identify domains with fraudulent certificates.
Hidden subdomains can reveal things such as employee login pages, web applications in use, domains that only resolve on an internal DNS server, and old or deleted domains. While we could use Facebook's CT monitoring tool online to find hidden subdomains, we will use a local tool for more anonymity. It's called ct-exposer, a Python OSINT scanner that can easily be run on any platform. It does not show us as much data as the Facebook tool and does not return as many results, but the information is much easier to sift through.
To get started with ct-exposer, you need to make sure Python 3 is installed on your computer. If you don't have it, you can download it from the Python website. Once you have Python installed, you can check that you have the correct version by typing python3 in a terminal window. If the output resembles the following, you should be fine. You can type quit() after the >>> to exit.
python3
Python 3.6.4 (v3.6.4:d48ecebad5, Dec 18 2017, 21:07:28)
[GCC 4.2.1 (Apple Inc. build 6996) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> quit()
If you are running Kali Linux, make sure you also update and upgrade your system with the following commands:
apt update
apt upgrade
Step 1: Download and Install the Requirements
When Python is installed and your system has been fully upgraded, navigate to the GitHub page for ct-exposer. Copy the URL under the "Clone or download" button and run git clone in a terminal window:
git clone https://github.com/chris408/ct-exposer.git
Once the files have finished downloading, change directory into the ct-exposer folder and install the requirements as follows:
cd ct-exposer
sudo pip3 install -r requirements.txt
Once the requirements are installed, you should be ready!
To find out what CT logs can reveal, let's test a domain and see what information is visible from the perspective of an attacker. To get started, try priceline.com.
The main URL for this company is priceline.com, so run ct-exposer on that domain to see what you can find. Make sure you are in the ct-exposer folder. Once you are, run the following command to scan the Certificate Transparency logs for the domain priceline.com.
python3 ct-exposer.py -d priceline.com
The output below shows the results of the priceline.com scan. Impressive! There are many results, but how could they be useful?
sudo python3 ct-exposer.py -d priceline.com
[+]: Downloading domain list...
[+]: Download of domain list completed.
[+]: Parsing 33 domain(s) from the list.
[+]: Domains found:
184.108.40.206 admin.groupcommerce.com
220.127.116.11 app-install.priceline.com
18.104.22.168 appinstall.priceline.com
22.214.171.124 bomgar.corp.priceline.com
126.96.36.199 career.priceline.com
188.8.131.52 cruises.priceline.com
184.108.40.206 dealreveal.corp.priceline.com
220.127.116.11 enet.qahotelportal.priceline.com
18.104.22.168 g.ssl.fastly.net
22.214.171.124 h.priceline.com
126.96.36.199 hsecure.priceline.com
188.8.131.52 mail.corp.priceline.com
184.108.40.206 media.priceline.com
220.127.116.11 phantom.corp.priceline.com
18.104.22.168 picme.priceline.com
22.214.171.124 priceline.map.fastly.net
126.96.36.199 qahotelportal.priceline.com
188.8.131.52 splunkes.corp.priceline.com
184.108.40.206 ssh.corp.priceline.com
220.127.116.11 travela.a1.qa.priceline.com
18.104.22.168 travela.priceline.com
22.214.171.124 www.a1.dev.priceline.com
126.96.36.199 www.a1.qa.priceline.com
188.8.131.52 www.a309.corp.priceline.com
184.108.40.206 www.b1.dev.priceline.com
220.127.116.11 www.priceline.com
18.104.22.168 www.qaa.priceline.com
[+]: Domains without DNS entry:
none en.hotelportal.priceline.com
none fs.corp.priceline.com
none pcln04.corp.priceline.com
none rsecure.priceline.com
none secure.priceline.com
Example 1: Subdomains That Do Not Resolve in DNS
You can try to navigate to the various subdomains that are displayed. If they do not resolve, this can mean one of several things:
One is that you are trying to reach an internal service, which only resolves when you are connected to the organization's internal DNS server. For example, when you try to navigate to mail.corp.priceline.com in your web browser, you may see the following:
This is different from what you see when the page you are trying to reach does not exist. The host is there; you just cannot see it from a public network. For a red team or an attacker, a piece of internal infrastructure has just been discovered. A simple Nmap scan shows a Microsoft IIS/8.5 server at this address.
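The two steps the article walks through by hand, scanning CT records for a domain and then sorting the names into ones that resolve publicly and ones that do not, can be reproduced in a few dozen lines. The script below is an added example; it is not part of the original article and not ct-exposer's own code. It parses records in the JSON shape returned by crt.sh (one name_value field per certificate, several names separated by newlines), extracts the hostnames that actually belong to the target domain, and classifies them with a pluggable resolver. The certificate records, the example.com hostnames and the DNS answers are constructed sample data so that it runs offline; swap in public_resolver to run it against live DNS for a domain you own. The last function adds the defender's angle the Facebook story illustrates: any CT-visible name that is missing from your asset inventory is worth a look.

```python
"""Triage Certificate Transparency (CT) log results for one domain.

Added example, not part of the original article and not ct-exposer's own code.
The CT records and DNS answers below are constructed sample data.
"""
import json
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed crt.sh-style records for a hypothetical domain (not real certificates).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "mail.corp.example.com\nssh.corp.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.qa.example.com"},            # wildcard: still reveals the qa zone
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "WWW.example.com."},             # duplicate in a different spelling
    {"issuer_name": "C=US, O=Example Corp, CN=Example Internal CA",
     "name_value": "notexample.com\nexample.com.evil.test"},  # look-alikes to reject
])

# Constructed DNS answers standing in for the public resolver (TEST-NET-3 addresses).
SAMPLE_DNS: Dict[str, str] = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "ssh.corp.example.com": "203.0.113.22",
}

Resolver = Callable[[str], Optional[str]]


def extract_hostnames(ct_json: str, domain: str) -> List[str]:
    """Return the unique, sorted hostnames at or below `domain` found in the records.

    Names are normalised (lower case, trailing dot removed), a wildcard prefix is
    stripped because '*.qa.example.com' still proves the zone qa.example.com exists,
    and only exact suffix matches are kept so 'notexample.com' and
    'example.com.evil.test' never slip in.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def public_resolver(name: str) -> Optional[str]:
    """Look a name up with the system resolver; None means no public A record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Build a resolver from a fixed table, used here instead of live DNS."""
    return lambda name: table.get(name)


def classify(names: List[str], resolve: Resolver) -> Tuple[Dict[str, str], List[str]]:
    """Split names into {name: ip} for publicly resolvable names and a list of the rest.

    An unresolvable name is the interesting case from the article: it usually means
    the host is only defined in an internal DNS zone, or has been retired.
    """
    resolved: Dict[str, str] = {}
    unresolved: List[str] = []
    for name in names:
        ip = resolve(name)
        if ip:
            resolved[name] = ip
        else:
            unresolved.append(name)
    return resolved, unresolved


def unexpected_names(names: List[str], inventory: set) -> List[str]:
    """Defender's view: CT-visible names that are missing from the asset inventory."""
    return sorted(n for n in names if n not in inventory)


if __name__ == "__main__":
    hosts = extract_hostnames(SAMPLE_CT_JSON, "example.com")
    resolved, unresolved = classify(hosts, table_resolver(SAMPLE_DNS))
    print("[+]: Domains found:")
    for host, ip in resolved.items():
        print(f"     {ip:<16} {host}")
    print("[+]: Domains without DNS entry:")
    for host in unresolved:
        print(f"     {'none':<16} {host}")
    known = {"example.com", "www.example.com"}  # constructed asset inventory
    print("[+]: Not in inventory:", ", ".join(unexpected_names(hosts, known)))
```

The suffix check in extract_hostnames is the part most scanners get wrong: a plain substring match on the domain would happily report example.com.evil.test as an asset, and a wildcard entry dropped on the floor would hide an entire zone that the certificate proves exists.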
Some subdomains do resolve and are not secret at all. For an attacker, however, they may still provide an early starting point for exploring a possible attack path.
For an example, look at the careers subdomain at careers.priceline.com. As an attacker, I've just learned what kind of resume I need to copy and paste into these job postings to get the attention of an HR employee at Priceline. Maybe I can even get them to open a PDF resume with an exploit, but even if they use an outsourced hiring company, by reading the job requirements carefully I can learn the physical locations they work in and the types of systems they use.