Most organizations have services such as employee login portals, internal subdomains, and test servers that they would rather keep private. Red teams and white-hat hackers can find these obscure and often vulnerable services by using a system that was built to protect users from fraudulent certificates.
What Is Certificate Transparency?
Certificates are issued by certificate authorities to companies that operate online services, in order to protect users from fraudulent websites. In 2011, the limits of how well certificates protect users were exposed by attacks against the certificate authorities Comodo and DigiNotar. Because the fraudulent certificates took a long time to detect, Certificate Transparency (CT) logs were created to give users better visibility into which certificates have been issued.
Facebook has used CT logs to detect misissued TLS certificates and prevent them from being used to intercept HTTPS traffic. This success led them to publish a CT monitoring tool for the public, with the ability to "subscribe" to a domain and quickly see newly logged certificates for it.
Ironically, releasing this tool directly resulted in several bug bounty reports about Facebook test servers that did not have the same authorization checks as production servers, potentially giving free access to all sorts of information. This perfectly illustrates how CT logs can uncover an unintended amount of information about an enterprise while they identify domains with fraudulent certificates.
Hidden subdomains can reveal things like employee login pages, the web applications in use, domains reachable only through an internal DNS server, and old or deleted domains. While we could use Facebook's online CT monitoring tool to find hidden subdomains, we will use a local tool for more anonymity. It's called CT-Exposer, a Python OSINT scanner that can easily be run on any platform. It does not show as much data as the Facebook tool and does not return as many results, but the information is much easier to sift through.
What You Need
To get started with CT-Exposer, make sure that Python 3 is installed on your computer. If you do not have it, you can download it from the Python website. Once Python is installed, you can check that you have the correct version by typing python3 in a terminal window. If the output resembles the following, you should be fine. Type quit() after the >>> prompt to exit.
python3
Python 3.6.4 (v3.6.4:d48ecebad5, Dec 18 2017, 21:07:28)
[GCC 4.2.1 (Apple Inc. build 6996) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> quit()
If you are running Kali Linux, make sure you also update and upgrade your system with the following commands:
apt update
apt upgrade
Step 1: Download and Install the Requirements
Once Python is installed and your system is fully upgraded, navigate to the CT-Exposer GitHub page. Copy the URL under the "Clone or download" button and run git clone in a terminal window:
git clone https://github.com/chris408/ct-exposer.git
Once the files have finished downloading, change directory (cd) into the ct-exposer folder and install the requirements as follows:
cd ct-exposer
sudo pip3 install -r requirements.txt
Once the requirements are installed, you should be ready to go!
Step 2: Select Domain and Run Scan
To find out what CT logs can reveal, test a domain and see what information is visible from an attacker's perspective. To get started, try priceline.com.
The main domain here is priceline.com, so run CT-Exposer on it to see what you can find. Make sure you are in the ct-exposer folder. Once there, run the following command to scan the Certificate Transparency logs for the domain priceline.com:
python3 ct-exposer.py -d priceline.com
Step 3: Break Down and Interpret the Scan
The output below shows the results of the priceline.com scan. Impressive! There are many results, but how are they useful?
sudo python3 ct-exposer.py -d priceline.com
[+]: Downloading domain list...
[+]: Download of domain list complete.
[+]: Parsing 33 domain(s) from list.
[+]: Domains found:
23.23.126.26 admin.groupcommerce.com
178.250.2.116 app-install.priceline.com
35.241.46.146 appinstall.priceline.com
64.6.22.95 bomgar.corp.priceline.com
161.47.16.153 career.priceline.com
209.202.133.98 cruises.priceline.com
64.6.22.95 dealreveal.corp.priceline.com
69.195.35.215 enet.qahotelportal.priceline.com
151.101.196.65 g.ssl.fastly.net
185.28.222.22 h.priceline.com
185.28.222.21 hsecure.priceline.com
64.6.22.100 mail.corp.priceline.com
104.196.14.36 media.priceline.com
64.6.22.95 phantom.corp.priceline.com
104.131.82.197 picme.priceline.com
151.101.196.204 priceline.map.fastly.net
69.195.35.246 qahotelportal.priceline.com
64.6.22.95 splunkes.corp.priceline.com
64.6.22.95 ssh.corp.priceline.com
69.195.35.226 travela.a1.qa.priceline.com
64.6.21.26 travela.priceline.com
69.195.35.166 www.a1.dev.priceline.com
69.195.35.245 www.a1.qa.priceline.com
64.6.23.56 www.a309.corp.priceline.com
69.195.35.167 www.b1.dev.priceline.com
151.101.130.186 www.priceline.com
69.195.35.143 www.qaa.priceline.com
[+]: Domains with no DNS entry:
none en.hotelportal.priceline.com
none fs.corp.priceline.com
none pcln04.corp.priceline.com
none rsecure.priceline.com
none secure.priceline.com
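A list like the one above is also exactly what a defender wants to see for their own domain: every hostname the CT logs associate with it, which of those resolve publicly, and which names (resolving or not) carry labels such as corp, qa or dev that suggest infrastructure never meant to be public. The following script is an added example and not ct-exposer's own code. It assumes a crt.sh-style JSON result (one object per certificate, subject names newline-separated in "name_value"); the records, the INTERNAL_HINTS list and the offline resolver table are constructed for this example so that it runs without network access, and a real run would pass socket.gethostbyname (the default) as the resolver.

```python
"""Triage a Certificate Transparency search result for one domain:
extract the hostnames it names, split them into publicly resolvable and
non-resolvable, and flag labels that hint at internal infrastructure.

Added example, not ct-exposer's own code. The CT records below are
constructed and mimic the shape of crt.sh's JSON output (assumption).
"""
import json
import socket

# Constructed sample: what a CT search for example.com might return.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "O=Example CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "O=Example CA", "name_value": "*.corp.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "mail.corp.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "WWW.Example.com"},  # case variant
    {"issuer_name": "O=Example CA", "name_value": "qa.example.com\ncdn.other-vendor.net"},
])

# Labels that usually mark infrastructure not meant for the public (assumed list).
INTERNAL_HINTS = {"corp", "internal", "intranet", "qa", "dev", "staging", "test", "vpn"}

# Constructed answers for an offline run; a real run uses socket.gethostbyname.
OFFLINE_TABLE = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "qa.example.com": "203.0.113.20",
}


def offline_resolver(hostname):
    """Stand-in resolver that only knows the constructed table above."""
    try:
        return OFFLINE_TABLE[hostname]
    except KeyError:
        raise OSError(f"no public DNS record for {hostname}") from None


def extract_hostnames(ct_json, domain, include_foreign=False):
    """Return the sorted, de-duplicated hostnames named in the CT records.

    Names are lower-cased, a leading '*.' is stripped so a wildcard
    certificate still contributes its zone to the inventory, and names
    outside `domain` (SAN neighbours such as a CDN host) are dropped
    unless include_foreign is set.
    """
    domain = domain.lower()
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name:
                continue
            in_scope = name == domain or name.endswith("." + domain)
            if in_scope or include_foreign:
                found.add(name)
    return sorted(found)


def classify(hostnames, resolve=socket.gethostbyname):
    """Split hostnames into {name: ip} for names a public resolver answers
    and a list of names it does not; the latter often sit in internal-only
    DNS zones, which is itself information about the network."""
    resolved, unresolved = {}, []
    for name in hostnames:
        try:
            resolved[name] = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.append(name)
    return resolved, unresolved


def flag_internal(hostnames):
    """Hostnames whose labels match INTERNAL_HINTS, for follow-up review."""
    return sorted(h for h in hostnames if INTERNAL_HINTS & set(h.split(".")))


if __name__ == "__main__":
    names = extract_hostnames(SAMPLE_CT_JSON, "example.com")
    resolved, unresolved = classify(names, resolve=offline_resolver)
    print("[+]: Domains found:")
    for name, ip in resolved.items():
        print(f"{ip}\t{name}")
    print("[+]: Domains with no DNS entry:")
    for name in unresolved:
        print(f"none\t{name}")
    print("[+]: Names worth checking for unintended exposure:")
    for name in flag_internal(names):
        print(f"\t{name}")
```

The scan output on this page includes SAN neighbours that are not Priceline hostnames at all (the fastly.net and groupcommerce.com entries); those are certificates shared with a CDN or a partner, which extract_hostnames drops unless include_foreign=True is passed. The non-resolving names are worth as much attention as the resolving ones: a name such as fs.corp.priceline.com tells a defender that an internal zone's naming scheme is already public, even though the host itself is not reachable.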
Example 1: Subdomains That Do Not Resolve in DNS
You can try navigating to the various subdomains shown. If one does not resolve, it can mean one of several things. One possibility is that you are trying to reach an internal service, which requires being connected to an internal DNS server. For example, when you try to navigate to mail.corp.priceline.com in your web browser, you may see the following:
This is different from what you see when the page you want simply does not exist. The service is there; you just can't reach it through public DNS. For a red team or an attacker, a piece of internal infrastructure has just been discovered. A simple Nmap scan shows a Microsoft IIS/8.5 server at this address.
Example 2: Subdomains That Do Resolve in DNS
Some subdomains do resolve and are not secret at all. For an attacker, however, they can still offer an early entry point for exploring a possible attack path.
For an example, look at the careers subdomain at careers.priceline.com. As an attacker, I've just learned what kind of resume I need to copy and paste into these job postings to get the attention of an HR employee at Priceline. Maybe I can even get them to open a PDF resume with an exploit, but even if they use an outsourced hiring company, by reading the job requirements carefully I can learn the physical locations they work from and the types of systems they use.