# **Basic Information** # **Certificate Transparency Logs** - Possible subdomains can be extracted from SSL certificates - All issued digital certificates must be maintained in audit-proofed logs known as certificate transparency logs. [crt.sh](https://crt.sh/) can be used to view these logs - To compile a list of subdomains use `curl` and some JSON magic ```bash # replace the with the target domain # gather a list of subdomains, replace <target_domain> curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u # identify which subdomains have an associated IP for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done # run the identified IPs through Shodan for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done for i in $(cat ip-addresses.txt);do shodan host $i;done ``` # **DNS Records** ```bash # replace the with the target domain dig any inlanefreight.com ``` # **References** - [crt.sh](https://crt.sh/) - [shodan.io](https://www.shodan.io/dashboard) - [domain.glass](https://domain.glass/) # **Practical Application** | Platform | Name | Notes | | -------- | ---- | ----- | | | | |