Find new domains of a company using SSL Certificates - Bug Bounty Recon

crt.sh

crt.sh is best website to fetch domains or subdomains with the help of Domain name, Organisation Name, SSL Certificate Fingerprint, etc.

You can directly search domain name on this website to fetch subdomains

Use this to find Domains of an Organisation in json format

  https://crt.sh/?O=Sony&output=json 
  https://crt.sh/?q=Sony&output=json

Search SSL Certificates Thumbprint:-

You can get SSL Certificate Thumbprint value from Virustotal Relations tab


https://crt.sh/?q=f3cd41a6035ba1b1be1670386918893734363e53

Google Certificate Transparency Monitoring

This is also a best website to search for all domains related to SSL Certificates. It will return so many domains including duplicates, so you will have to remove duplicates. I have created a python tool to fetch all domains/subdomains of a domain from this website and gives you unique result.

Python Script:-

https://github.com/rook1337/googlecertfarm


Facebook Certificate Transparency Monitoring

Facebook also provides this service and it provides email notification feature which mean if any new domain/subdomain is added to any SSL certificate, it will notify you through your email.

  • Search any domain in the search field

  • You can subscribe to any domain for email notification in subscriptions tab


Censys

This is web based and cli-based service which can be used to find new domains/subdomains of any domain or Organisation name.

Use this query in Search field to search for domains based on organisation name:-

parsed.issuer.organization.raw: "Apple Inc."

Enter domain name in search field for normal result:-

For Cli-based queries, check this post




Follow me on twitter for updates

https://twitter.com/imrook1337






1,773 views0 comments