Certificate Transparency Logs
Certificate Transparency monitors and logs digital certs. This is publicly correlated in a searchable log. Using Certificate Transparency logs you may be able to find additional subdomains or other top level domains.
You could also search on a disclosed internal hostname from things such as e-mail headers and find the publicly accessible URL associated with this machine or other machines that share the internal domain (hostname01.domain.local, hostname02.domain.local) by looking at the x509v3 extension data.
External services
| Service | info |
|---|---|
| crt.sh | crt.sh |
Example
We somehow found out that the internal hostname use domain.local in their FQDN. We can use crt.sh to potentially find public accessible URLS associated with these machines.
Searching for domain.local
Inspecting the x509v3 data show external hostnames.
Which leads us to a public accessible server.
Related pages
| Name | Description |
|---|