Certificate Transparency Logs

Certificate Transparency monitors and logs digital certificates. This data is publicly collated in a searchable log. Using Certificate Transparency logs, you may be able to find additional subdomains or other top-level domains.

You could also search for a disclosed internal hostname, taken from sources such as e-mail headers, and find the publicly accessible URL associated with that machine, or with other machines that share the internal domain (hostname01.domain.local, hostname02.domain.local), by looking at the x509v3 extension data.

External services

Service info
crt.sh crt.sh

Example

We somehow found out that the internal hostnames use domain.local in their FQDN. We can use crt.sh to potentially find publicly accessible URLs associated with these machines.

Searching for domain.local

domain.local

Inspecting the x509v3 data shows external hostnames.

Public TLD associated with the hosts

This leads us to a publicly accessible server.

Public server
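
The correlation described above, turned into a check an organisation can run over CT records for its own certificates (an added example, not part of the original page): it reports each certificate whose names mix internal-only hostnames with public ones. The records are constructed, using the `common_name` and `name_value` fields of crt.sh's JSON output; the internal suffix list and the function names are assumptions.

```python
import json

# Constructed sample shaped like crt.sh JSON output: one record per logged
# certificate, with name_value holding the names separated by newlines.
SAMPLE_CT_RECORDS = json.loads(r"""
[
 {"id": 1001, "common_name": "mail.example.com",
  "name_value": "mail.example.com\nhostname01.domain.local\nhostname02.domain.local"},
 {"id": 1002, "common_name": "www.example.com",
  "name_value": "www.example.com\nexample.com"},
 {"id": 1003, "common_name": "HOSTNAME01.domain.local",
  "name_value": "hostname01.domain.local\nvpn.example.com\n*.example.com"}
]
""")

# Assumed list of internal-only suffixes; adjust to your own naming scheme.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")


def is_internal(name):
    """True for single-label names and names under an internal-only suffix."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def mixed_certs(records):
    """Return certificates whose names mix internal and public hostnames."""
    findings = []
    for rec in records:
        names = {n.strip().lower() for n in (rec.get("name_value") or "").splitlines()}
        names.add((rec.get("common_name") or "").strip().lower())
        names.discard("")
        internal = {n for n in names if is_internal(n)}
        public = names - internal
        if internal and public:
            findings.append({"id": rec.get("id"),
                             "internal": sorted(internal),
                             "public": sorted(public)})
    return findings


if __name__ == "__main__":
    for f in mixed_certs(SAMPLE_CT_RECORDS):
        print(f"cert {f['id']}: {', '.join(f['internal'])} exposed alongside "
              f"{', '.join(f['public'])}")
```

A flagged certificate ties an internal hostname to a public one in a public log; issuing internal names from a private CA keeps them out of CT.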
