Wednesday, January 15, 2020

Subdomain Recon Using Certificate Search Technique

Introduction

This enumeration step is taken from Nahamsec's recon video. It involves the following tools:

1. crt.sh
2. jq
3. httprobe
4. meg
5. aquatone or webscreenshot. I used the latter.

These techniques use the tools above in a particular order. First, crt.sh is queried, either from a script or directly on its website. It returns its results as JSON, which is where jq comes in: it parses the JSON into a readable list of names. The whole thing can be written as a one-liner script, which I have included in the steps below.

Meg is used to force browse the specific paths you are looking for, and aquatone or webscreenshot are used to index the output of the websites that were enumerated.

Steps

1. Save the following curl statement into an executable script, e.g. crt.sh:

#!/bin/bash
# Usage: crt.sh <domain>  -- list hostnames seen in certificates matching %.<domain>
[ -z "$1" ] && { echo "usage: $0 <domain>" >&2; exit 1; }
# jq pulls name_value (may hold several newline-separated names); sed strips
# wildcard prefixes and drops e-mail addresses; sort -u de-duplicates.
curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sed '/@/d' | sort -u


2. Run the script against the target:

$ crt.sh yahoo.com | tee out.txt | more

2013-en-imagenes.es.yahoo.com
3arrebni.yahoo.com
7-eleven.yahoo.com
a10.go.yahoo.com
a1.go.yahoo.com
a.analytics.yahoo.com
aat.answers.yahoo.com
ab.login.cn.yahoo.com
ab.login.yahoo.com
absnd.login.yahoo.com
ac4-as-cas01.ds.corp.yahoo.com
ac4-as-cas02.ds.corp.yahoo.com
ac4-as-isa01.ds.corp.yahoo.com
ac4-as-isa02.ds.corp.yahoo.com
academy.cc.corp.yahoo.com
academy-delivery.cc.corp.yahoo.com
academy-delivery-stage.cc.corp.yahoo.com
academy-rm.cc.corp.yahoo.com
academy-stage.cc.corp.yahoo.com
academy-stage-rm.cc.corp.yahoo.com
academy-stg.cc.corp.yahoo.com
accountlink.www.yahoo.com
accountlink.yahoo.com
--More--


4. Now run it through httprobe or Nmap to see whether HTTP or HTTPS is listening:

$ nmap -iL out.txt -p80,443 -oG out-nmap.txt

5. Inspect the output, strip the unwanted characters so that only one hostname remains per line, and let httprobe add the http:// and https:// prefixes to each live host:

$ cat out-nmap.txt | httprobe

http://2013-en-imagenes.es.yahoo.com
https://2013-en-imagenes.es.yahoo.com
http://accountlink.www.yahoo.com
http://accountlink.yahoo.com
https://accountlink.www.yahoo.com
https://accountlink.yahoo.com
--More--

6. Use meg to force browse the endpoint path you are looking for. In this case we are looking for the infamous Citrix NetScaler bug CVE-2019-19781. Don't forget the leading '/' in the search pattern:

$ meg '/*/vpns/cfg/smb.conf' out-format.txt out-dir

7. An out-dir directory is created, with an index file inside. Here is a sample from a run where I requested /index.html:

/tmp/out-dir$ cat index 
out-dir/media-router-fp2.prod1.media.vip.sg3.yahoo.com/3994ddc095f04708e6a476c7dbda6808cbcdbb8b https://media-router-fp2.prod1.media.vip.sg3.yahoo.com/index.html (301 Moved Permanently)
out-dir/o2.ycpi.vip.sg3.yahoo.com/a1426f50f9c785e28e51de89ba4d52d3e5ff014f https://o2.ycpi.vip.sg3.yahoo.com/index.html (404 Not Found on Accelerator)
out-dir/w2.src1.vip.sg3.yahoo.com/f6f9173b70df41d4ac99e337fdfd137fe4a21826 https://w2.src1.vip.sg3.yahoo.com/index.html (200 OK)
out-dir/e1.ycpi.vip.sgb.yahoo.com/b8eefa16ab7eaa1a3fa6099a5a8988dad15f2c91 https://e1.ycpi.vip.sgb.yahoo.com/index.html (404 Not Found on Accelerator)
out-dir/ats1.l7.search.vip.sg3.yahoo.com/a900373dc6d4aee1f0b10fbd26d5969287737970 https://ats1.l7.search.vip.sg3.yahoo.com/index.html (404 Not Found)
out-dir/media-router-omega1.prod.media.vip.gq1.yahoo.com/c6aef34813955ecc248a8b2401b60f1e30b7e766 https://media-router-omega1.prod.media.vip.gq1.yahoo.com/index.html (404 Not Found)
out-dir/w2.src1.vip.sg3.yahoo.com/a831e26d93084d96171fce67ed4aa3f5119c990d https://w2.src1.vip.sg3.yahoo.com/index.html (200 OK)
out-dir/w2.src1.vip.sg3.yahoo.com/0ed90c45f0ae3107247eaf312b35906dc2b946a0 https://w2.src1.vip.sg3.yahoo.com/index.html (200 OK)
out-dir/w2.src1.vip.sg3.yahoo.com/1eddab1986d57d5464cf60695d5efae6cf482400 https://w2.src1.vip.sg3.yahoo.com/index.html (200 OK)
out-dir/w2.src1.vip.sg3.yahoo.com/94edbc7e3226e5496b04039e3f26329eb5fb67d5 https://w2.src1.vip.sg3.yahoo.com/index.html (200 OK)


8. Lastly, examine the meg output for interesting responses, grep for the '200 OK' responses and use webscreenshot or aquatone to create a curated snapshot of each result. I won't document this step since it is rather straightforward.
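As an added offline example (not code from the original post or from any of the tools above), the following Python mirrors the two parsing steps of this pipeline: turning crt.sh's JSON into a hostname list the way the jq/sed pipeline in step 1 does, with an extra scope check (a matching certificate can carry SANs for unrelated domains), and filtering meg's index file for a given status code as in step 8. The crt.sh response and meg index lines are constructed sample data using example.com.

```python
import json
import re

# Constructed stand-in for a crt.sh '?q=%.example.com&output=json' response.
# name_value may hold several newline-separated names, wildcard entries
# and (from S/MIME certificates) e-mail addresses.
CRT_SH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.api.example.com"},
    {"name_value": "admin@example.com"},
    {"name_value": "WWW.example.com"},
    {"name_value": "example.com.attacker.test"},
])

# Constructed stand-in for meg's index file: <saved path> <url> (<status line>)
MEG_INDEX = """\
out-dir/www.example.com/3994ddc0 https://www.example.com/index.html (200 OK)
out-dir/api.example.com/a1426f50 https://api.example.com/index.html (404 Not Found)
out-dir/www.example.com/f6f9173b http://www.example.com/index.html (301 Moved Permanently)
"""


def hostnames_from_crtsh(raw_json, domain):
    """Same normalisation as the jq | sed | sort -u pipeline, plus a scope
    check that keeps only names inside the queried domain."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().replace("*.", "")  # sed 's/\*\.//g'
            if not name or "@" in name:                    # sed '/@/d'
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)                                   # sort -u


MEG_LINE = re.compile(r"^(\S+) (\S+) \((\d{3}) ([^)]*)\)$")


def meg_hits(index_text, status="200"):
    """Return (url, saved response path) for index lines with that status."""
    hits = []
    for line in index_text.splitlines():
        m = MEG_LINE.match(line)
        if m and m.group(3) == status:
            hits.append((m.group(2), m.group(1)))
    return hits
```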

Summary

The technique above can be used to enumerate HTTP or HTTPS endpoints for specific paths or files. You may also force browse with a wordlist using tools like gobuster or dirb, but that takes more time. If you know the exact files or directories you want, this technique is faster. Either way, you can still use your favourite tools by building your own wordlist from the crt.sh output. The point here is to scrape subdomains from certificate search.