# Use Crt.Sh To Identify Domains And Sub-Domains That Belong To An Organization ## Background: Every Certificate Transparency log is a record of all publicly trusted digital certificates. The main goal of Certificate Transparency is to provide a publicly available system of logs, where any domain owner can verify whether a certificate was issued by a trusted CA or issued maliciously, and to prevent users from being tricked by any fraudulent certificates. Crt.sh is a great online tool for finding the DNS information for a domain or subdomain. It can also help identify the domain's owner and contact information. To use Crt.sh, simply enter the domain name or subdomain you want to lookup into the search bar on the home page. Crt.sh will then display all of the DNS information for that domain, including the domain's owner and contact information. ## Exercise: crt.sh monitors and records Certificate Transparency logs. Use crt.sh to identify domains and sub-domains that belong to an organization. ## Example: Using the domain [monkeytype.com](http://monkeytype.com), I looked to see all of the subdomains that belong to the organization. ![](https://1305929913-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlapqrpN4sXz7jqsMPRUD%2Fuploads%2FgVxtIt6Ljiwwp7o6Rlqj%2Fimage.png?alt=media\&token=92f3d897-5564-4718-9c07-4275caa9d0e7) Editing [andrewsmhay](https://github.com/andrewsmhay/CrtShcrape/blob/main/CrtShcrape.ipynb)'s github slightly, I was able to query this site, as well as output all the sub domains using a python script. ### Script: {% code overflow="wrap" lineNumbers="true" %} ````python ``` # Copyright (c) 2021 Andrew Hay import requests from bs4 import BeautifulSoup import pandas as pd import numpy as np #Setting the domain and the request domain = 'monkeytype.com' payload = {'q': domain} req = requests.get('https://crt.sh/?', params=payload) #Defining the Parser soup = BeautifulSoup(req.text) tbody = soup.find_all("table")[2] td_list = tbody.find_all("td") features="html.parser" pyt itlist = [] for i in td_list: itlist.append(i.text) itlist = np.asarray(itlist) itlist = np.split(itlist, len(itlist)/7) #Gathering the columns that were parsed df = pd.DataFrame(itlist, columns = ['crt.sh ID','Logged At','Not Before','Not After','Common Name','Matching Identities','Issuer Name']) print('Rows: ', len(df)) df = df.drop_duplicates(subset=['Common Name']) print('Rows: ', len(df)) #Print out the domain name print(df['Common Name'].to_csv(index=False, header=False)) ``` ```` {% endcode %} ### Output: ![](https://1305929913-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlapqrpN4sXz7jqsMPRUD%2Fuploads%2F7K1j5ZVN6YvwYVBiNWVU%2Fimage.png?alt=media\&token=23ece6a4-af54-43ca-96ac-ae778a70a959) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dthomsen.gitbook.io/mcsi/passive-network-reconnaissance/use-crt.sh-to-identify-domains-and-sub-domains-that-belong-to-an-organization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.