During reconnaissance of a target organization, you have only the registered root domain. To expand your attack surface, you need a source that enumerates subdomains embedded in TLS certificates issued for that organization by monitoring certificate transparency logs. Which resource will provide this information most efficiently?
Installing the Wappalyzer browser extension to fingerprint visited pages
Using netcat to connect to port 443 and inspect Server Name Indication responses
Running a Google site:example.com dork against public search results
Searching the crt.sh certificate transparency database
Certificate transparency (CT) logs publicly record the vast majority of browser-trusted TLS certificates that certificate authorities issue, though a few exclusions still exist. Because each certificate lists the fully qualified domain names it secures-now placed primarily in the Subject Alternative Name field-searching CT data is an efficient way to uncover additional hostnames for a target organization. The crt.sh web interface is purpose-built for querying CT logs, enabling an assessor to pull all certificates (and therefore subdomains) related to a domain with a single search. A Google site: query relies on what content the search engine has crawled and often misses hosts that never serve indexable pages. Netcat probing of port 443 without specifying an SNI value reveals only the default certificate, not the many additional names on other virtual hosts. Wappalyzer focuses on identifying technology stacks of pages you already know about and does not enumerate unseen subdomains. Consequently, crt.sh is the most effective resource for this reconnaissance step.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are certificate transparency logs?
Open an interactive chat with Bash
How does crt.sh work for subdomain enumeration?
Open an interactive chat with Bash
What is the Subject Alternative Name field in a certificate?
Open an interactive chat with Bash
What is crt.sh and why is it used for reconnaissance?
Open an interactive chat with Bash
How does Certificate Transparency logging help in ethical hacking?
Open an interactive chat with Bash
Why do other methods like Google dorks or Wappalyzer fall short for subdomain enumeration?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .