In cybersecurity, mainly in bug bounty work or when hunting for vulnerabilities in subdomains, certain terms are commonly used. One of the most important terms to know is Certificate Transparency, which plays a crucial role in a website’s security by keeping a record of the valid SSL/TLS certificates issued for authorized and trusted websites. These certificates establish a trustworthy connection to the user, and tracking them in the CT (Certificate Transparency) logs helps identify the subdomains associated with a domain.
Let’s discuss the relationship between Certificate Transparency and subdomain enumeration by unveiling the remarkable benefits of the MerkleMap tool.
Certificate Transparency Logs (CT Logs) and Subdomain Enumeration
Certificate Transparency Logs (CT Logs) are publicly available records of certificates for different domains that are issued by Certificate Authorities (CAs).
Certificate Transparency logs are a valuable resource for discovering subdomains and monitoring domain security in bug bounty work and during security audits.
Use Cases of CT Logs:
- Open Auditing System: An open auditing system is a publicly accessible system where anyone can inspect, monitor, and verify specific content.
- Track SSL/TLS Certificates: SSL/TLS Certificates are cryptographic credentials used to establish secure connections between web browsers and servers through HTTPS.
MerkleMap for Subdomain Enumeration
MerkleMap is highly effective in finding CT Logs and is commonly used by bug bounty hunters and penetration testers to validate the CT logs of any website, conveniently providing a full attack surface of any domain. MerkleMap is completely built using the Rust language.
MerkleMap is available in two forms:
- MerkleMap Website (https://www.MerkleMap.com): The MerkleMap website is the best way to find CT Logs and perform subdomain enumeration within seconds (80ms per entry).
- MerkleMap CLI: The MerkleMap command-line interface is also available, which is useful for finding and retrieving results in JSON format via the terminal, without opening a browser. For example:
curl 'https://api.MerkleMap.com/live-domains?no_throttle=true'
Features of MerkleMap:
- User-Friendly UI: The MerkleMap website features an easy-to-use interface that helps in analyzing and generating large outputs easily.
- Intensive Subdomain Discovery: MerkleMap provides subdomain listings, including DNS records, SSL certificates, and publicly available information.
- Real-Time Results: MerkleMap provides results based on real-time data, ensuring that users receive up-to-date information.
- Customizable Search Queries: You can use wildcards (*) in your search or use the prefix = for exact matches.
- Extensive CT Logs: MerkleMap provides the maximum CT logs of all subdomains compared to any other website.
Using MerkleMap for Subdomain Enumeration:
- Expanded Attack Surface: Additional services hosted on subdomains (e.g., development/dev, admin, APIs, etc.) can be poorly secured or outdated.
- Cross-Link Analysis: Large and complex organizations with multiple domains may have connected domains or infrastructure. Using MerkleMap can help analyze connections between certificates, hosts, or services.
- Forgotten Assets: Organizations often overlook old subdomains, leaving abandoned subdomains that can pose serious security issues and make a prime target for an attacker.
- Weak Security: Subdomains may have outdated TLS/SSL certificates, misconfigured CORS, or unpatched software, resulting in security compromises.
- Sensitive Data: Uncovering exposed subdomains can sometimes reveal sensitive files, credentials, API keys, etc., providing attackers with a foothold.
Why Subdomain Enumeration Is Important:
- Exposing Hidden Attack Surfaces: Finding subdomains, especially those used for testing or development purposes, can reduce an organization’s attack surface.
- Preventing Subdomain Takeovers: Any unmonitored or improperly decommissioned subdomain can be taken over by malicious actors, who may then use it for phishing or scamming.
- In-Depth Subdomain Security Coverage: Frequent subdomain enumeration ensures that all assets linked to a domain are included in security assessments. This helps prevent the inadvertent exposure of internal assets, staging environments, or third-party services.
MerkleMap’s Main Goal
MerkleMap’s main goal is to help users uncover hidden subdomains or expired SSL/TLS certificates, which could pose security risks if left unmonitored or unpatched.
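One way to act on this for a domain you own is to compare the hostnames seen in CT records against your asset inventory and flag hosts whose newest certificate has expired. The script below is an added example, not code from MerkleMap or the original article; the record fields (names, not_after), the sample data and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records. The field names (names, not_after) are an assumed
# shape for this example, not the output format of MerkleMap or of any CT log.
SAMPLE_CT_RECORDS = [
    {"names": ["example.com", "www.example.com"], "not_after": "2030-01-01T00:00:00+00:00"},
    {"names": ["*.dev.example.com", "API.example.com."], "not_after": "2030-06-01T00:00:00+00:00"},
    {"names": ["old-shop.example.com"], "not_after": "2021-03-15T00:00:00+00:00"},
    {"names": ["example.com.evil.test", "notexample.com"], "not_after": "2030-01-01T00:00:00+00:00"},
]

def normalize(name):
    """Lower-case, drop a trailing dot, and reduce a wildcard to its parent zone."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name, domain):
    """True only for the domain itself or a real subdomain (label-boundary match)."""
    return name == domain or name.endswith("." + domain)

def build_inventory(records, domain):
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    latest = {}
    for rec in records:
        expiry = datetime.fromisoformat(rec["not_after"])
        for raw in rec["names"]:
            host = normalize(raw)
            if in_scope(host, domain) and (host not in latest or expiry > latest[host]):
                latest[host] = expiry
    return latest

def audit(records, domain, known_hosts, now):
    """Return (hosts missing from the asset inventory, hosts whose newest cert expired)."""
    latest = build_inventory(records, domain)
    unknown = sorted(h for h in latest if h not in known_hosts)
    expired = sorted(h for h, exp in latest.items() if exp < now)
    return unknown, expired

if __name__ == "__main__":
    known = {"example.com", "www.example.com", "api.example.com"}  # constructed inventory
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed date so the output is repeatable
    unknown, expired = audit(SAMPLE_CT_RECORDS, "example.com", known, now)
    print("not in inventory:", unknown)
    print("newest certificate expired:", expired)
```

The label-boundary check in in_scope is what keeps look-alike names such as notexample.com or example.com.evil.test out of the inventory.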