We at Girls Learn Cyber (GLC) have been learning how to use certificate transparency logs for reconnaissance. Crt. sh is one of many tools that allow you to search these types of logs.
Certificates "bind a public cryptographic key to a domain name, similar to how a passport brings together a person's photo and name" (CertificateTransparency.Dev).
Certificate Authorities (CAs) issue certificates to domain owners to make sure domains are run by the appropriate domain owners. Without certificates, anyone could claim that they run any domain and there would be a large scale lack of security.
One way to monitor certificates and the certificate issuing process is via certificate transparency (CT). According to DigiCert , CT is "an open framework of logs, monitors, and auditors created to help domain owners oversee digital certificates issued for their brands. CT logs help domain owners protect their brand by providing a way to find misissued or rogue certificates more easily. Certificate-issuing entities, like CAs, log certificates to comply with standards."
Crt.sh represents a searchable database of certificate transparency logs. We can use information from certificate transparency logs for recon.
Go to the Crt.sh search box and enter in a selected domain name.
Check out the results in the "Common Name" column for unique subdomain names.
Also check out the "Matching Identities" column for unique subdomain names.
Click on a select crt.sh_ID to review more data about a certificate (such as subdomain names under the "Subject Alternative Name" field).
Back on the main results screen, click the "Issuer Name" column heading to sort this column. This can help you find certificates grouped together by interesting issuers like a government agency.
We have found that Crt.sh to be a great source for finding subdomains of a target organization. To learn more about certificate transparency check out this guide: https://certificate.transparency.dev/howctworks/