Cool Query of the Week for July 25, 2024: Recently-issued certs on login pages


MattK_Censys

This week we’ve got a complex query that leverages our relative time variables to identify recently-issued (within the last 6 hours) certificates that are present on hosts with exposed login pages. Certs like this could be used to impersonate an organization for phishing or MITM attacks. Thanks to Morgan on our team for highlighting it.

services: ((tls.certificate.ct.entries.value.added_to_ct_at: [now-6h to *]) and (labels: login-page))

Combine this query with fields like the following to look for hosts that could be used to impersonate a specific organization or service.

  • dns.names: [orgname][.]com
  • services.tls.certificate.names: [orgname][.]com
  • services.tls.certificate.parsed.subject.organization: "Org Name"
  • services.http.response.html_title: *[orgname]*
  • whois.organization.name: "Org Name"
  • whois.organization.tech_contacts.email: *@[orgname][.]com

This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!
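
For triaging exported results offline, the same conditions can be applied client-side. This is an added example, not part of the original post or Censys code: the record layout is a simplified, constructed structure mirroring the field paths above, all function names are hypothetical, and it assumes the grouped `services: (...)` clause means both conditions hold on the same service.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=6)  # mirrors the now-6h lower bound in the query

def logged_recently(svc, now):
    """True if any CT entry on the service's certificate was added within WINDOW."""
    entries = svc.get("tls", {}).get("certificate", {}).get("ct", {}).get("entries", {})
    stamps = (e.get("added_to_ct_at") for e in entries.values())
    return any(datetime.fromisoformat(s) >= now - WINDOW for s in stamps if s)

def pivots(svc, org, domain):
    """Which of the post's organization pivots this service satisfies."""
    names = svc.get("tls", {}).get("certificate", {}).get("names", [])
    title = svc.get("http", {}).get("response", {}).get("html_title", "")
    found = []
    if any(n.lower() == domain or n.lower().endswith("." + domain) for n in names):
        found.append("certificate.names")
    if org.lower() in title.lower():
        found.append("html_title")
    return found

def triage(hosts, now, org, domain):
    """(ip, port, pivots) for login-page services with a fresh cert that match the org."""
    out = []
    for host in hosts:
        for svc in host.get("services", []):
            # Assumption: label and CT-age conditions must hold on the SAME service.
            if "login-page" in svc.get("labels", []) and logged_recently(svc, now):
                matched = pivots(svc, org, domain)
                if matched:
                    out.append((host["ip"], svc["port"], matched))
    return out

def cert(names, added):  # builds a constructed certificate record
    return {"certificate": {"names": names, "ct": {"entries": {"log-a": {"added_to_ct_at": added}}}}}

NOW = datetime(2024, 7, 25, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
HOSTS = [  # constructed sample records: documentation IPs and reserved domains only
    {"ip": "192.0.2.10", "services": [{"port": 443, "labels": ["login-page"],
        "tls": cert(["login.example.com"], "2024-07-25T10:00:00+00:00"),
        "http": {"response": {"html_title": "Example Sign In"}}}]},
    {"ip": "198.51.100.7", "services": [  # fresh cert and login page on different services
        {"port": 443, "labels": [], "tls": cert(["example.com"], "2024-07-25T11:00:00+00:00")},
        {"port": 8080, "labels": ["login-page"]}]},
    {"ip": "203.0.113.5", "services": [{"port": 443, "labels": ["login-page"],
        "tls": cert(["portal.example.net"], "2024-07-25T09:30:00+00:00")}]},
    {"ip": "192.0.2.20", "services": [{"port": 443, "labels": ["login-page"],
        "tls": cert(["example.com"], "2024-07-22T12:00:00+00:00")}]},  # cert older than 6h
]
```

Calling `triage(HOSTS, NOW, "Example", "example.com")` keeps only the first host; the others fail the same-service, organization or age condition.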
