At our crypto service discovery site discovery.cryptosense.com you don't have to enter the fully qualified domain name of a server to test (like www.mydomain.com); you can just enter a partial name like mydomain.com and the tool will query DNS records to look for machines.
Previously, we did this by guessing common hostnames like vpn.mydomain.com. Recently, we added a feature that queries certificate transparency logs for certificates issued to names under the domain, which picks up every hostname a public CA has put into a logged certificate, including the extra names in the Subject Alternative Name extension. This results in much better coverage of machines. One caveat: the logs are a historical record, so they also return names whose certificates have expired or which no longer resolve, and wildcard names such as *.mydomain.com, none of which give you a host to connect to. The example screenshot below shows part of the results when querying for
Once you've got the list, discovery scans all the machines for crypto services, including TLS, STARTTLS (SMTP, IMAP, ...) and SSH. If you create a free account, you can add all these machines to the list you monitor and sort them by result to spot misconfigured servers quickly.
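To make the enumeration step concrete, here is an added example (not the discovery tool's own code) that turns certificate transparency records into a list of hosts worth scanning. It assumes records in the JSON shape returned by crt.sh's search API (a list of objects whose "name_value" field holds newline-separated DNS names); the records and the DNS answers below are constructed for the example. It shows the checks a practitioner needs along the way: a label-aligned suffix test so look-alike domains and unrelated SANs are dropped, case and trailing-dot normalisation so duplicates collapse, wildcard names kept aside, expired-only names flagged, and names that no longer resolve discarded before scanning.

```python
"""Enumerate scan targets for a domain from certificate transparency records.

Added illustration, not the discovery tool's own code. It assumes records in
the JSON shape returned by crt.sh's search API (a list of objects whose
"name_value" holds newline-separated DNS names); the records and the DNS
table below are constructed for the example.
"""
import json
import socket
from datetime import datetime, timezone

# Constructed sample, shaped like a crt.sh JSON response (assumption).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "www.mydomain.com",
     "name_value": "www.mydomain.com\nmydomain.com",
     "not_after": "2099-01-01T00:00:00"},
    {"id": 2, "common_name": "vpn.mydomain.com",
     "name_value": "vpn.mydomain.com",
     "not_after": "2099-01-01T00:00:00"},
    {"id": 3, "common_name": "*.mydomain.com",           # wildcard: no host to scan
     "name_value": "*.mydomain.com\nmydomain.com",
     "not_after": "2099-01-01T00:00:00"},
    {"id": 4, "common_name": "old-mail.mydomain.com",    # expired: host may be gone
     "name_value": "old-mail.mydomain.com",
     "not_after": "2015-01-01T00:00:00"},
    {"id": 5, "common_name": "www.notmydomain.com",      # look-alike names, out of scope
     "name_value": "www.notmydomain.com\nmydomain.com.evil.example",
     "not_after": "2099-01-01T00:00:00"},
    {"id": 6, "common_name": "WWW.MyDomain.com",         # case and trailing dot differ
     "name_value": "WWW.MyDomain.com.",
     "not_after": "2099-01-01T00:00:00"},
])

# Constructed DNS answers standing in for real resolution (assumption).
FAKE_DNS = {
    "mydomain.com": "192.0.2.10",
    "www.mydomain.com": "192.0.2.10",
    "vpn.mydomain.com": "192.0.2.20",
}


def normalise(name):
    """Lower-case and strip the trailing dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")


def in_scope(name, domain):
    """True only for the domain itself or a label-aligned subdomain.

    The leading dot matters: 'www.notmydomain.com' ends with 'mydomain.com'
    but not with '.mydomain.com'.
    """
    return name == domain or name.endswith("." + domain)


def hostnames_from_ct(ct_json, domain, now=None):
    """Map every in-scope hostname to the certificate ids that name it.

    Wildcard names are returned separately: they prove the zone exists but
    give no host to connect to. 'current_cert' is False when every logged
    certificate for the name has expired, a hint that the host may be stale.
    """
    now = now or datetime.now(timezone.utc)
    domain = normalise(domain)
    hosts, wildcards = {}, set()
    for rec in json.loads(ct_json):
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        expired = not_after < now
        for raw in rec["name_value"].split("\n"):
            name = normalise(raw)
            if not in_scope(name, domain):
                continue  # a SAN in the same cert can name an unrelated domain
            if name.startswith("*."):
                wildcards.add(name)
                continue
            entry = hosts.setdefault(name, {"cert_ids": [], "current_cert": False})
            entry["cert_ids"].append(rec["id"])
            entry["current_cert"] = entry["current_cert"] or not expired
    return hosts, sorted(wildcards)


def table_resolver(table):
    """Resolver that answers from a dict and fails like DNS for unknown names."""
    def resolve(name):
        if name not in table:
            raise OSError("NXDOMAIN: " + name)
        return table[name]
    return resolve


def scan_targets(hosts, resolve=socket.gethostbyname):
    """CT is a historical record, so keep only names that still resolve."""
    targets = {}
    for name in sorted(hosts):
        try:
            targets[name] = resolve(name)
        except OSError:  # socket.gaierror is an OSError subclass
            pass  # certificate outlived the host; nothing to scan
    return targets


if __name__ == "__main__":
    hosts, wildcards = hostnames_from_ct(SAMPLE_CT_JSON, "MyDomain.com")
    for name, info in sorted(hosts.items()):
        print(f"{name:28} certs={info['cert_ids']} current={info['current_cert']}")
    print("wildcards (not scannable):", wildcards)
    print("scan targets:", scan_targets(hosts, table_resolver(FAKE_DNS)))
```

Against real data you would fetch the JSON from the CT search API and pass the default socket.gethostbyname as the resolver; the constructed table is only there so the example runs offline. Note that old-mail.mydomain.com survives enumeration (it carries a real, if expired, certificate) but is dropped at the resolution step, which is the behaviour you want: expired certificates still tell you a host once existed, but only names that resolve can be scanned.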
Some domains have thousands of certificates in the logs. In the free online version of discovery, we time out the query to the certificate transparency server and only return a limited number of results. If you operate a lot of machines and are interested in trying a free discovery account with all your machines pre-loaded, get in touch and we'd be happy to set it up.