Subdomain Finder

Enumerate subdomains of a target domain using public Certificate Transparency logs (crt.sh and certspotter). Great for mapping an organisation's attack surface.

What is a subdomain finder?

A subdomain finder discovers the subdomains that belong to a root domain — names like mail.example.com, vpn.example.com or staging.example.com. Mapping these is a core step in reconnaissance, because each subdomain is a potential entry point and together they describe an organisation's public attack surface.

This tool uses passive enumeration via Certificate Transparency (CT) logs rather than noisy brute-force scanning. Whenever a publicly trusted CA issues a TLS certificate for a site, the hostnames in that certificate are recorded in public CT logs. By querying sources like crt.sh and Cert Spotter, we can list subdomains that have ever had a certificate — quietly, without sending a single packet to the target.

Why Certificate Transparency works so well

Certificate Transparency was introduced to detect mis-issued certificates, but it has become one of the most reliable OSINT sources for subdomain discovery. Because virtually every public HTTPS site needs a certificate, and browsers require publicly trusted certificates to be logged, CT logs capture subdomains that wordlist-based scanners would miss — including short-lived staging and admin hosts.

Passive discovery is also stealthy and legal: you are reading public logs, not probing the target's servers. That makes it ideal for early-stage reconnaissance, bug-bounty scoping and attack-surface monitoring.

Using the results responsibly

The output is a deduplicated, sorted list of subdomains with quick links to visit each one. Use it to understand how an organisation is structured, to find forgotten or development hosts, and to monitor for new infrastructure over time.
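The merge-and-clean step described above, as an added example that is not the tool's own code. It works offline on constructed sample responses that mirror the JSON shapes of crt.sh's JSON output (newline-separated names in `name_value`) and Cert Spotter's issuances API (a `dns_names` list), normalises wildcard and mixed-case entries, discards lookalike names outside the root, and returns the deduplicated, sorted subdomain list.

```python
import json
import re

# Constructed sample responses (not real CT data) in the shape returned by
# crt.sh JSON output and by Cert Spotter's issuances endpoint.
CRTSH_SAMPLE = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com\nSTAGING.example.com"},
    {"id": 3, "common_name": "vpn.example.com.", "name_value": "vpn.example.com."},
    # Lookalike that merely starts with the root: must be dropped.
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])
CERTSPOTTER_SAMPLE = json.dumps([
    {"id": "9", "dns_names": ["mail.example.com", "Mail.Example.COM"]},
])

# Labels of 1-63 chars from [a-z0-9-], not starting with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.(?!-)[a-z0-9-]{1,63})*$")


def normalize(name: str, root: str):
    """Lowercase, strip a wildcard prefix and trailing dot, and return the
    name only if it is a well-formed hostname strictly under ``root``."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not HOSTNAME_RE.match(name) or not name.endswith("." + root):
        return None
    return name


def names_from_crtsh(raw: str):
    for record in json.loads(raw):
        yield from record.get("name_value", "").split("\n")
        yield record.get("common_name", "")


def names_from_certspotter(raw: str):
    for issuance in json.loads(raw):
        yield from issuance.get("dns_names", [])


def enumerate_subdomains(root: str, crtsh_raw: str, certspotter_raw: str) -> list:
    """Merge both sources into a deduplicated, sorted list of in-scope subdomains."""
    root = root.lower().rstrip(".")
    candidates = list(names_from_crtsh(crtsh_raw)) + list(names_from_certspotter(certspotter_raw))
    return sorted({n for n in (normalize(c, root) for c in candidates) if n})


if __name__ == "__main__":
    print("\n".join(enumerate_subdomains("example.com", CRTSH_SAMPLE, CERTSPOTTER_SAMPLE)))
```

Keeping the sorted output from each run lets you diff against the previous snapshot to spot newly certified hosts, which is the monitoring use the text describes.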

Only test systems you own or are explicitly authorised to assess. Discovering a subdomain is passive and harmless, but actively scanning or attacking it without permission may be illegal.

// Frequently asked questions

How does this find subdomains without scanning?

It reads public Certificate Transparency logs (crt.sh and Cert Spotter). Any subdomain that has had an SSL certificate is recorded there, so no active scanning is needed.

Will it find every subdomain?

It finds subdomains that have appeared in CT logs, which is most public HTTPS hosts. Internal hosts that never had a public certificate may not appear.

Is using a subdomain finder legal?

Passive discovery via public logs is legal. Actively scanning or attacking the discovered hosts without authorisation is not — only test what you own or are permitted to assess.

Why did I get zero results?

Brand-new domains, or domains with no public HTTPS certificates, may have nothing logged yet. The CT sources can also be briefly unavailable.

What is the difference between passive and active enumeration?

Passive enumeration reads existing public data (like CT logs) without touching the target. Active enumeration sends DNS queries or requests to the target, which is noisier and may need permission.