Tool
Subdomain Finder
Enumerate subdomains from certificate transparency logs. No active scanning — purely passive OSINT.
About
What is Certificate Transparency?
Certificate Transparency (CT) is a public framework that requires every SSL/TLS certificate to be logged in a publicly verifiable, append-only log before browsers will trust it. This was introduced to detect mis-issued certificates and rogue certificate authorities.
As a side effect, CT logs are a goldmine for passive subdomain enumeration. Every time an organization obtains an SSL certificate for a subdomain — even an internal staging environment — the certificate is logged publicly. This tool queries crt.sh, which aggregates data from all major CT logs.
Unlike active DNS brute-forcing, this technique is entirely passive — no packets are sent to the target. It only retrieves what certificate authorities have already logged publicly.
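The processing step behind this kind of lookup, as an added example that is not this tool's own code: it turns CT log records for a domain you own into a name inventory and lists the names whose newest logged certificate has expired. The field names (`name_value`, `common_name`, `not_after`) are assumed to follow crt.sh's JSON output, and the sample records are constructed so the block runs offline.

```python
import json
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output; all values are made up.
SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2025-09-10T23:59:59"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_after": "2026-03-01T23:59:59"},
    {"common_name": "staging.example.com", "name_value": "Staging.Example.com",
     "not_after": "2023-05-02T23:59:59"},
    {"common_name": "notexample.com", "name_value": "notexample.com",
     "not_after": "2026-01-01T00:00:00"},
])


def inventory(raw_json, domain):
    """Map each name under `domain` to the latest not_after logged for it."""
    domain = domain.lower().rstrip(".")
    latest = {}
    for entry in json.loads(raw_json):
        expires = datetime.fromisoformat(entry["not_after"])
        # name_value carries one name per line; include common_name as well.
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower().rstrip(".")
            # Keep the "*." marker: a wildcard certificate does not reveal the
            # individual hostnames it covers, which matters when reading the result.
            base = name[2:] if name.startswith("*.") else name
            # Match on a label boundary so notexample.com is not taken for a subdomain.
            if base == domain or base.endswith("." + domain):
                latest[name] = max(latest.get(name, expires), expires)
    return latest


def expired(inv, now):
    """Names whose most recent logged certificate expired before `now`."""
    return sorted(name for name, exp in inv.items() if exp < now)


if __name__ == "__main__":
    inv = inventory(SAMPLE, "example.com")
    for name in sorted(inv):
        print(f"{name:25} valid until {inv[name]:%Y-%m-%d}")
    print("expired:", expired(inv, datetime(2025, 6, 1)))
```

A name that appears only with an expired certificate is worth checking against your asset register: the service may be retired, or it may still be running behind a wildcard or a certificate that was never logged.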
Use Cases
Who Uses Subdomain Enumeration?
Penetration Testers
Map the attack surface of an authorized target before active testing. Subdomains often expose forgotten dev, staging, or admin environments.
Bug Bounty Hunters
Quickly find all in-scope assets for a program. Many high-severity findings come from overlooked subdomains with weaker security posture.
Security Teams
Audit your own organization's external attack surface. Find shadow IT, expired certificates, and services that shouldn't be public.
OSINT Researchers
Understand infrastructure relationships, hosting providers, and organizational structure through passive certificate analysis.