Subdomain Finder
Discover subdomains for any domain using public Certificate Transparency logs via crt.sh. Purely passive — the target never sees your query.
How to Use the Subdomain Finder
- Enter the root domain you want to enumerate (e.g., example.com).
- Click "Find Subdomains" — the tool queries crt.sh for all certificates issued for *.example.com.
- Results appear sorted alphabetically with one subdomain per line.
- Use the filter box to narrow the list (e.g., 'api' or 'staging').
- Click any subdomain to visit it, or use Copy / Download .txt to pipe results into other tools.
About Certificate Transparency Subdomain Discovery
Certificate Transparency (CT) is an open framework for monitoring and auditing X.509 certificates. Every publicly-trusted CA (Let's Encrypt, DigiCert, Sectigo, etc.) is required to publish every certificate they issue to at least two CT logs. Those logs are append-only, cryptographically verifiable, and mirrored across the internet. The side effect: if anyone on the target domain has ever requested a certificate for a subdomain, that name becomes permanently discoverable in the CT logs.
This makes CT the gold standard for passive subdomain enumeration. Unlike traditional brute-force wordlists, there are zero false positives — every name returned actually had a certificate issued at some point. Unlike DNS brute-forcing, you do not send a single packet to the target's infrastructure: the reconnaissance is completely invisible to them. This is the first step in virtually every modern web recon methodology.
Common discoveries include forgotten staging environments (staging-old.example.com), internal tools exposed to the public internet (jenkins.example.com, grafana.example.com), legacy infrastructure (old2022.example.com), and third-party integrations (shopify.example.com).
The tool uses crt.sh, the community CT log search engine run by Sectigo. It may return thousands of results for large organizations — use the filter box or the .txt download to feed the list into your preferred DNS resolution tool.
Frequently Asked Questions
The tool filters out wildcard certificates because a wildcard doesn't reveal actual subdomains — it just means the CA issued a wildcard. Wildcards are removed automatically; you will only see concrete hostnames.
crt.sh is a volunteer-operated service and regularly returns 502s or partial data under load. Re-run the query if you get an error or a suspicious count. Results are cumulative over time, so a query may show historical subdomains that are now gone.
Yes. The only network traffic is from your browser to our server and from our server to crt.sh. The target domain's infrastructure never receives a single packet, making it safe for reconnaissance on in-scope but sensitive targets.
Only if their certificates were issued by a public CA. If the company uses a private PKI for internal services, those subdomains won't appear in CT logs. In practice, you'll find staging environments and legacy tooling surprisingly often — companies provision Let's Encrypt certs on internal services and forget about them.
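The post-processing this page describes (drop wildcard entries, deduplicate, sort, and treat a malformed crt.sh response as a reason to re-run), sketched in Python as an added example; it is not this tool's own code. The sample rows are constructed and keep only the `name_value` and `not_after` fields of crt.sh's JSON output; the function names and the current/historical split by `not_after` are assumptions made for illustration.

```python
import json
from datetime import datetime

# Constructed sample rows (not real data), reduced to the two fields used below.
SAMPLE = json.dumps([{"name_value": n, "not_after": d} for n, d in [
    ("*.example.com\nexample.com", "2030-01-01T00:00:00"),
    ("API.example.com\napi.example.com", "2030-06-01T00:00:00"),
    ("staging-old.example.com", "2021-03-01T00:00:00"),
    ("staging-old.example.com", "2020-03-01T00:00:00"),
    ("admin@example.com", "2030-01-01T00:00:00"),
    ("www.notexample.com", "2030-01-01T00:00:00"),
]])


def parse_ct_names(body, root):
    """Map each concrete in-scope hostname to the latest not_after seen for it."""
    try:
        rows = json.loads(body)
    except json.JSONDecodeError as exc:
        # A 502 page or truncated response is not valid JSON: retry, don't trust it.
        raise ValueError("crt.sh response is not valid JSON; re-run the query") from exc
    root = root.lower().rstrip(".")
    latest = {}
    for row in rows:
        expiry = datetime.fromisoformat(row["not_after"])
        for name in row.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*.") or "@" in name:
                continue  # wildcard entries and e-mail SANs are not hostnames
            if name != root and not name.endswith("." + root):
                continue  # match on a label boundary so notexample.com stays out
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def split_by_validity(latest, now):
    """Return (current, historical) sorted name lists relative to `now`."""
    current = sorted(n for n, exp in latest.items() if exp >= now)
    historical = sorted(n for n, exp in latest.items() if exp < now)
    return current, historical


if __name__ == "__main__":
    names = parse_ct_names(SAMPLE, "example.com")
    print(split_by_validity(names, datetime(2025, 1, 1)))
```

Names in the historical list had certificates that have all expired, so they are the ones most likely to be gone and are worth confirming with DNS resolution before acting on them.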