Subdomain Finder
Discover subdomains for any domain by querying Certificate Transparency logs (crt.sh) and AlienVault OTX. Passive discovery, no probing of the target.
About subdomain discovery
Every TLS certificate issued by a public Certificate Authority is logged to Certificate Transparency (CT). By searching these logs (crt.sh) and AlienVault OTX, we can enumerate subdomains that were ever issued a certificate without sending a single packet to the target. This is pure passive reconnaissance.
Sources
- crt.sh Certificate Transparency log search (Sectigo operated).
- AlienVault OTX threat-intel community feed.
Wildcard entries (*.example.com) are filtered. Duplicates are de-duplicated. Internal or expired subdomains may still appear.
When it's useful
- Mapping an organization's external attack surface before a penetration test.
- Finding forgotten staging or admin endpoints that still have certs.
- Due diligence on a domain you're about to acquire.
Questions
Is this legal?
Yes. CT logs are public by design. No packets are sent to the target. OTX is a public threat-intel community.
Why don't I see a subdomain I know exists?
If no public TLS cert was ever issued for it, and no one reported it to OTX, it won't appear. Internal-only or self-signed subdomains are invisible to passive discovery.
How fresh are the results?
CT is near-realtime (minutes). OTX can lag by hours or days. New subdomains issued with certs show up quickly.
Related tools
CVE Search
Search vulnerabilities by CVE ID, product, or keyword.
IP Lookup
Instant geolocation, ISP, ASN, abuse history and reputation for any IPv4 or IPv6 address.
DNS Lookup
Query A, AAAA, MX, TXT, NS, SOA, CNAME, CAA and SRV records from authoritative resolvers.
WHOIS Lookup
Domain ownership, registrar, nameservers and key dates.