loading
loading
Recon
Connect to the crt.sh certificate transparency database and get a domain's subdomains.
overview
certsh-subdomains pulls a domain's subdomains out of crt.sh, the public search front end for certificate transparency logs. Every time an organization issues an SSL certificate for a host, the certificate authority writes it to these append-only logs, so one query surfaces names the organization has provisioned, including internal-sounding hosts that never show up in DNS or page links.
Because it reads a public log instead of contacting the target, the lookup stays passive and quick. You hand it a domain and it returns the names crt.sh has on record, a clean seed list for the rest of an attack-surface workflow.
The node exposes a single domain input and no flags, which makes it a fast drop-in enumeration source. Merge its crt.sh results with subfinder for breadth, dedupe, then send the combined names to a prober like httpx to learn which hosts respond.
use cases
Query crt.sh for a domain to list the subdomains certificate transparency has recorded, without sending any traffic to the target.
Certificate logs often capture staging, admin, webmail, and other internal names that DNS scraping misses, giving you leads worth probing first.
Use certsh-subdomains as a starting enumeration source, then pass its names to httpx so probing runs against the discovered footprint.
Combine its crt.sh results with subfinder or amass and dedupe, since each source sees names the others do not.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | · | Domain to enumerate. certsh-subdomains queries crt.sh for every subdomain seen in that domain's certificates. |
Showing key inputs. certsh-subdomains exposes 1 inputs in total.
example
# pull a domain's subdomains from crt.sh, one name per linecertsh-subdomains example.com*.example.comexample.comapi.example.comautodiscover.example.comcpanel.example.comdev.example.commail.example.comstaging.example.comvpn.example.comwebmail.example.comguidance
Use certsh-subdomains for fast, passive subdomain discovery from certificate transparency at the start of a workflow. It reads crt.sh, not the target, so nothing touches the host. It finds names, it does not test them, so merge it with subfinder and follow with httpx.
Queries many passive sources including crt.sh. certsh-subdomains is the focused, crt.sh-only finder.
Reads certificate names off live hosts over TLS. certsh-subdomains reads the same kind of data from public logs.
Deeper multi-source enumeration with active options. certsh-subdomains is a single, quick certificate-log source.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds certsh-subdomains, which pulls its subdomains from the crt.sh log and hands them to httpx so only the live names land as a queryable output.
Facts on this page come from the live Trickest tool library.