loading
loading
Recon
Get subdomains for a root domain straight from SecurityTrails.
overview
securitytrails-subdomains asks the SecurityTrails API for every subdomain it knows under a root domain and parses the response into a flat, usable list. SecurityTrails builds its inventory from passive DNS and certificate data, so this node surfaces hosts you would never reach by brute force, including hosts that resolve only intermittently or were active in the past.
Because the lookup is entirely passive, it sends no traffic to the target. You hand it a root domain and an API key, and it returns the subdomain set without touching the target's own DNS resolvers. That makes it a quiet first move in a recon pipeline and a cheap way to expand scope before any active stage runs.
On Trickest, securitytrails-subdomains is a Recon node that takes a root domain and an API key and writes a file and a folder of results. Pair it with active enumerators so the combined output covers both historical records and live brute-forced hosts before you probe or scan.
source github.com/trickest
use cases
Pull SecurityTrails subdomains for a root domain to grow the target list without sending a request to the target's infrastructure.
Surface subdomains from passive DNS history that no longer appear in live resolution but may still answer or leak information.
Feed the SecurityTrails set into a brute-force tool so its wordlist run starts from known-good hosts and finds more siblings.
Merge this output with crawler and certificate-transparency results so the final host list draws on several independent sources.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| root-domain | STRING | · | Root domain to find and parse subdomains from response |
| api-key | STRING | · | SecurityTrails API key |
Showing key inputs. securitytrails-subdomains exposes 2 inputs in total.
example
# securitytrails-subdomains: passive pull for example.com (api-key as node input)# root-domain: example.com# writes one subdomain per line for downstream resolverswww.example.comapi.example.commail.example.comstaging.example.comdev.example.comcdn.example.comvpn.example.comportal.example.comstatus.example.comguidance
Use securitytrails-subdomains when you want a quick, passive subdomain list from SecurityTrails with no traffic to the target. For arbitrary SQL-style lookups over the same source, use securitytrails-sql. For active brute-force resolution, pair it with shuffledns.
Same data source with full query control. Use it when a flat subdomain list is not enough.
Active brute-force and resolution. Feed it the passive set as known-good seeds.
Service and device intelligence rather than DNS inventory. A different lens on the same target.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A root domain feeds securitytrails-subdomains, whose passive set seeds shuffledns to resolve and confirm the final subdomain list.
Facts on this page come from the live Trickest tool library.