Subdomain Enumeration

Discover subdomains via CT Logs (crt.sh) with DNS resolution for each result.

Subdomain	IP Address	Status

Certificate TransparencyData from public CT logs (crt.sh)

DNS ResolutionActivity check for each subdomain

Full ListAll discovered subdomains with IP addresses

Passive ReconNo aggressive scanning

Enter a domain name (e.g., example.com)

The system queries CT logs via crt.sh and resolves DNS for each discovered subdomain

A list of subdomains is displayed with IP addresses and activity status

Why enumerate subdomains?

Forgotten subdomains (dev, staging, test) are one of the most common entry points for attackers. Subdomain enumeration helps discover your hidden attack surface and eliminate risks before an incident.

CT Log Search

Search Certificate Transparency logs via crt.sh — discovers subdomains that had SSL certificates issued.

DNS Resolution

Each discovered subdomain is verified via DNS to confirm its activity and obtain its IP address.

Data Export

Results can be copied or exported for further security analysis.

Common Mistakes

❌

Not auditing subdomainsForgotten dev/staging subdomains with outdated software are easy targets for attackers.

❌

Leaving dev subdomains publicTest environments should be behind a VPN or IP filter, not open to the entire internet.

❌

Wildcard certs hide subdomainsWildcard SSL does not register specific subdomains in CT logs — use additional discovery methods.

❌

Not removing DNS records after decommissioningDangling DNS records can be hijacked by attackers (subdomain takeover).

Best Practices

✓

Regularly scan your domainAudit subdomains at least monthly — new certificates are issued constantly.

✓

Close unused subdomainsRemove DNS records for subdomains that are no longer needed. Minimize the attack surface.

✓

Protect dev/staging via VPNTest environments should not be accessible from the internet without authentication.

What is Subdomain Enumeration?

Subdomain enumeration discovers all subdomains of a domain using Certificate Transparency logs (crt.sh). This technique is widely used in security assessments to map the attack surface of a target, find forgotten dev/staging environments, and detect misconfigured services. All discovered subdomains are verified via DNS resolution to confirm if they are live.

Frequently Asked Questions

What is subdomain enumeration?

Subdomain enumeration is the process of discovering all registered subdomains for a given domain. It uses Certificate Transparency logs (crt.sh), DNS records, and other public sources to compile a complete list.

How are subdomains discovered?

The primary source is Certificate Transparency (CT) logs via crt.sh. When an SSL certificate is issued for a subdomain, it is logged in a public CT log. We also check DNS resolution for each discovered subdomain to confirm it is active.

Why search for subdomains?

Forgotten subdomains (dev, staging, test) are a common entry point for attackers. They may contain outdated software, open admin panels, or data leaks. Regular subdomain auditing is an important part of attack surface management.

What to do with discovered subdomains?

Review each subdomain: is it still needed, should it be publicly accessible, is the software up to date. Remove unused DNS records, restrict access to dev/staging via IP filters or VPN, and update certificates.

Is this tool safe to use?

Yes. We only use public data sources (CT logs, DNS). No aggressive scanning methods (brute force, zone transfer) are used. This is passive reconnaissance, similar to a Google search.

🌎 Subdomain Enumeration