Subdomain Finder
Enumerate every subdomain of a domain via certificate transparency logs. Best first step for any external attack-surface review of your own infrastructure.
Powered by crt.sh — a public mirror of Certificate Transparency logs. Only subdomains that have had a public TLS certificate issued appear here.
FAQ
Where does the data come from?
Certificate Transparency logs via crt.sh. Every public TLS certificate issued has to be logged in CT — we query for certs covering *.<your-domain> and dedupe the hostnames.
Will this find every subdomain?
Only subdomains that have ever had a publicly issued TLS certificate. Internal-only subdomains using private CAs or self-signed certs won't show up. But almost every public-facing service today uses Let's Encrypt or a public CA, so coverage is high.
Is this 'hacking'?
No. CT logs are explicitly public — they exist so anyone can audit what certs are issued for what names. This is the standard first step in any external attack-surface review for your own domain.
Why is this taking 20 seconds?
crt.sh can be slow under load. The query covers historical and current certificates so the index is large. If it times out, try again in a minute.
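An added example, not this tool's own code: one way to do the dedupe step from the first FAQ answer on crt.sh's JSON output, keeping only names inside the domain you are reviewing. The records are constructed placeholders, `name_value` and `common_name` are the fields crt.sh returns, and `hostnames_from_ct` is a hypothetical helper.

```python
import json

# Constructed records in the shape of crt.sh's JSON output; example.com and
# every hostname here are placeholders, not real query results.
SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "API.example.com", "name_value": "API.example.com\nwww.example.com"},
    {"common_name": "shop.notexample.com", "name_value": "shop.notexample.com\nvpn.example.com"},
    {"common_name": "Example Admin", "name_value": "admin@example.com"},
])


def hostnames_from_ct(records, domain):
    """Return (hosts, wildcards): deduplicated in-scope names from CT records."""
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for rec in records:
        # name_value holds the certificate's names, newline-separated;
        # common_name may repeat one of them or hold free text.
        names = (rec.get("name_value") or "").split("\n")
        names.append(rec.get("common_name") or "")
        for name in names:
            name = name.strip().lower().rstrip(".")
            # Skip empty values, e-mail identities and free-text common names.
            if not name or "@" in name or " " in name:
                continue
            is_wild = name.startswith("*.")
            base = name[2:] if is_wild else name
            # Scope check on a label boundary, so notexample.com is not
            # mistaken for a subdomain of example.com.
            if base != domain and not base.endswith("." + domain):
                continue
            # A wildcard is a pattern, not a host: report it separately.
            (wildcards if is_wild else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    hosts, wildcards = hostnames_from_ct(json.loads(SAMPLE), "example.com")
    print("hosts:", hosts)
    print("wildcards:", wildcards)
```

Wildcard entries are kept apart because they show that some name under that label was covered, without telling you which hosts actually exist.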