Subdomain Recon
Discover subdomains using passive certificate transparency logs and public DNS datasets. Authorized testing only.
Discover subdomains using passive sources (crt.sh + HackerTarget).
Passive recon only — queries public databases, no direct scanning.
What is subdomain enumeration?
Subdomain enumeration is the process of discovering all subdomains associated with a target domain — for example finding api.example.com, staging.example.com, or admin.example.com when starting with just example.com.
Subdomains matter from a security perspective because they often host older, less-maintained applications, test environments with weaker security configurations, internal services accidentally exposed to the internet, or services running outdated software. Finding them is one of the first steps in any authorized penetration test or bug bounty reconnaissance.
Passive vs. active reconnaissance
There are two broad approaches to subdomain discovery:
- Active recon — directly probing the target's DNS servers, brute-forcing subdomain names, or scanning IP ranges. This generates traffic visible to the target and may be illegal without permission.
- Passive recon — querying third-party databases that have already indexed information about the target without direct interaction. This tool uses passive sources only.
How does certificate transparency work?
Every TLS/SSL certificate issued by a trusted Certificate Authority (CA) must be recorded in a public log — this requirement is called Certificate Transparency (CT), defined in RFC 6962. CT logs exist to detect fraudulent or misissued certificates.
A useful side effect: because every certificate must list the domain name(s) it covers, CT logs become a comprehensive index of every subdomain that has ever had a certificate issued for it. The crt.sh service aggregates these logs and makes them searchable — which is exactly what this tool uses.
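To make the two passive sources concrete, here is an added example (not the tool's own code) that parses the JSON crt.sh returns and the `host,ip` CSV that HackerTarget's hostsearch endpoint returns, normalizes the names, keeps only hosts under the target domain, and merges both sources into one record per hostname. The input data is constructed inline so it runs offline; in real use you would fetch it with `requests` from the URLs named in the comments. The regex, function names and record layout are this example's own choices, not an API of either service.

```python
import json
import re
from typing import Dict, List

# Constructed sample of the JSON that crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.com&output=json (real responses are far longer).
# "name_value" holds one or more names separated by newlines and may contain
# wildcard entries; "not_after" is the certificate's expiry timestamp.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "api.example.com\nwww.api.example.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2025-06-01T00:00:00"},
    {"name_value": "Staging.Example.COM", "not_after": "2024-01-01T00:00:00"},
    {"name_value": "example.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "example.com.evil.test", "not_after": "2026-01-01T00:00:00"},  # look-alike, out of scope
])

# Constructed sample of HackerTarget hostsearch output (CSV of host,ip), as from
# https://api.hackertarget.com/hostsearch/?q=example.com
HACKERTARGET_SAMPLE = """api.example.com,192.0.2.10
admin.example.com,192.0.2.11
mail.example.com,198.51.100.5
"""

# Conservative hostname syntax check (lowercase, LDH labels, no trailing dot).
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it (not a look-alike)."""
    return name == domain or name.endswith("." + domain)


def parse_crtsh(raw_json: str, domain: str) -> Dict[str, object]:
    """Parse crt.sh JSON into {"hosts": {hostname: latest not_after}, "wildcards": set}.

    Wildcard names are kept apart: they prove a certificate existed for *.domain
    but reveal no concrete hostnames, which is a known blind spot of CT-based recon.
    """
    hosts: Dict[str, str] = {}
    wildcards = set()
    for entry in json.loads(raw_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                if in_scope(name[2:], domain):
                    wildcards.add(name)
                continue
            if not HOSTNAME_RE.match(name) or not in_scope(name, domain):
                continue
            expiry = entry.get("not_after", "")
            if expiry > hosts.get(name, ""):  # keep the most recent certificate seen
                hosts[name] = expiry
    return {"hosts": hosts, "wildcards": wildcards}


def parse_hackertarget(raw_csv: str, domain: str) -> Dict[str, str]:
    """Parse HackerTarget hostsearch CSV into {hostname: ip}."""
    result: Dict[str, str] = {}
    for line in raw_csv.splitlines():
        if "," not in line:
            continue  # error text or blank line, not a host record
        host, ip = line.split(",", 1)
        host = host.strip().lower().rstrip(".")
        if HOSTNAME_RE.match(host) and in_scope(host, domain):
            result[host] = ip.strip()
    return result


def merge_sources(crtsh: Dict[str, object], hackertarget: Dict[str, str]) -> List[dict]:
    """Union of both sources: one record per hostname, with provenance attached."""
    crt_hosts: Dict[str, str] = crtsh["hosts"]  # type: ignore[assignment]
    records = []
    for name in sorted(set(crt_hosts) | set(hackertarget)):
        sources = [s for s, present in (("crt.sh", name in crt_hosts),
                                        ("hackertarget", name in hackertarget)) if present]
        records.append({
            "host": name,
            "sources": sources,
            "cert_not_after": crt_hosts.get(name),
            "ip": hackertarget.get(name),
        })
    return records


if __name__ == "__main__":
    ct = parse_crtsh(CRTSH_SAMPLE, "example.com")
    ht = parse_hackertarget(HACKERTARGET_SAMPLE, "example.com")
    for rec in merge_sources(ct, ht):
        print(rec)
    print("wildcard certs seen:", sorted(ct["wildcards"]))
```

Two caveats the merged output makes visible: a CT entry only proves a certificate was once issued, so a name with an old `cert_not_after` and no IP from the second source may no longer resolve at all, and a wildcard certificate hides every hostname beneath it. Treat the list as candidates to verify, not as live assets.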
Common subdomain types and their risks
What to do with subdomain results
- For defenders: audit your own domain for unexpected subdomains. Every subdomain you don't know about is an asset you can't protect.
- For pentesters: cross-reference with port scanning and HTTP probing to identify live services (use only on authorized targets).
- For developers: decommission old subdomains properly — simply removing DNS records while leaving the underlying server running is not enough. A "dangling DNS" record pointing to an abandoned cloud resource can be taken over by an attacker.
- Check for subdomain takeover possibilities: if a subdomain points to a third-party service (GitHub Pages, Heroku, Netlify) that no longer has the corresponding project configured, the subdomain may be claimable by anyone.
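The defender-side audit described in the list above, as an added example that is not part of the original page: it parses a BIND-style zone export, picks out every CNAME, classifies the target as inside or outside your own domain, and flags any CNAME whose target no longer resolves, which is the "dangling DNS" condition. The zone contents, the `example.net` hosting names and the `RESOLVABLE` set are constructed stand-ins; in real use `lookup()` would issue a DNS query (for instance with `socket.gethostbyname` or dnspython) and an NXDOMAIN answer is the dangling signal.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed zone export for example.com in BIND presentation format (not real data).
ZONE_SAMPLE = """\
; constructed sample zone for the audit example
www.example.com.      300 IN A     192.0.2.10
docs.example.com.     300 IN CNAME example-docs.pages.example.net.
old-blog.example.com. 300 IN CNAME retired-app.hosting.example.net.
intranet.example.com. 300 IN CNAME www.example.com.
shop.example.com.     300 IN A     192.0.2.20
"""

# Constructed resolver answers: names that would return an address today.
# The retired hosting target is deliberately absent to model a dangling record.
RESOLVABLE = {
    "example-docs.pages.example.net",
    "www.example.com",
}

# owner  TTL  IN  TYPE  RDATA   (one record per line, comments stripped first)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)\s*$")


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def lookup(name: str) -> bool:
    """Stand-in resolver: True if the name resolves (constructed answers only)."""
    return normalize(name) in RESOLVABLE


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rtype, rdata) tuples from a zone export, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR_RE.match(line)
        if not m:
            continue  # SOA/NS/multi-line records are not needed for this audit
        owner, rtype, rdata = m.groups()
        records.append((normalize(owner), rtype.upper(), normalize(rdata)))
    return records


def audit_cnames(records: List[Tuple[str, str, str]], domain: str,
                 resolve: Callable[[str], bool] = lookup) -> List[Dict[str, object]]:
    """Flag CNAMEs that point outside the zone and/or at targets that no longer resolve."""
    findings = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        external = not (target == domain or target.endswith("." + domain))
        dangling = not resolve(target)
        if dangling and external:
            risk = "dangling-external"   # abandoned third-party resource: remove or reclaim
        elif dangling:
            risk = "dangling-internal"   # stale internal alias: remove the record
        elif external:
            risk = "external"            # fine today, but track the provider dependency
        else:
            risk = "ok"
        findings.append({"owner": owner, "target": target,
                         "external": external, "dangling": dangling, "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_cnames(parse_zone(ZONE_SAMPLE), "example.com"):
        print(f"{f['risk']:18} {f['owner']} -> {f['target']}")
```

Run this against your own zone on a schedule: a CNAME that has moved from `external` to `dangling-external` is exactly the record that should be deleted before the underlying cloud resource is released, and the audit costs nothing more than a resolver query per alias.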