Enumerates subdomains using CT logs, passive DNS, and search engine dorks
Enumerate all discoverable subdomains for a given domain using passive reconnaissance techniques including Certificate Transparency logs, passive DNS, and search engine dorks.
Query Certificate Transparency logs via the crt.sh API.
Endpoint:
GET https://crt.sh/?q=%25.{domain}&output=json
Process:
Example Response:
[
  {
    "issuer_ca_id": 183267,
    "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
    "common_name": "*.example.com",
    "name_value": "api.example.com\nwww.example.com"
  }
]
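An added example, not part of the original page or of crt.sh: turning a response of the shape shown above into a deduplicated, in-scope host list for a certificate inventory. The function name `extract_subdomains` and the sample records are constructed for illustration, and no network request is made.

```python
import json

# Constructed sample in the shape of the crt.sh response shown above.
# The second record is invented to exercise wildcard, case, e-mail and
# out-of-scope handling.
SAMPLE_RESPONSE = r"""
[
  {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.example.com",
   "name_value": "api.example.com\nwww.example.com"},
  {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "WWW.example.com",
   "name_value": "*.dev.example.com\nwww.example.com\nexample.com.other.test\nadmin@example.com"}
]
"""


def extract_subdomains(response_text, domain):
    """Return (hosts, wildcards) found in a crt.sh JSON response for `domain`."""
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    hosts, wildcards = set(), set()
    for entry in json.loads(response_text):
        # name_value holds one or more names separated by newlines;
        # common_name may carry a name that is not repeated there.
        raw = [entry.get("common_name") or ""]
        raw += (entry.get("name_value") or "").split("\n")
        for name in raw:
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name:  # skip blanks and e-mail entries
                continue
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]  # record the zone the wildcard covers
            # Keep only names at or below the target domain; a substring
            # match would also accept example.com.other.test.
            if name != domain and not name.endswith(suffix):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    found_hosts, found_wildcards = extract_subdomains(SAMPLE_RESPONSE, "example.com")
    print("hosts:", found_hosts)
    print("wildcard zones:", found_wildcards)
```

Wildcard entries are reported separately because they name a zone, not a resolvable host.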
Use search engine dorks to discover subdomains.
Dork Queries: