
ZeroTrace OSINT

Subdomain Discovery

Find subdomains across a target via certificate transparency, wordlist enumeration, and live HTTP probing.

Subdomain discovery is the foundation of external-attack-surface mapping. You start with one apex domain and end with a list of every subdomain a target operates — or has ever operated, in the case of certificate-transparency data.

The toolkit ships two complementary discovery tools:

  • Certificate transparency — every certificate the target has ever requested includes the hostname(s) it covers. Public CT logs preserve those forever.
  • Wordlist enumeration — DNS-resolve a list of common subdomain names against the apex, keep the ones that resolve.

Most investigations want to combine the two. CT gives you the historical truth; wordlist enumeration catches the live-but-never-certified hostnames (internal-only, dev, staging).

Certificate-transparency discovery

Inputs: the apex domain (example.com).

Output: deduplicated list of every name appearing as a Subject Alternative Name in any public certificate issued for the apex or any of its subdomains.

Per-hostname columns and what each tells you:

  • Hostname: the name from the certificate.
  • Cert count: how many certificates have been issued covering this name.
  • First seen: when the earliest certificate was issued.
  • Last seen: when the most recent certificate was issued.
  • Issuer: the certificate authority that issued the latest cert.
  • Wildcard flag: set if the cert is for *.example.com rather than a specific name.

A "first seen" date close to today on a name you do not recognise is high-signal: someone just started a new service, possibly without telling the security team.
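The per-hostname table is a reduction over raw certificate records. The following is an added example (not the toolkit's own code) that builds that table from a constructed sample whose field names follow crt.sh's JSON output (id, issuer_name, common_name, name_value, not_before); the certificates, dates and the newbilling hostname are invented. It also implements the "first seen close to today, and nobody recognises it" check from the paragraph above, with the window length and the list of known names being assumptions you would supply.

```python
import json
from datetime import date, timedelta

# Constructed sample modelled on crt.sh's JSON output. Not real certificates.
# name_value carries every SAN on the cert, newline-separated; record 5 shows a
# SAN on an unrelated domain that must not be swept into scope.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2021-03-01T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-06-15T10:00:00"},
    {"id": 3, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA DV",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2022-01-20T10:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "newbilling.example.com",
     "name_value": "NewBilling.example.com",
     "not_before": "2024-05-28T10:00:00"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.notexample.com",
     "name_value": "www.notexample.com",
     "not_before": "2024-01-01T10:00:00"},
])


def in_scope(name, apex):
    """True for the apex itself or any name under it; the leading dot keeps
    'www.notexample.com' out of scope for apex 'example.com'."""
    return name == apex or name.endswith("." + apex)


def summarise_ct(raw_json, apex):
    """Collapse raw CT records into one row per hostname (the per-hostname table)."""
    apex = apex.lower()
    rows = {}
    for rec in json.loads(raw_json):
        issued = rec["not_before"][:10]  # ISO date prefix; sorts correctly as text
        sans = {n.strip().lower().rstrip(".") for n in rec["name_value"].split("\n")}
        for name in sans:
            if not name or not in_scope(name, apex):
                continue
            row = rows.setdefault(name, {
                "hostname": name, "cert_count": 0,
                "first_seen": issued, "last_seen": issued,
                "issuer": rec["issuer_name"], "wildcard": name.startswith("*."),
            })
            row["cert_count"] += 1
            row["first_seen"] = min(row["first_seen"], issued)
            if issued >= row["last_seen"]:
                row["last_seen"] = issued
                row["issuer"] = rec["issuer_name"]  # issuer of the most recent cert
    return sorted(rows.values(), key=lambda r: r["hostname"])


def recent_first_seen(rows, today, known, window_days=30):
    """Hostnames first certified inside the window that are not on the known list."""
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    return [r["hostname"] for r in rows
            if r["hostname"] not in known
            and date.fromisoformat(r["first_seen"]) >= cutoff]


if __name__ == "__main__":
    table = summarise_ct(SAMPLE_CT_JSON, "example.com")
    for row in table:
        print(row)
    # "today" and the known set are assumed inputs for the demonstration
    print("new and unrecognised:",
          recent_first_seen(table, "2024-06-10", {"example.com", "www.example.com"}))
```

Note that the wildcard entry stays as its own row (with the flag set) rather than being expanded: a wildcard cert tells you the name space exists but not which hostnames under it are real, which is exactly what the wordlist pass is for.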

Group-by-issuer view

A toggle re-groups the list by certificate authority. Useful for spotting:

  • Sites that switched from a vanity CA to Let's Encrypt (or vice versa).
  • Sub-organisations using a different CA than the parent.
  • Renewal patterns.

Auto-resolve to A / AAAA

A second-pass option resolves each discovered hostname to its current A / AAAA records. Hostnames that no longer resolve are abandoned subdomains — often the most interesting finds.

Abandoned subdomains pointing at relinquished cloud resources are the classic subdomain-takeover risk. CT discovery + auto-resolve is the standard way to find them.

Wordlist enumeration

Inputs: the apex domain plus a wordlist (the toolkit ships several, from a 100-line common list to a 100k-line aggressive list, and you can paste your own).

For each candidate <word>.example.com, the tool resolves DNS and keeps the ones that return a record.

Wildcard DNS detection runs first: the tool resolves a random nonsense subdomain. If the apex is configured to resolve everything, the tool warns you and suppresses matches that point at the wildcard target.

Live-probe pass

After enumeration, an optional second pass HEAD-probes each resolved subdomain for:

  • HTTP status code.
  • Page title (when 200).
  • Tech-stack hints (a lite version of site analysis).

Sort the result by alive-vs-dead. Filter to 200s. Click any alive subdomain to open it in the browser.

Subdomain wordlist generator

The subdomain wordlist generator utility generates target-specific wordlists — for example, "permutations of api, app, staging, dev, prod with 1-9 and 01-20 suffixes." Feed the output directly into the enumeration tool.
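The two pieces described above, the permutation-style wordlist generator and the enumeration pass with wildcard-DNS detection, fit together in one added example below. This is illustration code, not the toolkit's implementation: the suffix scheme (1-9 and 01-20) is the one quoted in the paragraph above, the DNS answers come from a constructed dict-backed resolver so the example runs offline, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges, not real hosts. The `system_resolver` function is the drop-in that would make the same loop consult the system resolver.

```python
import secrets
import socket
import string

# Constructed stand-in zone: the names that "really" exist and their answers.
FAKE_ZONE = {
    "api.example.com": {"203.0.113.10"},
    "app01.example.com": {"203.0.113.30"},
    "dev.example.com": {"203.0.113.20"},
}


def make_fake_resolver(zone, apex, wildcard_answer=None):
    """Resolver that answers from a dict; with wildcard_answer set, every other
    name under apex resolves too, the way a wildcard DNS record behaves."""
    def resolve(hostname):
        if hostname in zone:
            return set(zone[hostname])
        if wildcard_answer and hostname.endswith("." + apex):
            return set(wildcard_answer)
        return set()
    return resolve


def system_resolver(hostname):
    """Drop-in replacement using the system resolver (A and AAAA); not used offline."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def generate_wordlist(bases, num_range=(1, 9), padded_range=(1, 20)):
    """Target-specific candidates: base, base1..base9, base01..base20, deduped in order."""
    out, seen = [], set()
    for base in bases:
        candidates = [base]
        candidates += [f"{base}{i}" for i in range(num_range[0], num_range[1] + 1)]
        candidates += [f"{base}{i:02d}" for i in range(padded_range[0], padded_range[1] + 1)]
        for cand in candidates:
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def detect_wildcard(apex, resolve):
    """Resolve a random nonsense label; a non-empty answer means the apex has wildcard DNS.
    Returns the wildcard target(s) so matches pointing there can be suppressed."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(secrets.choice(alphabet) for _ in range(16))
    return frozenset(resolve(f"{label}.{apex}"))


def enumerate_subdomains(apex, words, resolve):
    """Resolve <word>.<apex> for each word; keep real answers, suppress wildcard echoes."""
    wildcard_targets = detect_wildcard(apex, resolve)
    found, suppressed = [], []
    for word in words:
        host = f"{word}.{apex}"
        records = frozenset(resolve(host))
        if not records:
            continue
        if wildcard_targets and records <= wildcard_targets:
            suppressed.append(host)  # identical to the wildcard answer: not a real host
        else:
            found.append((host, sorted(records)))
    return {"wildcard": sorted(wildcard_targets), "found": found, "suppressed": suppressed}


if __name__ == "__main__":
    words = generate_wordlist(["api", "app", "dev"])
    resolver = make_fake_resolver(FAKE_ZONE, "example.com", {"198.51.100.5"})
    result = enumerate_subdomains("example.com", words, resolver)
    print("wildcard target:", result["wildcard"])
    print("found:", result["found"])
    print("suppressed:", len(result["suppressed"]), "wildcard echoes")
```

The suppression rule is deliberately strict: a candidate is dropped only when its answer set is contained in the wildcard's answer set. A real host that happens to share the wildcard's address is therefore hidden too, which is the trade-off the warning in the tool is telling you about; when that matters, re-check those names by a different signal (the live-probe pass, or a TLS certificate that names the host).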

Combined workflow

The recommended pattern for a real reconnaissance pass:

  1. Run certificate transparency against the apex.
  2. Auto-resolve every hostname; export the live ones.
  3. Run wordlist enumeration against the apex with a generic wordlist.
  4. Merge the two result sets (deduped).
  5. Live-probe everything.
  6. Pin alive 200s to your profile; pivot each into site analysis for tech-stack profiling.

The whole workflow runs in minutes for a small target, an hour for a large one.
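Steps 2 and 4 of the workflow, auto-resolving and merging the two result sets, are where normalisation mistakes creep in (case, trailing dots, wildcard entries that cannot be resolved directly). The added example below is not the toolkit's code; it merges constructed CT and wordlist results, tags each hostname with where it came from, and flags the CT-only names that no longer resolve, which is the abandoned-subdomain case the auto-resolve option exists to surface. The `fake_resolve` lookup and its 203.0.113.x answers are constructed so the example runs offline; any function returning a set of addresses, such as one built on `socket.getaddrinfo`, can replace it.

```python
# Constructed inputs: names as they might come back from the two tools, with the
# formatting variations a merge has to cope with.
CT_NAMES = ["www.example.com", "Old-Portal.example.com.", "*.example.com", "api.example.com"]
ENUM_NAMES = ["api.example.com", "dev.example.com"]

# Constructed answers for the offline resolver; old-portal deliberately has none.
FAKE_DNS = {
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.11"},
    "dev.example.com": {"203.0.113.12"},
}


def fake_resolve(hostname):
    """Stand-in for a real A/AAAA lookup."""
    return set(FAKE_DNS.get(hostname, ()))


def normalise(name):
    """Lowercase and strip a trailing dot; return None for wildcard entries,
    which name a pattern rather than a resolvable host."""
    name = name.strip().lower().rstrip(".")
    if not name or name.startswith("*."):
        return None
    return name


def merge_results(ct_names, enum_names, resolve):
    """Dedupe the two result sets, tag provenance, and mark names that no longer resolve."""
    sources = {}
    for label, names in (("ct", ct_names), ("wordlist", enum_names)):
        for raw in names:
            name = normalise(raw)
            if name:
                sources.setdefault(name, set()).add(label)
    merged = []
    for name in sorted(sources):
        records = sorted(resolve(name))
        merged.append({
            "hostname": name,
            "sources": sorted(sources[name]),
            "records": records,
            # certified once (CT) but no longer resolving: the abandoned-subdomain case
            "status": "alive" if records else "abandoned",
        })
    return merged


def abandoned(merged):
    """Just the rows worth a second look before anyone else finds them."""
    return [r["hostname"] for r in merged if r["status"] == "abandoned"]


if __name__ == "__main__":
    rows = merge_results(CT_NAMES, ENUM_NAMES, fake_resolve)
    for row in rows:
        print(row)
    print("abandoned:", abandoned(rows))
```

A name that appears in both sets is one row with `sources == ["ct", "wordlist"]`; the wildcard entry is dropped from the merge rather than resolved, since resolving the literal `*.example.com` tells you nothing about which hosts under it exist.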

Pivots

Click on a result to pivot to the related tools:

  • Subdomain hostname: DNS lookup, site analysis, TLS inspector, Wayback.
  • Resolved IP: IP geolocation, ASN, reverse DNS, exposed services.
  • Issuer: no pivot (informational).
  • Wildcard flag: Wayback (often the wildcard hostname is the one with the longest history).

Sources

  • Certificate transparency: crt.sh (Sectigo's free CT log search).
  • DNS resolution: the system resolver, with optional cross-resolution against Cloudflare / Google DNS.
  • Live probing: direct HTTP HEAD against each resolved hostname, rate-limited per host.
