Subdomain Finder & Recon Tool avatar

Subdomain Finder & Recon Tool

Pricing

$1.00 / 1,000 domain scans

Try for free
Go to Apify Store
Subdomain Finder & Recon Tool

Subdomain Finder & Recon Tool

Try for free

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Pricing

$1.00 / 1,000 domain scans

Rating

0.0

(0)

Developer

Andok

Andok

Maintained by Community

Actor stats

0

Bookmarked

3

Total users

2

Monthly active users

a day ago

Last modified

Categories

Business

Developer tools

Share

Subdomain Finder (CT Logs + DNS)

Map the full attack surface of any domain by discovering subdomains through certificate transparency logs and optional DNS brute-force. Security audits and penetration tests start with knowing what is exposed — yet manual subdomain enumeration is slow and incomplete. Scan multiple domains in bulk with configurable concurrency and get structured results ready for downstream security tools.

Features

  • Certificate transparency — queries crt.sh to find subdomains from publicly issued TLS certificates
  • DNS brute-force — optional wordlist-based subdomain discovery for common names like api, staging, admin
  • Bulk scanning — process multiple root domains in a single run
  • Configurable concurrency — control parallel lookups from 1 to 25 simultaneous queries
  • Source tracking — reports how many subdomains came from each discovery method
  • Custom wordlists — extend or replace the default brute-force wordlist with your own terms
  • Charge limit support — respects the Apify max charge per run to control costs

Input

FieldTypeRequiredDefaultDescription
domainsarrayNo["example.com"]Root domains to scan for subdomains
domainstringNoSingle domain to scan (backwards compatible, use domains for bulk)
useCertificateTransparencybooleanNotrueQuery certificate transparency logs (crt.sh) for subdomain discovery
useDnsBruteforcebooleanNofalseCheck a wordlist of common subdomain names via DNS resolution
bruteforceWordsarrayNo["www", "mail", "api", ...]Custom wordlist for DNS brute-force. Only used when brute-force is enabled
timeoutSecondsintegerNo15Timeout in seconds for each DNS or HTTP request
concurrencyintegerNo5Number of parallel domain lookups (1-25)

Input Example

{
  "domains": ["example.com", "example.org"],
  "useCertificateTransparency": true,
  "useDnsBruteforce": true,
  "concurrency": 10
}

Output

Each root domain produces one dataset item with all discovered subdomains and source counts.

Key fields:

  • domain (string) — the root domain that was scanned
  • subdomainCount (integer) — total number of unique subdomains found
  • subdomains (array) — sorted list of all discovered subdomains
  • sources (object) — count of subdomains found per method (crtsh, dnsBruteforce)
  • checkedAt (string) — ISO 8601 timestamp of the scan
  • error (string | null) — any issues encountered during the scan

Output Example

{
  "domain": "example.com",
  "subdomainCount": 12,
  "subdomains": [
    "api.example.com",
    "blog.example.com",
    "cdn.example.com",
    "dev.example.com",
    "mail.example.com",
    "staging.example.com",
    "status.example.com",
    "support.example.com",
    "vpn.example.com",
    "wiki.example.com",
    "www.example.com",
    "zabbix.example.com"
  ],
  "sources": {
    "crtsh": 10,
    "dnsBruteforce": 4
  },
  "checkedAt": "2025-03-09T14:30:00.000Z",
  "error": null
}

Pricing

EventCost
Domain ScanPay-per-event pricing applies

Set ACTOR_MAX_TOTAL_CHARGE_USD to control maximum spending per run.

Use Cases

  • Penetration testing reconnaissance — discover all exposed subdomains before beginning a security assessment
  • Attack surface management — schedule weekly scans to detect new or unauthorized subdomains as they appear
  • Brand protection — find subdomains that may have been forgotten, misconfigured, or hijacked
  • Certificate audit preparation — enumerate subdomains to feed into SSL certificate monitoring
  • Infrastructure inventory — build a complete map of subdomains across multiple client domains for MSPs and agencies
ActorWhat it adds
DNS Propagation CheckerVerify DNS records for discovered subdomains across global resolvers
SSL Certificate MonitorCheck SSL certificate health for every subdomain found
Security Headers AnalyzerAudit HTTP security headers on discovered subdomains

Notes

  • Certificate transparency results depend on crt.sh availability. If crt.sh is temporarily down, the actor logs the error and continues with DNS brute-force if enabled.
  • DNS brute-force only checks the provided wordlist — it does not perform exhaustive enumeration. Extend bruteforceWords for deeper coverage.

You might also like

Subdomain Finder avatar

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

User avatar

HappiTap

12

Subdomain Finder avatar

Subdomain Finder

automation-lab/subdomain-finder

This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.

User avatar

Stas Persiianenko

3

Bug Bounty Recon Scanner avatar

Bug Bounty Recon Scanner

iamuendo/Bug-Bounty-Recon-Scanner

Find exposed admin panels, missing/weak security headers, sensitive file leaks, and HTTPS misconfigurations across target domains. Export prioritised risk scores and JSON reports. Run via API, schedule scans, or integrate with bug bounty tools.

User avatar

Isaac Muendo

14

Holehe Email Osint avatar

Holehe Email Osint

anshumanatrey/holehe-email-osint

Check if an email is registered on 120+ platforms (Instagram, Twitter, GitHub, Discord, etc.) without alerting the target. Perfect for OSINT investigations, security research, and email verification.

User avatar

Anshuman Atrey

412

5.0

OSINT Scraper avatar

OSINT Scraper

epctex/osint-scraper

Harness the power of OSINT data with our advanced OSINT Scraper. Discover keywords and leaked information from platforms like Ideone, Dumpz, Github Gist, Pastebin, Pasteorg and Textbin. You can specify search terms, customize and retrieve OSINT data out of the box.

User avatar

epctex

947

5.0

Organization Registered Domain & Subdomain Scraper avatar

Organization Registered Domain & Subdomain Scraper

lofomachines/organization-registered-domain-subdomain-scraper

Discover all domains registered by any organization by company domain. Find related domains, subdomains, registration dates, expiration dates, and registrar information. Perfect for brand protection, competitive analysis, M&A due diligence, and security research.

User avatar

Lofomachines

4

5.0

Threat Profiler avatar

Threat Profiler

peachstudio/threat-profiler

Generate AI-powered cyber threat intelligence reports in minutes. Get threat actor profiles with MITRE ATT&CK mappings, attack surface analysis, and security recommendations. Perfect for security assessments, M&A due diligence, and vendor risk management, but also to know your target in cyber sales.

User avatar

Peach Studio

3

Target avatar

Target

mynewhome/target

Target Scrapper agent

User avatar

Aida Sarre

2

Subdomain Finder & Reverse IP avatar

Subdomain Finder & Reverse IP

canadesk/subdomain-finder-reverse-ip

Enumerate Subdomains and Reverse IPs with RapidDNS, Anubis, AlienVault and crt.sh! It's fast and costs little.

User avatar

Canadesk Support

186

Target Keyword Scraper avatar

Target Keyword Scraper

crafter/target-keyword-scraper

User avatar

Eve Ezetta

16