Python App #09

Subdomain Scanner

Subdomain Scanner performs passive subdomain enumeration using multiple public sources. It queries crt.sh certificate transparency logs to discover subdomains that have had SSL certificates issued for them, along with other public DNS and enumeration APIs. This is a key reconnaissance step in security assessments and OSINT investigations — finding subdomains can reveal development servers, staging environments, internal tools, and forgotten infrastructure.

crt.sh, cert transparency, enumeration, passive

Features

  • crt.sh certificate transparency queries
  • Multi-source enumeration
  • Passive reconnaissance (no active scanning)
  • Duplicate removal and sorting
  • Wildcard subdomain handling
  • Result count tracking
  • One-click URL opening
  • HTML session export
  • Live discovery log
  • Professional results display

Quick Start

# 1. Extract the zip and enter the folder
cd 09-Subdomain-Scanner

# 2. Install dependencies
python install_requirements.py

# 3. Launch the tool
python subdomain_scanner.py

Download

Tool: Subdomain Scanner
File: 09-Subdomain-Scanner.zip
Python: 3.8+
OS: Windows, macOS, Linux
Dependencies: customtkinter, requests

Downloads are free — clicking the link below opens a short ad that helps support Max Intel. Thank you! Wait 15 seconds after clicking to unlock.


How Does Passive Subdomain Enumeration Work?

Subdomain discovery maps a domain's attack surface without sending traffic to the target, which NIST SP 800-115 classifies as passive reconnaissance. This tool queries crt.sh (indexing 10+ billion certificates) to find subdomains in publicly logged SSL/TLS certificates; logging of certificates has been mandated by Google Chrome's CT Policy since 2018.

Why Certificate Transparency Is Effective for OSINT

When an organization obtains an SSL certificate for internal.corp.example.com, that subdomain becomes permanently recorded in CT logs — even if never intended to be public. According to Censys (2024), CT logs reveal an average of 3.2x more subdomains than DNS brute-forcing alone. This tool leverages that exposure to discover development servers, staging environments, and internal tools.
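The duplicate removal and wildcard handling described above, shown as an added example for auditing your own domain's CT exposure (this is not the tool's own code). The `common_name` and `name_value` fields follow crt.sh's JSON output; the sample records and all function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); not real log data.
# Function names below are illustrative, not the Subdomain Scanner's API.
SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "Staging.Example.com.", "name_value": "STAGING.example.com"},
    {"common_name": "internal.corp.example.com", "name_value": "internal.corp.example.com\ncdn.partner.test"},
    {"common_name": "notexample.com", "name_value": "mail.notexample.com\nadmin@example.com"},
])


def _zone_key(name):
    return name.split(".")[::-1]  # sort by zone so sibling hosts sit together


def normalize_ct_names(records, domain):
    """Return (hosts, wildcards): sorted, de-duplicated names under `domain`."""
    domain = domain.lower().strip(".")
    hosts, wildcards = set(), set()
    for rec in records:
        # name_value holds one SAN per line; common_name may repeat one of them.
        raw = [rec.get("common_name") or ""] + (rec.get("name_value") or "").split("\n")
        for name in raw:
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name or " " in name:
                continue  # skip blanks, e-mail SANs and non-hostname subjects
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Match on a label boundary so notexample.com is not treated as in scope.
            if base != domain and not base.endswith("." + domain):
                continue
            if is_wildcard:
                wildcards.add(name)  # a pattern, not a host; reported separately
            hosts.add(base)          # the wildcard's parent is kept as a candidate name
    return sorted(hosts, key=_zone_key), sorted(wildcards, key=_zone_key)


def ct_exposure(raw_json, domain):
    hosts, wildcards = normalize_ct_names(json.loads(raw_json), domain)
    return {"hosts": hosts, "wildcards": wildcards, "count": len(hosts)}


if __name__ == "__main__":
    print(ct_exposure(SAMPLE, "example.com"))
```

Names that appear in the result but not in your asset inventory are the ones to review, since each is permanently visible to anyone who queries the logs.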

Complementary Reconnaissance

OWASP Amass extends discovery using DNS resolution, scraping, and 50+ API sources. For assessments per PTES (Penetration Testing Execution Standard) methodology, start with passive discovery here, then pivot to Domain Intel for detailed analysis of discovered subdomains.

🕸️ Subdomain Scanner — Frequently Asked Questions

How does subdomain enumeration work?

The tool combines multiple techniques: DNS brute-forcing with common wordlists, certificate transparency log queries, search engine scraping, and passive DNS lookups to discover subdomains that may reveal hidden infrastructure.

Does the subdomain enumeration tool require installation?

No. The tool runs entirely in your browser using client-side Python via Pyodide. No installation, API keys, or server-side processing required. Your queries are executed locally for maximum privacy.

What can I do with the subdomain enumeration tool?

You can discover subdomains via DNS brute-force, certificate transparency, and public sources. The tool provides a clean interface with exportable results and cross-links to related Max Intel tools for deeper investigation.