Subdomain Finder & Recon Tool

Pricing

$1.00 / 1,000 domain scans

Subdomain Finder & Recon Tool

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Pricing

$1.00 / 1,000 domain scans

Rating

0.0

(0)

Developer

👁 Andok

Andok

Maintained by Community

Actor stats

Bookmarked

Total users

Monthly active users

3 months ago

Last modified

Subdomain Finder (CT Logs + DNS)

Map the full attack surface of any domain by discovering subdomains through certificate transparency logs and optional DNS brute-force. Security audits and penetration tests start with knowing what is exposed — yet manual subdomain enumeration is slow and incomplete. Scan multiple domains in bulk with configurable concurrency and get structured results ready for downstream security tools.

Features

Certificate transparency — queries crt.sh to find subdomains from publicly issued TLS certificates
DNS brute-force — optional wordlist-based subdomain discovery for common names like api, staging, admin
Bulk scanning — process multiple root domains in a single run
Configurable concurrency — control parallel lookups from 1 to 25 simultaneous queries
Source tracking — reports how many subdomains came from each discovery method
Custom wordlists — extend or replace the default brute-force wordlist with your own terms
Charge limit support — respects the Apify max charge per run to control costs

Input

Field	Type	Required	Default	Description
`domains`	`array`	No	`["example.com"]`	Root domains to scan for subdomains
`domain`	`string`	No	—	Single domain to scan (backwards compatible, use `domains` for bulk)
`useCertificateTransparency`	`boolean`	No	`true`	Query certificate transparency logs (crt.sh) for subdomain discovery
`useDnsBruteforce`	`boolean`	No	`false`	Check a wordlist of common subdomain names via DNS resolution
`bruteforceWords`	`array`	No	`["www", "mail", "api", ...]`	Custom wordlist for DNS brute-force. Only used when brute-force is enabled
`timeoutSeconds`	`integer`	No	`15`	Timeout in seconds for each DNS or HTTP request
`concurrency`	`integer`	No	`5`	Number of parallel domain lookups (1-25)

Input Example

{
"domains":["example.com","example.org"],
"useCertificateTransparency":true,
"useDnsBruteforce":true,
"concurrency":10
}

Output

Each root domain produces one dataset item with all discovered subdomains and source counts.

Key fields:

domain (string) — the root domain that was scanned
subdomainCount (integer) — total number of unique subdomains found
subdomains (array) — sorted list of all discovered subdomains
sources (object) — count of subdomains found per method (crtsh, dnsBruteforce)
checkedAt (string) — ISO 8601 timestamp of the scan
error (string | null) — any issues encountered during the scan

Output Example

{
"domain":"example.com",
"subdomainCount":12,
"subdomains":[
"api.example.com",
"blog.example.com",
"cdn.example.com",
"dev.example.com",
"mail.example.com",
"staging.example.com",
"status.example.com",
"support.example.com",
"vpn.example.com",
"wiki.example.com",
"www.example.com",
"zabbix.example.com"
],
"sources":{
"crtsh":10,
"dnsBruteforce":4
},
"checkedAt":"2025-03-09T14:30:00.000Z",
"error":null
}

Pricing

Event	Cost
Domain Scan	Pay-per-event pricing applies

Set ACTOR_MAX_TOTAL_CHARGE_USD to control maximum spending per run.

Use Cases

Penetration testing reconnaissance — discover all exposed subdomains before beginning a security assessment
Attack surface management — schedule weekly scans to detect new or unauthorized subdomains as they appear
Brand protection — find subdomains that may have been forgotten, misconfigured, or hijacked
Certificate audit preparation — enumerate subdomains to feed into SSL certificate monitoring
Infrastructure inventory — build a complete map of subdomains across multiple client domains for MSPs and agencies

Related Actors

Actor	What it adds
DNS Propagation Checker	Verify DNS records for discovered subdomains across global resolvers
SSL Certificate Monitor	Check SSL certificate health for every subdomain found
Security Headers Analyzer	Audit HTTP security headers on discovered subdomains

Notes

Certificate transparency results depend on crt.sh availability. If crt.sh is temporarily down, the actor logs the error and continues with DNS brute-force if enabled.
DNS brute-force only checks the provided wordlist — it does not perform exhaustive enumeration. Extend bruteforceWords for deeper coverage.

👁 Subdomain Finder - Discover Subdomains via CT Logs avatar

Subdomain Finder - Discover Subdomains via CT Logs

logiover/subdomain-finder

Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key — export to CSV or JSON.

👁 User avatar

Logiover

Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint

advx/attack-surface-recon

Map a domain's external attack surface. Passive subdomain enumeration with subfinder, HTTP fingerprint with httpx: status, title, server, technology stack, TLS issuer and IP. One dataset row per responding host. For recon, asset discovery and security audits.

👁 User avatar

Sevastian Z

theHarvester Domain OSINT - Subdomains, Hosts & Emails

ntriqpro/theharvester-osint

Run theHarvester (the standard open-source OSINT tool) on any domain: discover subdomains, hosts, IPs and emails from free public sources (crt.sh, Certspotter, HackerTarget, DuckDuckGo). For recon, attack-surface mapping and due diligence.

👁 User avatar

daehwan kim

👁 Subdomain Radar — Passive OSINT Enumeration avatar

Subdomain Radar — Passive OSINT Enumeration

saregaa/subdomain-scraper

Discover subdomains silently. No brute-force — pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.

👁 User avatar

Saregaa

Certificate Transparency Subdomain Search (crt.sh alternative)

advx/ct-domain-lookup

Find subdomains and TLS certificates for any domain from Certificate Transparency logs. A fast, working crt.sh alternative for subdomain enumeration, recon and attack-surface mapping. Returns unique hostnames with first/last seen and issuers, or raw certificates.

👁 User avatar

Sevastian Z

👁 Subdomain Intelligence OSINT Scanner & Monitor avatar

Subdomain Intelligence OSINT Scanner & Monitor

thescrapelab/subdomain-intelligence-osint

Subdomain finder and OSINT exposure monitor for authorized domains. Discover subdomains, validate DNS, classify live/auth-gated/DNS-only assets, detect technologies and providers, monitor changes, and generate reports.

👁 User avatar

Inus Grobler

👁 Real Subdomain Finder avatar

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. Simple Subdomain Lookup that works!

👁 User avatar

One Scales

5.0

👁 Subdomains Finder API - Realtime DNS Subdomain Scanner avatar

Subdomains Finder API - Realtime DNS Subdomain Scanner

dev00/subdomains-finder-api-realtime-dns-subdomain-scanner

High-performance subdomain scanner that retrieves all registered subdomains, IP addresses, and Cloudflare protection status for any given domain.

dev00

👁 Automated reconnaissance actor for bug bounty hunters avatar

Automated reconnaissance actor for bug bounty hunters

wonderful_beluga/automated-reconnaissance-actor-for-bug-bounty-hunters

This Apify actor automates bug bounty recon by scraping the Wayback Machine and GitHub for legacy attack surfaces. It extracts historical URLs, public code, and deprecated files, parsing them to uncover hidden subdomains and forgotten API endpoints. The findings are saved into structured JSON files.

👁 User avatar

Zaher el siddik

👁 Subdomain Finder avatar