CrtFinder Subdomain Enumeration Tool

x32x01
  • by x32x01 ||
If you’re into web reconnaissance and penetration testing, one of the first things you’ll want to do is enumerate all subdomains of a target domain. Subdomains can reveal hidden parts of a website, staging servers, admin panels, or legacy systems that could be vulnerable.

CrtFinder is a simple Python script that allows you to extract all subdomains from the crt.sh website. It’s lightweight, fast, and outputs subdomains in a hierarchical format, from sub.domain.com up to sub.sub.sub.subdomain.com. This tool is perfect for bug bounty hunters, security researchers, and web developers who want to check their own domain security. 🚀💻


What is crt.sh and Why Use It? 📜

Crt.sh is a Certificate Transparency (CT) log database that lists all SSL/TLS certificates issued publicly. It’s an invaluable resource for security professionals because:
  • It allows you to find subdomains that may not be publicly listed
  • Helps detect shadow IT and forgotten assets
  • Can be used for security audits and penetration testing
CrtFinder simply automates the process of querying crt.sh and parsing all subdomains efficiently.


Features of CrtFinder 🌟

  • ✅ Simple Python script
  • ✅ Extracts all subdomains of a domain
  • ✅ Handles multi-level subdomains
  • ✅ Outputs clean and readable results
  • ✅ Lightweight and fast
This makes it a handy tool in the reconnaissance phase of any penetration test.


Download CrtFinder from GitHub 📥

To get started, clone the GitHub repository:
Code: 
git clone https://github.com/eslam3kl/crtfinder.git
After cloning, you’ll have all the necessary files to run the script.

Installation of Dependencies 🛠️

CrtFinder requires Python and some dependencies. To install them:
Code: 
pip install -r requirements.txt
This ensures all necessary packages are installed, such as requests, argparse, or others used by the script.
Make sure you’re using Python 3.x for compatibility.


How to Use CrtFinder: Basic Usage Guide 🐍

Once dependencies are installed, you can run CrtFinder with a simple command:
Code: 
python crtfinder.py -u domain.com
  • -u specifies the target domain
  • The script queries crt.sh for all SSL certificates related to the domain
  • Outputs all subdomains in a hierarchical order

Example Output

Code: 
sub.domain.com
api.sub.domain.com
dev.sub.domain.com
login.api.sub.domain.com
This allows you to map the domain’s entire subdomain structure.


Advanced Usage Tips ⚡


1. Integrating with Other Tools

You can combine CrtFinder output with Nmap or Gobuster to scan for open ports or hidden directories:
Code: 
nmap -iL subdomains.txt -p 80,443
This gives a full picture of live subdomains and potential vulnerabilities.

2. Automating Reconnaissance

For bug bounty programs, you can integrate CrtFinder into an automated workflow:
Code: 
python crtfinder.py -u example.com > subdomains.txt
python gobuster dir -u https://example.com -w wordlist.txt -l
This way, you can quickly go from subdomain enumeration to directory discovery.

3. Exporting to File

You can save output directly into a file for later analysis:
Code: 
python crtfinder.py -u domain.com > all_subdomains.txt
Then use tools like grep, sort, or uniq to clean the results.


Why Subdomain Enumeration Matters 🔑

  • Detect Hidden Assets: Developers often leave staging, dev, or admin subdomains online without knowing.
  • Bug Bounty Hunting: Finding subdomains often leads to vulnerable endpoints.
  • Security Audits: Helps companies identify shadow IT or forgotten services.
  • Network Mapping: Provides a clear map of all resources under a domain.
Remember: subdomains are often overlooked, but they can be an entry point for attackers. 🚨

Best Practices When Using CrtFinder 🧠

  • Always have legal permission before testing a domain
  • Use CrtFinder in combination with other reconnaissance tools
  • Keep output organized for future penetration testing phases
  • Respect the target server: CrtFinder only queries crt.sh, so it’s safe and doesn’t directly stress the target server

Conclusion 💡

CrtFinder is a must-have tool for anyone serious about domain reconnaissance or penetration testing. With just a few commands, you can uncover hidden subdomains that may expose sensitive services or admin panels.

Pair CrtFinder with tools like Nmap, Gobuster, or Nikto, and you have a powerful reconnaissance workflow for security research or bug bounty hunting. 🕵️‍♂️💻
Get started today, clone the repo, install dependencies, and start mapping your subdomains!
Simple script tool to extract all subdomains from crt.sh website.png

Simple script tool to extract all subdomains from crt.sh website2.png
 
Last edited:
Related Threads
x32x01
The Search Engine for Cyber Security (Hackers)
  • x32x01
Replies
0
Views
1K
x32x01
x32x01
x32x01
Fast Network Scanning Tools Cheat Sheet
  • x32x01
Replies
0
Views
1K
x32x01
x32x01
x32x01
DOM Clobbering XSS Explained for Bug Bounty
  • x32x01
Replies
0
Views
54
x32x01
x32x01
x32x01
Subdomain & Port Scanning Guide
  • x32x01
Replies
0
Views
1K
x32x01
x32x01
x32x01
XSS isn't dead - your website just thinks it is
  • x32x01
Replies
0
Views
427
x32x01
x32x01
TAGs: Tags
extract subdomains
Register & Login Faster
Forgot your password?
Latest Posts
Latest Resources
Forum Statistics
Threads
724
Messages
729
Members
70
Latest Member
blak_hat
Back
Top