by x32x01
If you’re into web reconnaissance and penetration testing, one of the first things you’ll want to do is enumerate all subdomains of a target domain. Subdomains can reveal hidden parts of a website, staging servers, admin panels, or legacy systems that could be vulnerable.
CrtFinder is a simple Python script that allows you to extract all subdomains from the crt.sh website. It’s lightweight, fast, and outputs subdomains in a hierarchical format, from sub.domain.com up to sub.sub.sub.subdomain.com. This tool is perfect for bug bounty hunters, security researchers, and web developers who want to check their own domain security.

What is crt.sh and Why Use It?
Crt.sh is a searchable database of Certificate Transparency (CT) logs that lists publicly issued SSL/TLS certificates. It’s an invaluable resource for security professionals because:
- It allows you to find subdomains that may not be publicly listed
- It helps detect shadow IT and forgotten assets
- It can be used for security audits and penetration testing

Features of CrtFinder
- Simple Python script
- Extracts all subdomains of a domain
- Handles multi-level subdomains
- Outputs clean and readable results
- Lightweight and fast
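
Download CrtFinder from GitHub
To get started, clone the GitHub repository:
Code:
git clone https://github.com/eslam3kl/crtfinder.git
After cloning, you’ll have all the necessary files to run the script.

Installation of Dependencies
CrtFinder requires Python and some dependencies. To install them:
Code:
pip install -r requirements.txt
This ensures all necessary packages are installed, such as requests, argparse, or others used by the script.
Make sure you’re using Python 3.x for compatibility.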

How to Use CrtFinder: Basic Usage Guide
Once dependencies are installed, you can run CrtFinder with a simple command:
Code:
python crtfinder.py -u domain.com
- -u specifies the target domain
- The script queries crt.sh for all SSL certificates related to the domain
- Outputs all subdomains in a hierarchical order
This allows you to map the domain’s entire subdomain structure.

Example Output
Code:
sub.domain.com
api.sub.domain.com
dev.sub.domain.com
login.api.sub.domain.com

Advanced Usage Tips
1. Integrating with Other Tools
You can combine CrtFinder output with Nmap or Gobuster to scan for open ports or hidden directories:
Code:
nmap -iL subdomains.txt -p 80,443
This gives a full picture of live subdomains and potential vulnerabilities.

2. Automating Reconnaissance
For bug bounty programs, you can integrate CrtFinder into an automated workflow:
Code:
python crtfinder.py -u example.com > subdomains.txt
gobuster dir -u https://example.com -w wordlist.txt -l
This way, you can quickly go from subdomain enumeration to directory discovery.

3. Exporting to File
You can save output directly into a file for later analysis:
Code:
python crtfinder.py -u domain.com > all_subdomains.txt
Then use tools like grep, sort, or uniq to clean the results.

Why Subdomain Enumeration Matters
- Detect Hidden Assets: Developers often leave staging, dev, or admin subdomains online without knowing.
- Bug Bounty Hunting: Finding subdomains often leads to vulnerable endpoints.
- Security Audits: Helps companies identify shadow IT or forgotten services.
- Network Mapping: Provides a clear map of all resources under a domain.

Best Practices When Using CrtFinder
- Always have legal permission before testing a domain
- Use CrtFinder in combination with other reconnaissance tools
- Keep output organized for future penetration testing phases
- Respect the target server: CrtFinder only queries crt.sh, so it’s safe and doesn’t directly stress the target server
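
Added example (not CrtFinder's own code): one way to turn crt.sh results into the clean, depth-ordered, in-scope list described above when auditing a domain you are authorized to assess. It assumes crt.sh's JSON output shape (`common_name` and a newline-separated `name_value`); the sample records and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like crt.sh JSON output (a list of objects with
# "common_name" and a newline-separated "name_value"); not real CT data.
SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "API.dev.example.com", "name_value": "API.dev.example.com."},
    {"common_name": "login.api.dev.example.com",
     "name_value": "login.api.dev.example.com\nadmin@mail.example.com"},
    {"common_name": "shop.example.net", "name_value": "shop.example.net"},
])


def extract_subdomains(crtsh_json, domain):
    """Return unique in-scope subdomains, shallowest first, then A-Z."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        names = (entry.get("name_value") or "").split("\n")
        names.append(entry.get("common_name") or "")
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # wildcard cert: keep the parent name
            if not name or "@" in name or " " in name:
                continue                 # e-mail identities and free text
            if name.endswith("." + domain):
                found.add(name)          # drops the apex and other domains
    return sorted(found, key=lambda n: (n.count("."), n))


def group_by_depth(names, domain):
    """Map depth (labels left of the domain) to the names at that depth."""
    groups = defaultdict(list)
    for name in names:
        groups[name.count(".") - domain.count(".")].append(name)
    return dict(groups)


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE, "example.com")
    for depth, names in group_by_depth(subs, "example.com").items():
        print(depth, *names)
```

Names recovered from certificates can be stale, so treat the list as an inventory to verify against DNS rather than a list of live hosts.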

Conclusion
CrtFinder is a must-have tool for anyone serious about domain reconnaissance or penetration testing. With just a few commands, you can uncover hidden subdomains that may expose sensitive services or admin panels.
Pair CrtFinder with tools like Nmap, Gobuster, or Nikto, and you have a powerful reconnaissance workflow for security research or bug bounty hunting.
Get started today, clone the repo, install dependencies, and start mapping your subdomains!