Want to find every subdomain of any website? There's a trick most developers don't know.
Every time a website gets an SSL certificate, it gets logged in a public database called Certificate Transparency logs. And crt.sh lets you search all of them — for free, with no API key.
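This means you can find every subdomain that has ever been named in a publicly logged SSL certificate for a domain. Subdomains covered only by a wildcard certificate (*.company.com) do not show up by name.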
Why This Is Useful
- Security audits: Find forgotten subdomains (staging.company.com, dev.company.com)
- Bug bounty: Discover attack surface of target domains
- Competitive analysis: See what internal tools competitors are running
- Monitoring: Get alerts when new certificates are issued for your domain
Quick Start
crt.sh has no official docs, but it supports a simple JSON API:
```python
import requests

def find_subdomains(domain):
    """Find all subdomains via Certificate Transparency logs."""
    # %25 is a URL-encoded '%', the wildcard crt.sh uses ("%.example.com")
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    resp = requests.get(url, timeout=30)
    if resp.status_code != 200:
        return []
    certs = resp.json()
    subdomains = set()
    for cert in certs:
        # name_value holds one or more names separated by newlines
        name = cert.get('name_value', '')
        for sub in name.split('\n'):
            sub = sub.strip().lower()
            # Skip wildcard entries such as *.example.com
            if sub and '*' not in sub:
                subdomains.add(sub)
    return sorted(subdomains)

# Example: Find all subdomains of a company
subs = find_subdomains('github.com')
print(f'Found {len(subs)} subdomains for github.com:')
for s in subs[:20]:
    print(f' {s}')
```
Output:
Found 847 subdomains for github.com:
alive.github.com
api.github.com
assets-cdn.github.com
classroom.github.com
cloud.github.com
codespaces.github.com
...
847 subdomains for github.com. Imagine running this on your competitor's domain.
Advanced: Monitor New Certificates
```python
from datetime import datetime, timedelta, timezone

import requests

def monitor_new_certs(domain, hours=24):
    """Find certificates issued in the last N hours."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    resp = requests.get(url, timeout=30)
    if resp.status_code != 200:
        return []
    certs = resp.json()
    # crt.sh timestamps are UTC with no offset, so compare against naive UTC
    cutoff = datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(hours=hours)
    new_certs = []
    for cert in certs:
        # not_before is the start of the certificate's validity period
        issued = cert.get('not_before', '')
        if issued:
            try:
                # Drop fractional seconds before parsing the ISO timestamp
                issued_dt = datetime.fromisoformat(issued.replace('T', ' ').split('.')[0])
                if issued_dt > cutoff:
                    new_certs.append({
                        'domain': cert['name_value'],
                        'issuer': cert.get('issuer_name', ''),
                        'issued': issued
                    })
            except ValueError:
                pass
    return new_certs

# Check what certs were issued for your domain in last 24h
new = monitor_new_certs('yourcompany.com', hours=24)
for c in new:
    print(f"NEW CERT: {c['domain']} (issued: {c['issued']})")
```
Run this as a cron job and you'll know within hours when someone gets a cert for a subdomain of your domain — which could mean a phishing attack.
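For the cron job described above, a time window alone will repeat or miss alerts when a run is late or skipped. The following is an added example (not code from the original post) that remembers which crt.sh record ids were already reported and flags issuers outside an expected list; the state file name, the `expected_issuers` list and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed crt.sh-style records for example.com (field names follow crt.sh's
# output=json; ids, issuers and timestamps are made up).
SAMPLE = [
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "www.example.com\nexample.com",
     "entry_timestamp": "2025-03-01T08:15:02.113"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "*.example.com",
     "entry_timestamp": "2025-03-02T10:00:00.5"},
    {"id": 103, "issuer_name": "C=XX, O=Unexpected CA, CN=Issuing CA 1",
     "name_value": "Login.Example.com",
     "entry_timestamp": "2025-03-03T12:30:45.9"},
]

def load_seen(path):
    """Load the ids reported by earlier runs (empty set on first run)."""
    try:
        with open(path) as f:
            return set(json.load(f))
    except FileNotFoundError:
        return set()

def save_seen(path, seen_ids):
    """Persist reported ids so the next cron run only alerts on new ones."""
    with open(path, "w") as f:
        json.dump(sorted(seen_ids), f)

def new_certificates(records, seen_ids, expected_issuers):
    """Return one alert per unseen record and add its id to seen_ids."""
    alerts = []
    for rec in sorted(records, key=lambda r: r["id"]):
        if rec["id"] in seen_ids:
            continue
        seen_ids.add(rec["id"])
        issuer = rec.get("issuer_name", "")
        names = {n.strip().lower() for n in rec["name_value"].split("\n")}
        alerts.append({
            "id": rec["id"],
            "names": sorted(n for n in names if n),  # wildcards kept on purpose
            "logged": rec.get("entry_timestamp", ""),
            # Flag issuance by a CA the organisation does not normally use
            "unexpected_issuer": not any(e in issuer for e in expected_issuers),
        })
    return alerts

if __name__ == "__main__":
    seen = load_seen("crtsh_seen.json")  # hypothetical state file name
    for a in new_certificates(SAMPLE, seen, ["Let's Encrypt"]):
        flag = " [UNEXPECTED ISSUER]" if a["unexpected_issuer"] else ""
        print(f"NEW CERT {a['id']}: {', '.join(a['names'])}{flag}")
    save_seen("crtsh_seen.json", seen)
```

In a real job, `SAMPLE` would be replaced by the parsed JSON response from the crt.sh query used earlier on this page.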
Combine With Other Tools
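```python
import socket

import shodan

# Step 1: Find subdomains via crt.sh
subdomains = find_subdomains('target.com')

# Step 2: Check each subdomain for open ports via Shodan
api = shodan.Shodan('YOUR_SHODAN_KEY')
for sub in subdomains[:10]:
    try:
        # Shodan's host lookup takes an IP address, so resolve the name first
        ip = socket.gethostbyname(sub)
        host = api.host(ip)
        print(f'{sub}: ports {host["ports"]}')
    except (socket.gaierror, shodan.APIError):
        # Name no longer resolves, or Shodan has no data for this IP
        pass
```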
Now you have a subdomain scanner + port scanner. All from free APIs.
Rate Limits
crt.sh is free and has no official rate limit, but:
- Be respectful: 1 request per 5 seconds
- Large domains (google.com) return 10K+ results and can be slow
- Cache results — certificates don't change that often
What security recon tools do you use?
I've been building a toolkit combining crt.sh + Shodan + WHOIS + VirusTotal. All free APIs, all in one Python script.
If you know other useful security APIs, share them in the comments — I'll add the best ones to my Free Security APIs Toolkit.