SubDomainFinder

The SubDomainFinder by binsec.tools is a free tool for the systematic discovery of subdomains of a target domain. It helps security teams to identify hostnames and thereby make an organization’s external attack surface transparent. This allows potential entry points to be detected at an early stage, making SubDomainFinder a reliable foundation for penetration tests, red team exercises, and continuous security monitoring.

It combines the following discovery methods:

  • DNS brute-force (wordlist iteration): Queries DNS for each candidate name from a subdomain wordlist to identify resolvable hostnames.
  • Certificate Transparency Logs (CT logs): Analysis of published TLS/SSL certificates for included Common Names and SAN entries that reveal subdomains.
  • Indexed search engine results (e.g., Google): Targeted search queries and analysis of indexed pages to identify subdomains mentioned in search results.

The wordlists used for the brute-force can range from 500 to 50,000 words, depending on the desired duration.

All results are deduplicated and exported as a list, allowing the data to be directly integrated into subsequent processes such as port scanning, web path enumeration, or automated testing routines.
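The deduplication step described above, sketched as an added example (not SubDomainFinder's own code): it merges constructed sample results from the three sources, normalizes case, trailing dots and wildcard SAN entries, and keeps only names inside the authorized domain. The function names and all sample data are assumptions made for illustration.

```python
# Added example: merge hostnames from several discovery sources into one
# deduplicated, in-scope list. All sample data below is constructed.
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(name):
    """Return a canonical hostname, or None if the entry is not a usable hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        # A wildcard SAN names no concrete host; this example keeps the parent.
        name = name[2:]
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        return None
    return name

def in_scope(host, domain):
    """True only for the domain itself or a subdomain on a label boundary."""
    return host == domain or host.endswith("." + domain)

def merge_sources(domain, sources):
    """sources: dict of source name -> iterable of raw entries.
    Returns {hostname: sorted list of sources that reported it}."""
    domain = normalize(domain)
    found = {}
    for source, entries in sources.items():
        for raw in entries:
            host = normalize(raw)
            if host and in_scope(host, domain):
                found.setdefault(host, set()).add(source)
    return {h: sorted(s) for h, s in sorted(found.items())}

# Constructed sample results, shaped as the three methods might return them.
SAMPLE = {
    "dns_bruteforce": ["www.example.com", "mail.example.com.", "VPN.example.com"],
    "ct_logs": ["*.example.com", "www.example.com", "api.example.com\n",
                "shop.example.com.evil.test", "notexample.com"],
    "search_engine": ["WWW.Example.com", "blog.example.com", "http://x"],
}

if __name__ == "__main__":
    for host, seen_by in merge_sources("example.com", SAMPLE).items():
        print(host, ",".join(seen_by))
```

The suffix check on a label boundary is what keeps look-alike names such as `notexample.com` or `shop.example.com.evil.test` out of the exported list before it is handed to later stages.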

Limitations such as non-publicly visible internal hostnames or delays in CT logs affect only a small part of the relevant attack surface in practice and are rarely decisive in the initial analysis phases. For complete assessments, internal methods may be added; however, SubDomainFinder already provides a fast, extensive, and useful set of subdomains in most engagements. Legal requirements and a clearly defined scope remain important: with proper authorization and coordination, SubDomainFinder is an efficient, pragmatic tool for security researchers and penetration testers.

