Discover subdomains of a domain using public certificate transparency logs.

Subdomain enumeration via certificate transparency log search. Queries crt.sh and other CT log aggregators for all certificates issued for a domain and its subdomains, extracting unique hostnames.

GET https://crt.sh/?q=[domain]&output=json searches the crt.sh aggregator which indexes all public CT logs (RFC 6962 Certificate Transparency). Returns deduplicated Subject CN and SAN DNS names from all certificates. Does not perform DNS resolution or active scanning; results reflect issued certificates only, not live services. Rate limits apply (crt.sh public API).