Overview

The Domain Finder discovers additional domain names owned by a target organization. These associated domains may expose resources that are less secure than the main domain, making domain discovery a useful step during penetration tests and bug bounty activities.
Domain Finder is a discovery tool: it identifies related domains but does not test for vulnerabilities. It does not add data to your Attack Surface or generate findings.
Example: For facebook.com, the tool discovers related domains like:
  • facebook.net
  • fbcdn.net
  • fb.com
  • messenger.com
  • fbsbx.com

Scan types

Technique | Light scan | Deep scan
SSL Certificates
BuiltWith
Reverse Whois
Custom scan allows you to select which techniques to use and configure all parameters manually.

Parameters

Parameter | Description
Target | The target domain (e.g., oracle.com, yahoo.com). Must be a root domain with a TLD; subdomains like www.example.com are not accepted.
Scan type | Light, Deep, or Custom. See the comparison table above.
SSL Certificates | Enable searching Certificate Transparency Logs. See SSL Certificates for details.
BuiltWith | Enable searching for shared technology relationships. See BuiltWith for details.
Reverse Whois | Enable reverse Whois lookups on registrant data. See Reverse Whois for details.
Minimum weight | Certainty threshold (0-100) for including a domain in results. Default is 30. Higher values show only high-confidence matches; lower values show more potential matches that may need verification. See How results are scored for details on how certainty is calculated.

Discovery techniques

SSL Certificates

Searches Certificate Transparency Logs for certificates that include the target domain or its subdomains. The tool examines:
  • Current certificates: Active certificates where the target appears in the Common Name or Subject Alternative Names
  • Expired certificates: Historical certificates that may reveal previously associated domains
  • Organization field: The company name in certificates, used to find other domains with matching organizations
This technique is particularly effective because organizations often include multiple domains in a single certificate or use the same company name across certificates for different domains.
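The matching described above, sketched as an added example for inventorying an organization's own domains (this is not Domain Finder's code). The record layout, the sample certificates, and the small suffix set standing in for the Public Suffix List are all assumptions.

```python
from collections import defaultdict

# Constructed records shaped like parsed CT log entries (placeholder names only).
CERTS = [
    {"cn": "example.com", "org": "Example Corp", "expired": False,
     "sans": ["example.com", "*.example.com", "example-cdn.net"]},
    {"cn": "shop.example.org", "org": "Example Corp", "expired": False,
     "sans": ["shop.example.org"]},
    {"cn": "old.example.com", "org": None, "expired": True,
     "sans": ["old.example.com", "legacy-example.co.uk"]},
    {"cn": "unrelated.test", "org": "Other Ltd", "expired": False,
     "sans": ["unrelated.test"]},
]

# Assumption: this small set stands in for the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def root_domain(name):
    """Reduce a certificate name (CN or SAN) to its registrable root domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def cert_roots(cert):
    """Root domains named anywhere in one certificate."""
    return {root_domain(n) for n in [cert["cn"], *cert["sans"]]}


def related_domains(target, certs):
    """Map each related root domain to the reasons it was linked to target."""
    # Organization names found on certificates that cover the target itself.
    orgs = {c["org"] for c in certs if c["org"] and target in cert_roots(c)}
    evidence = defaultdict(set)
    for cert in certs:
        roots = cert_roots(cert)
        if target in roots:
            reason = "expired certificate" if cert["expired"] else "current certificate"
        elif cert["org"] in orgs:
            reason = "organization match"
        else:
            continue
        for root in roots - {target}:
            evidence[root].add(reason)
    return dict(evidence)
```

A domain linked only by "organization match" shares no certificate with the target, so it is the kind of result to verify before it enters scope.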

BuiltWith

Searches BuiltWith for technology relationship data. When two websites share the same tracking identifiers (like Google Analytics IDs, Facebook Pixels, or other technology fingerprints), they’re likely owned by the same organization. The tool considers:
  • Whether the relationship is currently active
  • How long the relationship has existed
  • How many times the relationship appears across different technologies

Reverse Whois

Performs a multi-step Whois analysis:
  1. Initial lookup: Gets the registrant company and contact email from the target domain’s Whois record
  2. Reverse lookup on company: Finds all domains registered under the same company name
  3. Reverse lookup on email: Finds all domains registered with the same contact email
Domain registration data directly links domains to their owners, making this an effective technique.

How results are scored

Each discovered domain receives a certainty score based on multiple factors:
Factor | Description
SSL certificate matches | How the domain appears in certificates (in target’s cert, in other certs, organization match)
BuiltWith relationships | Shared technology identifiers, relationship duration, and current status
Whois record matches | Matching registrant companies or contact emails
Name similarity | Similar domain names (e.g., amazon.com and amazon.de)
Redirect analysis | Whether domains redirect to each other
The Minimum weight parameter filters out low-confidence results. The default of 30 provides a good balance between coverage and accuracy. Increase it to see only high-confidence matches; decrease it to see more potential matches that may need manual verification.
Not all discovered domains may belong to your target. Always verify ownership before adding domains to your testing scope.

Follow-up actions

After discovering related domains:
  1. Verify ownership: Confirm domains belong to the target
  2. Enumerate subdomains: Use Subdomain Finder on each discovered domain
  3. Check for takeover risks: Use Subdomain Takeover to find dangling DNS entries
  4. Look up registration details: Use WHOIS Lookup for domain registration information
  5. Search for exposed data: Use Google Hacking to find indexed information about discovered domains
  6. Scan discovered assets: Run appropriate vulnerability scanners on confirmed domains