See How the Engine Works
SubSpectre orchestrates a multi-stage reconnaissance process to discover subdomains, analyze ownership, and fingerprint technologies.
1. CT Log Ingestion
We start by querying massive Certificate Transparency logs. Every time an SSL certificate is issued, it's logged publicly. We mine this data instantly to find historical subdomains.
- Queries
crt.sh& Google Logs - 100% Passive & Undetectable
2. Smart Permutation
Subdomains often follow predictable patterns. Our engine takes known subdomains and applies intelligent mutations—adding environments (`dev-`), numbers (`api2`), and common stacks (`jenkins`).
3. Mass Resolution
Finally, we validate every candidate. Using high-concurrency DNS resolvers, we filter out the noise and only present you with resolvable, live targets.
4. Whois Intelligence
For ownership analysis, we perform recursive WHOIS lookups. Starting from the IANA root servers, we follow referrals down to the authoritative registrar to ensure accurate data.
5. Tech Fingerprinting
Our analysis engine scans HTTP headers, script tags, and HTML patterns. Using a weighted scoring system, we identify frameworks (React, Next.js), servers, and analytics tools with high confidence.
6. IP Intelligence
Finally, we enrich every result with deep IP data. By analyzing geolocation, ASN ownership, and ISP information, we give you the physical and logical context of your digital assets.