Everyone uses subfinder, amass, and assetfinder.

But I found more subdomains using certificate transparency than all three combined last week.

Try this:
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

You're welcome.

#OSINT #Recon #Infosec #cyberSecurity