@1N3
Last active February 5, 2024 15:29
A small bash script to gather all certificate sub-domains from crt.sh and save them to a file
#!/bin/bash
#
# crt.sh sub-domain check by 1N3@CrowdShield
# https://crowdshield.com
#
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'
TARGET="$1"
if [ -z "$TARGET" ]; then
echo -e "$OKRED _ _ $RESET"
echo -e "$OKRED ___ _ __| |_ ___| |__ $RESET"
echo -e "$OKRED / __| '__| __| / __| '_ \ $RESET"
echo -e "$OKRED | (__| | | |_ _\__ \ | | |$RESET"
echo -e "$OKRED \___|_| \__(_)___/_| |_|$RESET"
echo ""
echo -e "$OKRED [+] by 1N3@CrowdShield$RESET"
echo -e "$OKRED [+] https://crowdshield.com$RESET"
echo -e "$OKRED [-] Usage: crt.sh <target>$RESET"
exit
fi
if [[ $TARGET = "--help" ]]; then
echo -e "$OKRED _ _ $RESET"
echo -e "$OKRED ___ _ __| |_ ___| |__ $RESET"
echo -e "$OKRED / __| '__| __| / __| '_ \ $RESET"
echo -e "$OKRED | (__| | | |_ _\__ \ | | |$RESET"
echo -e "$OKRED \___|_| \__(_)___/_| |_|$RESET"
echo ""
echo -e "$OKRED [+] by 1N3@CrowdShield$RESET"
echo -e "$OKRED [+] https://crowdshield.com$RESET"
echo -e "$OKRED [-] Usage: crt.sh <target>$RESET"
exit
fi
echo -e "$OKRED _ _ $RESET"
echo -e "$OKRED ___ _ __| |_ ___| |__ $RESET"
echo -e "$OKRED / __| '__| __| / __| '_ \ $RESET"
echo -e "$OKRED | (__| | | |_ _\__ \ | | |$RESET"
echo -e "$OKRED \___|_| \__(_)___/_| |_|$RESET"
echo ""
echo -e "$OKRED [+] by 1N3@CrowdShield$RESET"
echo -e "$OKRED [+] https://crowdshield.com$RESET"
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
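# Fetch the crt.sh results page into a private temp file instead of a fixed /tmp path
TMPFILE="$(mktemp)"
curl -s "https://crt.sh/?q=%25.$TARGET" > "$TMPFILE"
# Keep the TD cells that mention the target, strip the markup and de-duplicate
grep -F -- "$TARGET" "$TMPFILE" | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > "$TARGET-crt.txt"
rm -f "$TMPFILE"
cat "$TARGET-crt.txt"
echo -e "$OKRED [+] Domains saved to: $TARGET-crt.txt$RESET"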
echo -e "$OKRED + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET"
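
An added example, not part of the original gist: the pipeline above keeps any line containing the target string, so lookalike names and wildcard entries end up in the output file. The function below normalizes the cell text and keeps only names that really fall under the target domain. `ct_names` and `sample_html` are hypothetical names, and the sample HTML is constructed on the assumption that names sit in table cells, sometimes several per cell separated by `<BR>`.

```shell
#!/bin/sh
# ct_names DOMAIN: read crt.sh-style HTML on stdin, print the unique
# hostnames that equal DOMAIN or end in ".DOMAIN" (example code).
ct_names() {
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr '[:upper:]' '[:lower:]' |       # DNS names are case-insensitive
    sed -e 's/<[^>]*>/ /g' |         # replace every tag (TD, BR, A) with a space
    tr -s ' \t' '\n' |               # one candidate token per line
    awk -v d="$domain" '
      {
        sub(/^\*\./, "")             # "*.example.test" covers "example.test" children
        # keep only tokens that look like a dotted hostname
        if ($0 !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/) next
        n = length($0); m = length(d)
        # exact match, or a real label boundary before the domain
        if ($0 == d || (n > m && substr($0, n - m) == ("." d))) print
      }' |
    LC_ALL=C sort -u
}

# Constructed sample input (not real crt.sh output).
sample_html() {
  cat <<'EOF'
<TR><TD><A href="?id=1">1</A></TD><TD>www.example.test</TD></TR>
<TR><TD><A href="?id=2">2</A></TD><TD>*.example.test<BR>example.test</TD></TR>
<TR><TD><A href="?id=3">3</A></TD><TD>API.Example.Test</TD></TR>
<TR><TD><A href="?id=4">4</A></TD><TD>a.b.example.test</TD></TR>
<TR><TD><A href="?id=5">5</A></TD><TD>notexample.test</TD></TR>
<TR><TD><A href="?id=6">6</A></TD><TD>example.test.evil.invalid</TD></TR>
EOF
}

# Stand-alone run over the constructed sample.
sample_html | ct_names example.test
```

The suffix check is done with string comparison rather than `grep`, so the dots in the domain are never treated as regex wildcards.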
@arno01

arno01 commented Jul 16, 2018

Simpler would be to use pup:

$ curl -fsSL "https://crt.sh/?CN=%25.linux.com&exclude=expired" | pup 'td :contains(".linux.com") text{}' | sort -n | uniq -c | sort -rn | column -t
4  w.linux.com
4  video.linux.com
4  store.linux.com
4  smtp.linux.com
4  shop.linux.com
4  jp.linux.com
3  archive15.linux.com
2  aws-le-test.linux.com

@elormrescue

Simpler would be to use pup:

$ curl -fsSL "https://crt.sh/?CN=%25.linux.com&exclude=expired" | pup 'td :contains(".linux.com") text{}' | sort -n | uniq -c | sort -rn | column -t
4  w.linux.com
4  video.linux.com
4  store.linux.com
4  smtp.linux.com
4  shop.linux.com
4  jp.linux.com
3  archive15.linux.com
2  aws-le-test.linux.com

How can one write the output into a file?

@0xINT3

0xINT3 commented Jan 7, 2020

Simpler would be to use pup:

$ curl -fsSL "https://crt.sh/?CN=%25.linux.com&exclude=expired" | pup 'td :contains(".linux.com") text{}' | sort -n | uniq -c | sort -rn | column -t
4  w.linux.com
4  video.linux.com
4  store.linux.com
4  smtp.linux.com
4  shop.linux.com
4  jp.linux.com
3  archive15.linux.com
2  aws-le-test.linux.com

How can one write the output into a file?

curl -fsSL "https://crt.sh/?q=%25.domain-name.com&exclude=expired" | pup 'td :contains(".domain-name.com") text{}' | sort -n | uniq -c | sort -rn | column -t | cut -c 5- > domains.txt

@zuhairabid

zuhairabid commented Oct 29, 2020

What about third-level subdomains? How can I get more levels of subdomains?

@hakxcore

curl -fsSL "https://crt.sh/?q=%25.howtohack.tech&exclude=expired" | pup 'td :contains(".howtohack.tech") text{}' | sort -n | uniq -c | sort -rn | column -t | awk '{ print $2 }'

@Poshith24

echo "Enter the domain name"
read -r TARGET
# Escape the inner quotes so pup receives the selector and text{} as one argument
curl -fsSL "https://crt.sh/?q=%25.$TARGET&exclude=expired" | pup "td :contains(\".$TARGET\") text{}" | sort -n | uniq -c | sort -rn | column -t > "$TARGET-crt.txt"

This bash script will get you the subdomains result from the crt.sh website.
