Tutorials

Common Search Patterns

MerkleMap's search functionality allows you to discover subdomains and SSL/TLS certificates across the internet. Here are some common search patterns to get you started:

1. Default search behavior: By default, MerkleMap interprets search terms as *query*, meaning that a wildcard (*) is automatically added at the start and end of the search term. For example, searching for example will match subdomains like example.com, www.example.com, dev.example.org, etc.

This default behavior is disabled if:

• The exact match operator = is used.
• At least one wildcard (*) is manually specified in the search query.

2. Searching for subdomains of a specific domain: To find subdomains of a particular domain, enter the domain name in the search query field. For example, to find subdomains of example.com, use the following search query: example.com

3. Using wildcards: MerkleMap supports the use of wildcards (*) in search queries. This allows you to find subdomains that match a specific pattern. For instance, to find subdomains starting with "dev" for example.com, use the following search query: dev*.example.com

4. Exact matches: If you want to search for an exact subdomain, prefix your search query with =. This ensures that MerkleMap returns only the exact match. For example, to find the exact subdomain api.example.com, use the following search query: =api.example.com

5. Finding instances of a specific keyword: MerkleMap can help you find subdomains containing a specific keyword. For instance, to find subdomains that include the word "jira", use the following search query: jira This will return subdomains like jira.example.com, dev-jira.example.org, etc.

Automating Searches

MerkleMap provides an API that enables you to automate your searches and integrate MerkleMap's functionality into your own tools and scripts. Here's an example of how to use the MerkleMap API to automate searches:

1. API Endpoint: The MerkleMap search API endpoint is:

https://api.merklemap.com/search

2. API Parameters: The API supports the following query parameters:

• query: The search query (e.g., example.com).
• page: The page number for paginated results.
• stream_progress: Set to true to get the search progress in the response stream.
• stream: Set to true to get the search results in the response stream. Pagination is ignored in this mode.

3. Example API Request: Here's an example API request using curl to search for subdomains of example.com:

curl -N -G https://api.merklemap.com/search \
-d query=example.com \
-d page=1

4. API Response Format: The API response is returned as a JSON object by default. However, when stream=true and/or stream_progress=true are used, the response is returned as a Server-Sent Events (SSE) stream.

• JSON Response:

{
    "count": 9588,
    "results": [
        {
            "domain": "3.example.com",
            "subject_common_name": "1.example.com",
            "not_before": 1726168444
        },
        {
            "domain": "www.2.example.com",
            "subject_common_name": "www.2.example.com",
            "not_before": 1726130923
        },
        ...
    ]
}

• SSE Stream Response:

data: {"progress_percentage":10.0}

data: {"progress_percentage":20.0}

data: {"domain":"example.com","not_before":1726168444,"subject_common_name":"example.com"}

data: {"progress_percentage":30.0}

data: {"domain":"www.example.com","not_before":1726130923,"subject_common_name":"www.example.com"}

...

By leveraging the MerkleMap API, you can automate your searches, integrate MerkleMap into your existing tools, and build custom solutions tailored to your specific needs.

These tutorials provide a starting point for exploring MerkleMap's search capabilities. Feel free to experiment with different search patterns, use wildcards, and automate your searches to unleash the full potential of MerkleMap in your subdomain enumeration and certificate transparency exploration efforts.