Axeploit

Why Your Subdomains Are a Goldmine for Attackers (And How We’re Fixing It)

By Jason Miller

Your main application might be locked down tight, but what about dev.company.com or blog.company.com?

Subdomain scanning (often called subdomain enumeration) is the process of mapping out an organization's entire digital footprint. Because companies frequently forget to monitor or patch their subdomains, these hidden assets (staging servers, employee portals, deprecated APIs) become prime targets for attackers.

To find these hidden assets, security professionals use tools that generally operate using two primary methods: Passive and Active discovery. Here is a breakdown of how they work and the industry-standard tools for each approach.

1. Passive Enumeration Tools

Passive tools are stealthy. They never interact directly with the target company's servers. Instead, they scrape public records, search engine caches, and Certificate Transparency (CT) logs to find traces of subdomains that have been registered or discussed online.

  • OWASP Amass: This is the heavyweight champion of reconnaissance. Amass queries dozens of different external APIs, scrapes search engines, and analyzes certificates to build a massive, highly accurate map of a target's network. It is thorough but can be slow due to the volume of data it processes.
  • Sublist3r: A classic, straightforward Python tool. It aggregates results from search engines (like Google and Bing) and security databases (like VirusTotal and Netcraft). It’s an excellent starting point for quick Open-Source Intelligence (OSINT) gathering.
  • Assetfinder: Written in Go, this tool is incredibly fast and lightweight. It pulls subdomains from public sources like crt.sh (which indexes the Certificate Transparency logs of issued SSL/TLS certificates). Because it relies on simple text output, it is highly favored for chaining together in automated bash scripts.
  • Subfinder: Another blazing-fast tool written in Go by ProjectDiscovery. It uses passive sources and is designed to be highly modular and easily integrated into continuous security testing pipelines.

2. Active Enumeration Tools

Active tools are noisy. They interact directly with the target's DNS servers. The most common active method is brute-forcing, where the tool takes a massive dictionary of common subdomain names (e.g., admin, test, dev, mail) and rapidly asks the target's DNS server, "Does this exist?" over and over again.

  • ffuf (Fuzz Faster U Fool): While technically a general-purpose web fuzzer, ffuf is incredibly fast at subdomain brute-forcing. When paired with a strong wordlist (like those from SecLists), it can uncover subdomains that were never logged in public certificates.
  • Knockpy: A dedicated Python tool built specifically to brute-force subdomains using a wordlist. It also checks for DNS zone transfers, a misconfiguration where a DNS server hands out its entire zone (every record it holds) to anyone who asks.
  • DNSRecon: A robust script for deep DNS enumeration. It covers standard record checks, aggressive brute-forcing, and can even attempt to read cached DNS records to see what the server has resolved recently.
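The flip side of that noise is that a defender can see it. As an added example (not code from this post or from Axeploit), here is a small Python detector that flags a client which triggers many distinct NXDOMAIN answers under your own zone inside a short window, which is exactly the signature a wordlist brute-force leaves in authoritative DNS logs. The key=value log format, the addresses and the wordlist are constructed for illustration.

```python
# Added example (not from the post); the key=value log format is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:  # unrecognised line: skip it
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], FMT)
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec

def detect_bruteforce(lines, zone, window=timedelta(seconds=60), threshold=10):
    """{client: peak distinct in-zone NXDOMAIN names inside any window} for clients at/above threshold."""
    zone = zone.lower().rstrip(".")
    misses = defaultdict(list)  # client -> [(ts, qname)] for in-zone NXDOMAINs
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcode"] == "NXDOMAIN" and rec["qname"].endswith("." + zone):
            misses[rec["client"]].append((rec["ts"], rec["qname"]))
    alerts = {}
    for client, evs in misses.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            distinct = len({q for _, q in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[client] = max(alerts.get(client, 0), distinct)
    return alerts

WORDS = ["admin", "test", "dev", "mail", "staging", "vpn", "api", "git",
         "jenkins", "portal", "beta", "backup"]

def sample_logs():
    """Constructed lines: a scanner (203.0.113.5) plus one ordinary client."""
    base = datetime(2024, 5, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).strftime(FMT)} client=203.0.113.5 "
             f"qname={w}.company.com rcode=NXDOMAIN" for i, w in enumerate(WORDS)]
    lines.append("2024-05-01T12:00:03Z client=198.51.100.7 qname=www.company.com rcode=NOERROR")
    lines.append("2024-05-01T12:00:09Z client=198.51.100.7 qname=wwww.company.com rcode=NXDOMAIN")
    lines.append("2024-05-01T12:00:15Z client=198.51.100.7 qname=admin.other.example rcode=NXDOMAIN")
    return lines
```

Running `detect_bruteforce(sample_logs(), "company.com")` reports only the scanner; the ordinary client's single typo and its out-of-zone miss stay below the threshold.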

In cybersecurity, subdomains are notorious for harboring shadow IT, forgotten staging environments, and unpatched legacy services. Attackers know that security teams focus heavily on the main domain, making subdomains the perfect backdoor into your infrastructure. If you aren't actively mapping and scanning your subdomains, your attack surface is much larger than you think.

That’s why we’ve just rolled out a major upgrade to Axeploit.

You can now expand your security coverage with a single click. Just check the "Enable Subdomain Scan" box, and Axeploit takes care of the rest:

  • Automated Service Detection & Scanning: It instantly identifies what's running on your subdomains (whether it's a forgotten WordPress blog, a mail server, or a staging dashboard) and immediately checks them for known vulnerabilities.
  • Deep API Discovery: If it detects custom services, Axeploit doesn't just stop at surface-level checks. It replicates our core main-domain engine: automatically creating accounts, mapping out hidden APIs, and hunting for complex vulnerabilities.

Stop leaving your side doors wide open. Get complete visibility across your entire attack surface without adding hours of manual reconnaissance to your workflow.

Integrate Axeploit into your workflow today!