Home Pentest-Tools.com Logo
Information Gathering

Find Subdomains

Discover subdomains and determine the attack surface of an organization.

Scan type
  • Light scan



Sample Find Subdomains report

Here is a sample report from our Find Subdomains that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Includes discovered subdomains and their IP addresses

  • Includes network information

  • Click on subdomain name to access the HTTP server

  • Use results to run deeper scans with other tools

Find Subdomains of Domain Report Sample

How to use the pentesting tool

Use Cases for Find Subdomains

Allows you to discover subdomains of a target domain and to determine the attack surface of a target organization. Find systems which are less protected and more vulnerable to attacks.

  • Discover Attack Surface

    Find which systems are exposed to the Internet and constitute your organization's attack surface. Development, test, backup or less-known applications are usually an easy target for attackers and they can use them as entry points to compromise the organization.

  • Asset Inventory

    This is a great way to perform an independent asset inventory and to check if the 'official' list of systems exposed to the Internet corresponds with the reality. The results allow you to update your internal documentation and decommission legacy systems or upgrade old ones.

  • Real-Time Discovery

    Find Subdomains provides real-time results, with no caching mechanism used, so you always get up-to-date findings. The platform also performs the DNS resolution of subdomains in real-time and you only see valid results.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Pentest-Tools.com Find Subdomains Scanner Sample Report

Find Subdomains

Technical details

Finding subdomains is an important step in the information gathering phase of a penetration test. Subdomains are interesting because they point to various (less-known) applications and indicate different external network ranges used by the target company.

For instance, subdom1.company.com points to IP and subdom2.company.com points to IP Now you know two different IP ranges possibly owned by your target organization and you can extend the attack surface.

Furthermore, subdomains sometimes host 'non-public' applications (e.g. test, development, restricted) which are usually less secure than the public/official applications so they can be the primary attack targets.


Domain nameThe target domain name (e.g. oracle.com, yahoo.com etc.), which will be searched for subdomains.
Include IP informationThis option instructs the tool to do whois queries in order to determine the network owners and country for each IP address.

How it works

This tool uses multiple techniques to find subdomains such as:

  • DNS records (NS, MX, TXT, AXFR)
  • DNS enumeration based on a specially chosen wordlist
  • Public search engine queries
  • Word mutation techniques
  • Searching in SSL certificates
  • Parsing HTML links
  • Reverse DNS on target IP ranges