Skip to content
NEW: automatically exploit Confluence OGNL injection with Sniper

Find Subdomains

Discover subdomains and determine the attack surface of an organization.

Sample Report | Use Cases | Technical Details

Need to see the full results?

Unlock the full power and feature of our Find Subdomains! Compare pricing plans and discover more tools and features.

Sample Report

Here is a Find Subdomains sample report:

  • Includes discovered subdomains and their IP addresses
  • Includes network information
  • Click on subdomain name to access the HTTP server
  • Further Scan with other tools

Download Sample Report

Sample report

Find Subdomains - Use Cases

Allows you to discover subdomains of a target domain and to determine the attack surface of a target organization. Find systems which are less protected and more vulnerable to attacks.

Discover Attack Surface

Find which systems are exposed to the Internet and constitute your organization's attack surface. Development, test, backup or less-known applications are usually an easy target for attackers and they can be the entry point of an attacker to your organization.

Asset Inventory

This is a great way to perform an independent asset inventory and to check if the 'official' list of systems exposed to the Internet corresponds with the reality. The results will allow you to update your internal documentation and decomission legacy systems or upgrade the old ones.

Real-Time Discovery

The results of Find Subdomains are obtained in real-time and no caching mechanism is used. This allows us to always have up-to date results. Furthermore, the DNS resolution of the subdomains is also performed in real-time and only the valid results are shown.

Technical Details


Finding subdomains is an important step in the information gathering phase of a penetration test. Subdomains are interesting because they point to various (less-known) applications and indicate different external network ranges used by the target company.

For instance, points to IP and points to IP Now you know two different IP ranges possibly owned by your target organization and you can extend the attack surface.

Furthermore, subdomains sometimes host 'non-public' applications (e.g. test, development, restricted) which are usually less secure than the public/official applications so they can be the primary attack targets.


Parameter Description
Domain name The target domain name (ex.,, etc), which will be searched for subdomains
Include IP information This option instructs the tool to do whois queries to determine the network owners and country for each IP address

How it works

This tool uses multiple techniques to find subdomains such as:
  • DNS records (NS, MX, TXT, AXFR)
  • DNS enumeration based on a specially chosen wordlist
  • Public search engine queries
  • Word mutation techniques
  • Searching in SSL certificates
  • Parsing HTML links
  • Reverse DNS on target IP ranges