Subdomain Scanner

Find Subdomains and Systems Exposed to Web Attacks 

Find Subdomains and Systems Exposed to Web Attacks 

Contents of the Report

Here is what you can expect in Scantrics’ Subdomain Scanner report:
Subdomain Scanner

Use Cases for Subdomain Scanner

Find all subdomains with the Subdomain Scanner. By using the tool, organizations get to have an overview of their web assets because the Subdomain Scanner will be able to detect the server version of a particular subdomain without having to wait for too long as other tools do.

Subdomain Scanner provides the organization with insight on which server version should be updated to the latest version in order to countermeasure an attack before it is attempted by an attacker.

The Subdomain Scanner allows organization to find out where an attacker might launch a web attack by conducting information gathering on a target website located on another subdomain, which might be less secure from the main site. Development, test, backup and other lesser-known web applications are usually an easy entry point for attackers.

Thus, the Subdomain Scanner lets organizations view the same information from an attacker’s perspective. For example, organizations can use the tool to identify which subdomains are returning the server/software banner that contains service name and version. This will help the developer to fix the issue on the web server by configuring the particular web server not to provide any banner when scanned by the attacker.

Having lots of web applications might lead the organization to overlook websites it owns. Performing a scan via Subdomain Scanner allows the organization to check whether its ‘official’ list of web assets exposed to the Internet corresponds with reality.

Thus, the organization can determine and decommission any website that is unnecessary and should no longer be accessed publicly. Having legacy systems and unmaintained websites on the Internet might give attackers the chance to breach into the web server and steal any sensitive data without the knowledge of the organization.

Technical Details

Subdomain enumeration is the process of finding subdomains associated with the main domain. In order to conduct a penetration test, discovering subdomains is a vital step in the information gathering stage.

When a web developer wants to uncover vulnerabilities, subdomain enumeration can reveal a lot of hidden or forgotten subdomains. Most organizations will have multiple subdomains that serve different purposes according to the business process of the organization itself.

For instance, some organizations could have different admin and customer portals that might be accessed publicly via URL, such as or Sometimes, an organization might even have a hidden repository portal, such as, that could be less secure and contain sensitive information.

The Subdomain Scanner has two types of scans, which are Quick Scan and Full Scan.

What services are available under Quick Scan?

Quick Scan performs DNS resolution on the record and enumerates DNS.

What services are available under Full Scan?

Full Scan performs all the services of Quick Scan but with additional capabilities

  • Check certificate transparency
  • Check HTML links
  • Analyse SSL certificates
  • Gather data from Google and Bing search engines
  • Perform Rapid7 Project Sonar
  • Perform reverse DNS enumeration
  • Conduct Smart DNS search
Swipe right to see more detail »
Test Performed Quick Full
Quick Scan performs DNS resolution on the record and enumerates DNS. checked checked
Check for any known vulnerabilities on the server checked
Check certificate transparency checked
Check HTML links checked
Analyse SSL certificates checked
Gather data from Google and Bing search engines checked
Perform Rapid7 Project Sonar checked
Perform reverse DNS enumeration checked
Conduct Smart DNS search checked

How it works?

How it works

A target domain name is the parameter to be scanned by the Subdomain Scanner. The tool uses multiple techniques to discover subdomains such as:

Gathering the DNS Records (NS, MX, TXT, AXFR)

DNS Records consist of the IP address associated to each subdomain. Therefore, this tool will try to request DNS Zone Transfer of the target to gather all the records from the DNS server.

Performing DNS enumeration based on a specially chosen wordlist

The wordlist contains all the common name of subdomains that is usually used. The tool will brute-force the subdomain by trying each name listed on the wordlist one by one to see if any of the list returns a response when requested.

Querying on public search engines

The Subdomain Scanner will run queries on public search engines, such as Google or Bing, and gain the subdomains based on the results. For instance, if we type “” on Google Search, we may find any associated subdomains in the search results.

Applying word mutation techniques

The tool will mutate the common name of subdomain by changing some of the letters within the wording or by changing the order of the subdomain name.

Searching in SSL certificates

Websites that use wildcard SSL certificates allow this tool to find the associated subdomain. By scanning the SSL certificate, the tool will be able to gather the subdomains that use the same wildcard SSL certificate.

Parsing HTML links

This tool performs website crawling on the target domain to find if any HTML links (href) are pointing to another hostname instead of the same hostname. For example, might have an HTML link to However, this technique will only find the subdomain if it is inside the HTML href attribute.

Reverse DNS lookup on target IP ranges

The Subdomain Scanner will perform reverse DNS lookup on the target IP ranges to find the subdomains that might be residing on the target IP range and get the subdomains through the PTR record in the DNS.

Explore More of Our Tools