Subdomain enumeration

Given a bare domain (example.com), returns every subdomain we can find — live or dead, internal or external. Essential first step for attack-surface monitoring.

Sources

Pentestas queries and merges:

  • Certificate transparency — crt.sh, Cert Spotter
  • Passive DNS — SecurityTrails, VirusTotal, RiskIQ PassiveTotal
  • Active brute-force — wordlist of ~120,000 common subdomain labels
  • Wayback Machine — historical URLs
  • Google / Bing dorks — SERP extraction for site:-prefixed queries
  • ASN sweep — PTR records across IP ranges you own (Enterprise)

Sources are deduped + scored; each finding carries the list of sources that confirmed it.

Enrichment

Every discovered subdomain is then:

  • DNS resolved — A + AAAA records.
  • Live-checked — HTTP(S) probe with a realistic User-Agent; status + server + title.
  • Port-scanned — common ports (22, 80, 443, 3000, 8080, 8443) by default; full scan on request.
  • WAF fingerprinted — Cloudflare, Akamai, AWS WAF, etc.
  • Takeover-checked — DNS points at a deprovisioned SaaS (Heroku, S3, GitHub Pages, Azure, Netlify) → flagged.

Usage

UI

New scan → Subdomain enumeration → enter domain → start.

API

```bash
curl -X POST https://app.pentestas.com/api/subdomain-scan \
  -H "X-API-Key: aa_..." \
  -d '{"domain":"example.com"}'
```

Returns a list of {subdomain, ip, alive, status, source, open_ports}.

Public (anonymous) variant

Unauthenticated + rate-limited at 10/hour per IP:

```bash
curl "https://app.pentestas.com/api/public/subdomain?domain=example.com"
```

Good for a quick recon pass; Pro+ required for CSV export + CI-triggerable scans.

Subdomain takeover

A dedicated check compares each discovered subdomain's DNS target against known fingerprints for ~80 SaaS providers. If blog.example.com points at example.github.io but the GitHub Pages site no longer exists, you get a CRITICAL takeover finding — anyone can claim the name and serve arbitrary content under your domain.
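The dangling-CNAME logic behind the takeover check above (and the "Takeover-checked" enrichment step) as an added example, not Pentestas code: the fingerprint table is an assumed four-provider subset of publicly documented error markers, and the DNS/HTTP results are constructed inline so it runs offline.

```python
"""Classify a subdomain's takeover risk from its CNAME target and live probe.
Added example; FINGERPRINTS is an assumed illustrative subset, not the
product's ~80-provider table."""
from dataclasses import dataclass
from typing import Optional

# CNAME suffix -> (provider, body marker seen when the resource was deprovisioned).
# A marker of None means the signal is the CNAME target no longer resolving.
FINGERPRINTS = {
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "s3.amazonaws.com": ("S3", "NoSuchBucket"),
    "herokuapp.com": ("Heroku", "No such app"),
    "azurewebsites.net": ("Azure", None),
}


@dataclass
class Probe:
    subdomain: str
    cname: Optional[str]   # DNS CNAME target, None if the name has no CNAME
    resolves: bool         # whether the CNAME target resolves to an address
    body: str = ""         # HTTP body snippet from the live check (constructed)


def takeover_risk(p: Probe) -> tuple:
    """Return (severity, reason). CRITICAL only when the CNAME target belongs
    to a fingerprinted provider AND that provider reports the resource gone."""
    if not p.cname:
        return ("NONE", "no CNAME")
    for suffix, (provider, marker) in FINGERPRINTS.items():
        if p.cname == suffix or p.cname.endswith("." + suffix):
            if not p.resolves:
                return ("CRITICAL", f"{provider}: CNAME target {p.cname} does not resolve")
            if marker and marker in p.body:
                return ("CRITICAL", f"{provider}: target serves '{marker}'")
            return ("NONE", f"{provider}: resource still provisioned")
    # Unknown CNAME target: worth a look, but no fingerprint to confirm a takeover.
    return ("INFO", f"CNAME to unfingerprinted host {p.cname}")


def critical_findings(probes) -> list:
    """Filter a batch of probes down to the subdomains needing immediate action."""
    return [p.subdomain for p in probes if takeover_risk(p)[0] == "CRITICAL"]


if __name__ == "__main__":
    # Constructed sample: mirrors the blog.example.com case described above.
    sample = [
        Probe("blog.example.com", "example.github.io", True, "There isn't a GitHub Pages site here."),
        Probe("www.example.com", None, True, "<html>ok</html>"),
    ]
    print(critical_findings(sample))  # ['blog.example.com']
```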

Typical output

For a medium company, expect 100–2,000 subdomains. Common buckets:

  • www, mail, api, app, admin
  • Environment variants: staging.api.example.com, dev.app.example.com
  • Vendor-managed: status.example.com (Statuspage), help.example.com (Zendesk), jobs.example.com (Greenhouse)
  • Forgotten / abandoned: old.example.com, beta2019.example.com — these are where takeovers live
  • Internal-mistaken-for-external: internal-admin.example.com resolving publicly when it shouldn't

See also