Pentestas / help

Subdomain enumeration

Given a bare domain (example.com), returns every subdomain we can find — live or dead, internal or external. Essential first step for attack-surface monitoring.

Sources

Pentestas queries and merges:

  • Certificate transparency — crt.sh log queries.
  • Passive DNS aggregators — c99.nl subdomain finder, HackerTarget hostsearch.
  • Active brute-force — wordlist of common subdomain labels resolved against the target's authoritative DNS.

Sources are deduped + scored; each finding carries the list of sources that confirmed it.

Wildcard DNS handling

Some domains are configured to resolve every label — random123.example.com, kjsdkfj.example.com, anything — to the same set of IPs. Without filtering, brute-force enumeration against those domains would return tens of thousands of garbage entries.

Before brute-force runs, Pentestas issues three random labels (<random-32-chars>.example.com) and records every IP they resolve to. That set is the wildcard fingerprint.

  • Brute-force results that resolve only to the wildcard fingerprint are dropped — they're synthetic.
  • Brute-force results that resolve to additional IPs (e.g., a CDN edge plus a real backend not in the wildcard set) are kept.
  • Passive sources (CT logs, C99, HackerTarget) are kept regardless: a name observed in a real certificate or a third-party DB existed, even if it now resolves into the wildcard pool.

The result: clean lists on wildcard-DNS targets, no missed real subdomains.
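The filtering rules above, as an added Python example (not Pentestas' own code): a pluggable resolver stands in for live DNS, so the constructed zone below plays the part of a real wildcard domain, and `secrets.token_hex(16)` supplies the 32-character random probe labels.

```python
import secrets
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]  # name -> set of A/AAAA addresses

def wildcard_fingerprint(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random 32-char labels; the union of their answers is the
    wildcard fingerprint. An empty set means the zone has no wildcard record."""
    ips: Set[str] = set()
    for _ in range(probes):
        ips |= resolve(f"{secrets.token_hex(16)}.{domain}")
    return ips

def filter_candidates(domain: str, brute_labels: List[str],
                      passive_names: List[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Drop brute-force hits that resolve only into the fingerprint, keep hits
    with additional IPs, keep passive (CT / third-party DB) names unconditionally."""
    fp = wildcard_fingerprint(domain, resolve)
    kept: Dict[str, Set[str]] = {}
    for label in brute_labels:
        name = f"{label}.{domain}"
        ips = resolve(name)
        if not ips:
            continue                 # NXDOMAIN: nothing to report
        if fp and ips <= fp:
            continue                 # answers are a subset of the pool: synthetic
        kept[name] = ips
    for name in passive_names:
        kept[name] = resolve(name)   # observed elsewhere: keep even if it is in the pool
    return kept

# Constructed sample zone (documentation IP ranges, not real hosts):
# *.example.com resolves to two CDN edges; api also has a real backend behind it.
WILDCARD_POOL = {"203.0.113.10", "203.0.113.11"}
ZONE = {
    "www.example.com": {"203.0.113.10"},                  # CDN edge only
    "api.example.com": {"203.0.113.10", "198.51.100.7"},  # edge + backend
}

def wildcard_resolve(name: str) -> Set[str]:
    """Zone with a wildcard record: unknown names fall into the pool."""
    return ZONE.get(name, WILDCARD_POOL)

def strict_resolve(name: str) -> Set[str]:
    """Same zone without the wildcard record: unknown names are NXDOMAIN."""
    return ZONE.get(name, set())

if __name__ == "__main__":
    print(filter_candidates("example.com", ["www", "api", "kjsdkfj"], ["blog.example.com"], wildcard_resolve))
    # -> api (edge + backend) and blog (passive) kept; www and kjsdkfj dropped as pool-only
```

Note that www is dropped by the brute-force path because a CDN-fronted host is indistinguishable from the wildcard pool; this is exactly why the passive sources are merged in unfiltered.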

Enrichment

Every discovered subdomain is then:

  • DNS resolved — A + AAAA records.
  • Live-checked — HTTP(S) probe with a realistic User-Agent; status + server + title.
  • Port-scanned — common ports (22, 80, 443, 3000, 8080, 8443) by default; full scan on request.
  • WAF fingerprinted — Cloudflare, Akamai, AWS WAF, etc.
  • Takeover-checked — DNS points at a deprovisioned SaaS (Heroku, S3, GitHub Pages, Azure, Netlify) → flagged.

Usage

UI

New scan → Subdomain enumeration → enter domain → start.

API

```bash
curl -X POST https://app.pentestas.com/api/subdomain-scan \
  -H "X-API-Key: aa_..." \
  -d '{"domain":"example.com"}'
```

Returns a list of {subdomain, ip, alive, status, source, open_ports}.

Public (anonymous) variant

Unauthenticated + rate-limited at 10/hour per IP:

```bash
curl "https://app.pentestas.com/api/public/subdomain?domain=example.com"
```

Good for a quick recon pass; Pro+ required for CSV export + CI-triggerable scans.

Subdomain takeover

A dedicated check compares each discovered subdomain's DNS target against known fingerprints for ~80 SaaS providers. If blog.example.com points at example.github.io but the GitHub Pages site no longer exists, you get a CRITICAL takeover finding — anyone can claim the name and serve arbitrary content under your domain.

Typical output

For a medium company, expect 100–2,000 subdomains. Common buckets:

  • www, mail, api, app, admin
  • Environment variants: staging.api.example.com, dev.app.example.com
  • Vendor-managed: status.example.com (Statuspage), help.example.com (Zendesk), jobs.example.com (Greenhouse)
  • Forgotten / abandoned: old.example.com, beta2019.example.com — these are where takeovers live
  • Internal-mistaken-for-external: internal-admin.example.com resolving publicly when it shouldn't

See also