Subdomain Scanner: Uncover Hidden Threats

Author: Pallab Jyoti Borah | Date: June 2025

Subdomain Reconnaissance

Discovering subdomains is the foundation of attack surface mapping. Hidden subdomains can expose forgotten or insecure services. In this blog, we’ll walk through powerful tools and techniques used to uncover them.

1. Subfinder

Subfinder is a fast passive subdomain enumeration tool by ProjectDiscovery.

subfinder -d example.com -o subdomains.txt

2. Amass

Amass supports passive, active, and brute-force enumeration with graph analysis.

amass enum -passive -d example.com

3. Shodan

Shodan can find subdomains and the services exposed on them. It is useful for finding the IP addresses currently serving a host.

https://www.shodan.io/search?query=hostname%3Aexample.com

4. Censys

Censys reveals subdomains through TLS/SSL certificate data and adds details about the underlying infrastructure.

https://search.censys.io/certificates?q=example.com

5. Gau + Waybackurls

Pull historical and archived URLs, and the subdomains they reveal, with gau and waybackurls:

gau example.com | tee urls.txt
waybackurls example.com > wayback.txt

6. GitHub Recon

Find hardcoded subdomains in public GitHub repos.

github-subdomains -d example.com -t YOUR_GITHUB_TOKEN

7. FOFA

FOFA is a Chinese threat intel platform. You can query subdomains using the dork:

domain="example.com"

Final Thoughts

Using a mix of passive and active techniques increases coverage. Combine tools, validate live hosts, and map the full attack surface before starting exploitation.
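Combining the outputs above is where most of the work lies: subfinder and amass print one hostname per line, gau and waybackurls print full URLs, and every tool differs in case, trailing dots and ports. The script below is an added example, not code from the original post or from any of the tools it names. It merges constructed sample outputs into one de-duplicated, in-scope inventory for example.com and then checks which hosts resolve through an injected resolver, so it runs offline; the sample data, FAKE_DNS table and the hypothetical dns_resolver helper are assumptions made for the example.

```python
"""Merge subdomain findings from several tools into one in-scope inventory.

Added example for the post above; the tool outputs below are constructed
samples in the shape each tool emits, not real scan results.
"""
import socket
from urllib.parse import urlsplit

TARGET = "example.com"  # the domain whose attack surface is being inventoried

# Constructed sample outputs, one entry per line, as subfinder/amass emit them.
SUBFINDER_OUT = """\
www.example.com
dev.example.com
staging.example.com
"""

AMASS_OUT = """\
Dev.Example.com.
api.example.com
vpn.example.com
"""

# gau/waybackurls emit full URLs; hostnames must be extracted from them.
GAU_OUT = """\
https://old-portal.example.com/login
http://www.example.com:8080/admin
https://cdn.examplecdn.net/asset.js
https://notexample.com/phish
https://api.example.com/v1/users?id=1
"""

# Constructed stand-in for DNS so the live-host check runs offline.
FAKE_DNS = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
}


def normalise_host(host):
    """Lower-case a hostname and strip the trailing dot of DNS FQDN form."""
    return host.strip().lower().rstrip(".")


def in_scope(host, target=TARGET):
    """True only for the target itself or a genuine subdomain of it.

    A bare endswith(target) check would wrongly accept notexample.com;
    requiring the '.' separator avoids that look-alike trap.
    """
    return host == target or host.endswith("." + target)


def hosts_from_list(text):
    """Parse tools that print one hostname per line (subfinder, amass)."""
    return {normalise_host(line) for line in text.splitlines() if line.strip()}


def hosts_from_urls(text):
    """Parse tools that print URLs (gau, waybackurls); drop scheme, port, path."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parsed = urlsplit(line)
        if parsed.hostname:  # .hostname is already lower-cased and port-free
            hosts.add(normalise_host(parsed.hostname))
    return hosts


def build_inventory(sources, target=TARGET):
    """Union all sources, keep only in-scope hosts, return them sorted."""
    merged = set()
    for source in sources:
        merged |= source
    return sorted(h for h in merged if in_scope(h, target))


def validate_live(hosts, resolver):
    """Map each host to the IP the resolver returns, or None if it fails.

    The resolver is injected: pass FAKE_DNS.get for an offline run, or
    dns_resolver below for a real DNS lookup.
    """
    result = {}
    for host in hosts:
        try:
            result[host] = resolver(host)
        except OSError:
            result[host] = None
    return result


def dns_resolver(host):
    """Hypothetical real resolver: first A record, or None if it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


if __name__ == "__main__":
    inventory = build_inventory([
        hosts_from_list(SUBFINDER_OUT),
        hosts_from_list(AMASS_OUT),
        hosts_from_urls(GAU_OUT),
    ])
    for host, ip in validate_live(inventory, FAKE_DNS.get).items():
        print(f"{host:30s} {ip or 'no record'}")
```

Swap FAKE_DNS.get for dns_resolver to check real records; hosts that return None are candidates for dangling DNS or decommissioned services and belong on the clean-up list rather than being silently dropped.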
