Subdomain Enumeration

Overview

scan4all provides comprehensive subdomain enumeration capabilities through integration with subfinder and ksubdomain. It automatically discovers subdomains from SSL certificates, performs DNS brute-forcing, and intelligently correlates findings to expand the attack surface.

Subdomain Discovery Sources

SSL Certificate Analysis

Automatic subdomain extraction from SSL/TLS certificates:

// Extracts DNS names from SSL certificates
func GetSSLDNS(host string) ([]string, error)

When scanning a target, scan4all:

Connects to port 443
Extracts all DNS names from the certificate
Includes wildcard domains (*.example.com)
Adds discovered subdomains to scan queue

Enable Subdomain Enumeration

Subdomain enumeration is disabled by default due to performance impact. Enable it explicitly when needed.

# Enable subfinder integration
EnableSubfinder=true ./scan4all -host example.com

# Enable ksubdomain for faster brute-forcing
EnableKsubdomain=true ./scan4all -host example.com

Configuration

config.json Settings

{
  "ParseSSl": true,
  "EnableSubfinder": false,
  "EnableKsubdomain": true,
  "KsubdomainRegxp": "([0-9a-zA-Z\\-]+\\.[0-9a-zA-Z\\-]+)$"
}

Parameter	Default	Description
`ParseSSl`	`true`	Enable SSL certificate DNS extraction
`EnableSubfinder`	`false`	Enable subfinder passive enumeration
`EnableKsubdomain`	`true`	Enable ksubdomain DNS brute-forcing
`KsubdomainRegxp`	Pattern	Regex to filter valid subdomains

Setting ParseSSl=false disables deep SSL analysis. This is useful when you only want to scan known targets without subdomain discovery.

Subfinder Integration

Passive Subdomain Discovery

Subfinder queries multiple passive sources:

Certificate Transparency logs
Search engines
DNS databases
Archive services

# Enable subfinder
EnableSubfinder=true ./scan4all -host example.com -v

Wildcard Domain Handling

When a wildcard domain is found (*.example.com):

if "*." == domain[:2] {
    // Automatically enumerate subdomains
    subdomains := subfinder.DoSubfinder([]string{domain[2:]})
    // Add results to scan queue
}

Wildcard domains trigger automatic subfinder enumeration when EnableSubfinder=true.

Ksubdomain Integration

High-Performance DNS Brute-Forcing

ksubdomain provides ultra-fast subdomain enumeration using raw packet manipulation:

# Enable ksubdomain
EnableKsubdomain=true ./scan4all -host example.com

Dictionary Configuration

ksubdomain supports custom wordlists:

# Using built-in dictionary
./scan4all -host example.com

# Custom dictionary via ksubdomain flags
# (Requires direct ksubdomain configuration)

Multi-Level Domain Enumeration

Enumerate multiple subdomain levels:

# 2-level enumeration (default): sub.example.com
level=2 ./scan4all -host example.com

# 3-level enumeration: sub.sub2.example.com
level=3 ./scan4all -host example.com

Skip Wildcard Domains

# Skip domains with wildcard DNS records
skip-wild=true ./scan4all -host example.com

NS Record Integration

Use domain-specific nameservers for better accuracy:

# Read and use NS records from target domains
ns=true ./scan4all -host example.com

SSL Certificate Mining

Automatic DNS Extraction

scan4all automatically processes SSL certificates to discover:

Subject Alternative Names (SAN): All domain names in certificate
Common Name (CN): Primary domain name
Wildcard Domains: Triggers further enumeration

// From pkg/domain.go
func GetSSLDNS(host string) ([]string, error) {
    conf := &tls.Config{
        InsecureSkipVerify: true,
    }
    conn, _ := tls.Dial("tcp", host+":443", conf)
    certs := conn.ConnectionState().PeerCertificates
    
    for _, cert := range certs {
        for _, dnsName := range cert.DNSNames {
            // Extract all DNS names
        }
    }
}

Certificate Information Extracted

DNS Names (SAN entries)
IP Addresses
Email Addresses
URI Domains
Permitted/Excluded DNS Domains

Workflow

Subdomain Discovery Process

Example: Complete Enumeration

# Step 1: Enable subdomain features
export EnableSubfinder=true
export EnableKsubdomain=true
export ParseSSl=true

# Step 2: Run comprehensive scan
./scan4all -host example.com -v

# Process:
# 1. Connect to example.com:443
# 2. Extract SSL certificate DNS names
# 3. Find *.example.com wildcard
# 4. Run subfinder on example.com
# 5. Run ksubdomain brute-force
# 6. Scan all discovered subdomains

Domain Intelligence

Multiple IP Handling

scan4all automatically detects when a domain resolves to multiple IPs:

// Automatically scans all IPs associated with a domain
// All IPs undergo port scanning
// Results correlated back to domain

Smart Processing

When multiple domains resolve to the same IP, scan4all merges port scans to improve efficiency and reduce redundant traffic.

Caching

Subdomain results are cached to avoid duplicate enumeration:

// Check cache before enumeration
data, err := util.Cache1.Get(domain)
if err == nil {
    // Use cached results
    json.Unmarshal(data, &subdomains)
    return subdomains
}

// Perform enumeration and cache
util.PutAny[[]string](domain, results)

Performance Considerations

Speed vs. StealthSubdomain enumeration can be:

Slow: Subfinder queries multiple sources
Noisy: ksubdomain sends many DNS queries
Detectable: May trigger rate limiting or alerts

Use appropriate timing for your scenario.

Optimization Tips

Disable When Unnecessary

# Skip subdomain enumeration for known targets
ParseSSl=false EnableSubfinder=false ./scan4all -l known_urls.txt

Use Cached Results

# Results are automatically cached
# Subsequent scans use cache

Custom Wordlists
- Use targeted wordlists for specific industries
- Reduce dictionary size for faster scans

Output

Subdomain Results

Discovered subdomains are automatically:

Added to the scan queue
Undergo port scanning
Tested for vulnerabilities
Included in final reports

{
  "domain": "example.com",
  "subdomains": [
    "www.example.com",
    "api.example.com",
    "admin.example.com",
    "dev.example.com"
  ],
  "source": "ssl,subfinder,ksubdomain"
}

Advanced Usage

Regex Filtering

Control which subdomains are processed:

{
  "KsubdomainRegxp": "([0-9a-zA-Z\\-]+\\.[0-9a-zA-Z\\-]+)$"
}

This regex:

Matches standard domain patterns
Filters invalid characters
Extracts clean subdomain names

Integration with Other Tools

# Export subdomains for other tools
./scan4all -host example.com -o results.json

# Extract subdomain list
jq -r '.subdomains[]' results.json > subdomains.txt

# Use with other scanners
cat subdomains.txt | other-scanner

Troubleshooting

No Subdomains Found

# Verify SSL is accessible
curl -k https://example.com

# Check if EnableSubfinder is set
echo $EnableSubfinder

# Enable debug output
./scan4all -host example.com -v

Rate Limiting

# Reduce ksubdomain rate
# Adjust in ksubdomain configuration

# Or disable ksubdomain
EnableKsubdomain=false ./scan4all -host example.com

DNS Resolution Failures

# Use custom DNS resolvers
# Configure in config.json
{
  "naabu_dns": {},
  "resolvers": ["8.8.8.8", "1.1.1.1"]
}

Best Practices

Start Conservative: Enable features incrementally
Monitor Performance: Watch for slow enumeration
Respect Rate Limits: Avoid aggressive scanning of public services
Use Caching: Leverage cached results for repeat scans
Validate Results: Verify discovered subdomains are active

Advanced Topics

Development

Best Practices

Documentation Index

​Overview

​Subdomain Discovery Sources

​SSL Certificate Analysis

​Enable Subdomain Enumeration

​Configuration

​config.json Settings

​Subfinder Integration

​Passive Subdomain Discovery

​Wildcard Domain Handling

​Ksubdomain Integration

​High-Performance DNS Brute-Forcing

​Dictionary Configuration

​Multi-Level Domain Enumeration

​Skip Wildcard Domains

​NS Record Integration

​SSL Certificate Mining

​Automatic DNS Extraction

​Certificate Information Extracted

​Workflow

​Subdomain Discovery Process

​Example: Complete Enumeration

​Domain Intelligence

​Multiple IP Handling

Smart Processing

​Caching

​Performance Considerations

​Optimization Tips

​Output

​Subdomain Results

​Advanced Usage

​Regex Filtering

​Integration with Other Tools

​Troubleshooting

​No Subdomains Found

​Rate Limiting

​DNS Resolution Failures

​Best Practices

​See Also

Overview

Subdomain Discovery Sources

SSL Certificate Analysis

Enable Subdomain Enumeration

Configuration

config.json Settings

Subfinder Integration

Passive Subdomain Discovery

Wildcard Domain Handling

Ksubdomain Integration

High-Performance DNS Brute-Forcing

Dictionary Configuration

Multi-Level Domain Enumeration

Skip Wildcard Domains

NS Record Integration

SSL Certificate Mining

Automatic DNS Extraction

Certificate Information Extracted

Workflow

Subdomain Discovery Process

Example: Complete Enumeration

Domain Intelligence

Multiple IP Handling

Caching

Performance Considerations

Optimization Tips

Output

Subdomain Results

Advanced Usage

Regex Filtering

Integration with Other Tools

Troubleshooting

No Subdomains Found

Rate Limiting

DNS Resolution Failures

Best Practices

See Also