Look Up DNS Records
Query DNS records for any domain to inspect A, AAAA, MX, CNAME, TXT, and NS configurations.
Subdomain Security Scan
Enumerate subdomains, probe services, scan for takeover vulnerabilities, and capture visual evidence.
Subdomains are a frequent blind spot in security programs. Forgotten staging environments, deprecated services, and shadow IT subdomains often lack the security controls applied to primary domains. Subdomain takeover vulnerabilities, where attackers claim abandoned DNS entries, remain one of the most common attack vectors.
This workflow systematically discovers all subdomains, probes them for running services and technologies, scans for vulnerabilities with a focus on takeover conditions, and captures visual evidence of each live subdomain. The result is a complete inventory of your subdomain attack surface with actionable security findings.
Steps
1
Enumerate Subdomains
Discover all subdomains through DNS enumeration to identify the full scope of publicly accessible assets.
Input: Root domain to enumerate subdomains for.
Output: List of discovered subdomains with DNS record types and resolved IP addresses.
2
Probe Subdomain Services
Probe each discovered subdomain to identify running services, technologies, and potential subdomain takeover conditions.
Input: List of discovered subdomains to probe.
Output: Service details per subdomain including HTTP status, technologies, CDN detection, and takeover indicators.
3
Scan for Subdomain Vulnerabilities
Run vulnerability templates focused on subdomain-specific issues like takeovers, misconfigurations, and exposed panels.
Input: Live subdomains to scan with subdomain-focused templates.
Output: Vulnerabilities found per subdomain including takeover risks and exposed administrative interfaces.
4
Capture Visual Evidence
Take screenshots of each live subdomain to visually identify forgotten assets, default pages, and suspicious content.
Input: URLs of live subdomains to screenshot.
Output: Screenshots of each subdomain for visual review and documentation.
Benefits
- Discover forgotten or shadow IT subdomains before attackers do
- Detect subdomain takeover vulnerabilities from dangling DNS records
- Visual evidence helps identify abandoned or suspicious assets quickly
- Map the full subdomain attack surface for security hardening
Related Use Cases
Check DNS Propagation Status
Verify whether recent DNS changes have propagated and the new records are live.
Probe Security Headers
Check HTTP security headers across your web properties to identify missing protections like CSP, HSTS, and X-Frame-Options.
Discover Hidden Services
Find hidden or forgotten web services running on your infrastructure that may be exposed without your knowledge.
Run Automated Vulnerability Scans
Scan targets for known vulnerabilities using Nuclei's extensive template library.
Check for Known CVE Exposures
Detect whether your targets are affected by specific CVEs with publicly disclosed exploits.
Capture Full-Page Screenshots
Take full-page screenshots of any website, capturing everything from the header to the footer in one image.
Monitor Visual Changes
Capture periodic screenshots to detect and track visual changes on websites over time.