Subdomain discovery and attack surface report
Overview
This workflow automates comprehensive subdomain enumeration and attack surface mapping by combining passive and active reconnaissance techniques with service fingerprinting, SSL/TLS analysis, and CVE correlation. It generates a detailed HTML report that enables penetration testers to quickly identify and prioritize high-value targets during security assessments.
How It Works
- Passive Subdomain Discovery: Executes subfinder to gather subdomains from passive sources including certificate transparency logs, DNS databases, and search engines without directly interacting with target infrastructure.
- Active DNS Enumeration: Launches gobuster-dns to perform brute-force subdomain discovery using comprehensive wordlists, identifying additional subdomains not found through passive methods.
- Subdomain Consolidation: Aggregates results from both passive and active discovery phases using a scripting agent to create a unified, de-duplicated list of all identified subdomains.
- Service Fingerprinting: Initiates Nmap scans against all discovered subdomains to identify open ports, running services, service versions, and technology stack across the complete attack surface.
- SSL/TLS Security Assessment: Executes testssl.sh against all HTTPS services discovered during scanning to assess SSL/TLS configurations, weak cipher suites, certificate issues, and protocol vulnerabilities.
- Technology Extraction: Processes Nmap and testssl results through a scripting agent to extract detailed technology information, software versions, and service banners for vulnerability correlation.
- CVE Database Query: Queries vulnerability databases using identified technologies and versions to map known CVEs and security weaknesses to discovered services.
- Report Generation: Compiles all findings including subdomain data, service information, SSL/TLS vulnerabilities, and associated CVEs into a comprehensive HTML report with organized sections for easy navigation.
- Email Notification: Delivers the generated HTML report to designated recipients via email for immediate review and penetration testing planning.
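The consolidation, technology-extraction, CVE-correlation and report-generation steps above are the glue between the tools, and the details matter: names from the two discovery phases need normalising (case, trailing dots, wildcard entries) and a label-boundary scope check before anything is scanned, and service banners are attacker-controlled text that must be escaped before they land in an HTML report. The following is an added example written for this page, not the workflow's own scripting-agent code. The passive and active subdomain lists, the Nmap grepable (-oG) lines, and the CVE lookup table are all constructed sample data; the CVE identifiers are placeholders, not real advisories, and the hostnames and IPs are documentation values.

```python
"""Consolidate, extract, correlate and report: the data flow between the tools, on constructed input."""
import html
import re

# Constructed inputs (not real scan data): what the passive and active stages might emit.
PASSIVE = ["www.example.com", "API.example.com.", "mail.example.com", "*.dev.example.com"]
ACTIVE = ["api.example.com", "vpn.example.com", "example.com.attacker.test", "www.example.com"]

# Constructed Nmap grepable (-oG) "Host:" lines for the consolidated hosts.
NMAP_GREPABLE = [
    "Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx 1.18.0/, "
    "443/open/tcp//ssl|https//nginx 1.18.0/\tIgnored State: closed (998)",
    "Host: 203.0.113.11 (vpn.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "443/open/tcp//ssl|https//Apache httpd 2.4.49/\tIgnored State: filtered (998)",
]

# Constructed CVE lookup keyed by (product, version); identifiers are placeholders, not real CVEs.
CVE_TABLE = {
    ("nginx", "1.18.0"): ["CVE-0000-0001 (placeholder)"],
    ("Apache httpd", "2.4.49"): ["CVE-0000-0002 (placeholder)", "CVE-0000-0003 (placeholder)"],
}


def in_scope(name: str, root: str) -> bool:
    """True only for the root itself or names ending in '.<root>' (label boundary, not substring)."""
    return name == root or name.endswith("." + root)


def consolidate(*sources, root: str) -> list[str]:
    """Normalise case and trailing dots, drop wildcard entries, de-duplicate, keep only in-scope names."""
    seen = set()
    for source in sources:
        for raw in source:
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*.") or not in_scope(name, root):
                continue
            seen.add(name)
    return sorted(seen)


def split_product_version(banner: str) -> tuple[str, str]:
    """'Apache httpd 2.4.49' -> ('Apache httpd', '2.4.49'); a banner with no version yields ''."""
    product, _, version = banner.rpartition(" ")
    if product and version[:1].isdigit():
        return product, version
    return banner, ""


def parse_grepable(line: str) -> list[dict]:
    """Extract host/port/service/product/version records from one -oG 'Host:' line (open ports only)."""
    fields = line.split("\t")
    m = re.match(r"Host: (\S+) \(([^)]*)\)", fields[0])
    if not m:
        return []
    ip, hostname = m.groups()
    ports_field = next((f for f in fields if f.startswith("Ports: ")), "")
    records = []
    for entry in filter(None, ports_field[len("Ports: "):].split(", ")):
        # Per-port fields: port/state/proto/owner/service/rpcinfo/version/
        parts = entry.split("/")
        if len(parts) < 7 or parts[1] != "open":
            continue
        product, version = split_product_version(parts[6])
        records.append({"host": hostname or ip, "port": int(parts[0]), "service": parts[4],
                        "product": product, "version": version})
    return records


def correlate(records: list[dict], cve_table: dict) -> list[dict]:
    """Attach CVEs from the table to each record; unknown product/version pairs get an empty list."""
    return [dict(r, cves=cve_table.get((r["product"], r["version"]), [])) for r in records]


def render_report(records: list[dict]) -> str:
    """Render an HTML table; every cell is escaped because banners are attacker-controlled text."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["host"]), r["port"], html.escape(r["service"]),
            html.escape(f'{r["product"]} {r["version"]}'.strip()),
            html.escape(", ".join(r["cves"])) or "-")
        for r in records)
    return ("<html><body><h1>Attack surface report</h1><table>"
            "<tr><th>Host</th><th>Port</th><th>Service</th><th>Version</th><th>CVEs</th></tr>"
            f"{rows}</table></body></html>")


def build_report(passive, active, grepable_lines, cve_table, root="example.com") -> tuple[list[str], str]:
    """Run the whole chain: consolidate, parse scan output for in-scope hosts, correlate, render."""
    hosts = consolidate(passive, active, root=root)
    host_set = set(hosts)
    records = [r for line in grepable_lines for r in parse_grepable(line) if r["host"] in host_set]
    return hosts, render_report(correlate(records, cve_table))


if __name__ == "__main__":
    hosts, report = build_report(PASSIVE, ACTIVE, NMAP_GREPABLE, CVE_TABLE)
    print(hosts)
    print(report)
```

Two design points carry over to a real pipeline: the scope check compares on a label boundary (`name == root or name.endswith("." + root)`), so `example.com.attacker.test` is rejected even though it contains the root as a substring, and every value that reaches the report passes through `html.escape`, so a banner or hostname containing markup cannot inject script into the HTML the recipients open.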
Who is this for?
- Penetration testers conducting external security assessments and requiring comprehensive target reconnaissance
- Red team operators identifying optimal entry points and attack vectors during security exercises
- Security consultants performing attack surface analysis and vulnerability assessments for clients
- Bug bounty hunters discovering and prioritizing targets within authorized scope boundaries
- Security teams evaluating organizational external exposure before planned penetration tests
What problem does this workflow solve?
- Eliminates manual reconnaissance overhead by automating subdomain discovery and fingerprinting processes, reducing assessment preparation time from days to hours
- Provides comprehensive attack surface visibility through combined passive and active discovery techniques with detailed service analysis
- Enables rapid target prioritization through automated CVE correlation, allowing immediate identification of systems with known vulnerabilities
- Standardizes reconnaissance methodology across security assessments, ensuring consistent coverage and reducing risk of missed attack vectors
- Delivers actionable intelligence through structured HTML reporting that facilitates efficient penetration testing planning and execution