Overview
scan4all provides comprehensive subdomain enumeration capabilities through integration with subfinder and ksubdomain. It automatically discovers subdomains from SSL certificates, performs DNS brute-forcing, and intelligently correlates findings to expand the attack surface.
Subdomain Discovery Sources
SSL Certificate Analysis
Automatic subdomain extraction from SSL/TLS certificates:
- Connects to port 443
- Extracts all DNS names from the certificate
- Includes wildcard domains (*.example.com)
- Adds discovered subdomains to scan queue
Enable Subdomain Enumeration
Configuration
config.json Settings
| Parameter | Default | Description |
|---|---|---|
| ParseSSl | true | Enable SSL certificate DNS extraction |
| EnableSubfinder | false | Enable subfinder passive enumeration |
| EnableKsubdomain | true | Enable ksubdomain DNS brute-forcing |
| KsubdomainRegxp | Pattern | Regex to filter valid subdomains |
Setting ParseSSl=false disables deep SSL analysis. This is useful when you only want to scan known targets without subdomain discovery.
Subfinder Integration
Passive Subdomain Discovery
Subfinder queries multiple passive sources:
- Certificate Transparency logs
- Search engines
- DNS databases
- Archive services
Wildcard Domain Handling
When a wildcard domain is found (*.example.com):
Ksubdomain Integration
High-Performance DNS Brute-Forcing
ksubdomain provides ultra-fast subdomain enumeration using raw packet manipulation:
Dictionary Configuration
ksubdomain supports custom wordlists:
Multi-Level Domain Enumeration
Enumerate multiple subdomain levels:
Skip Wildcard Domains
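A zone that answers every query (a DNS wildcard) makes brute-forcing useless unless the scanner notices it: every dictionary word "resolves". The block below is an added example, not ksubdomain's or scan4all's own code, showing the usual check: probe the zone with random labels that cannot exist, record the addresses those probes return, and discard brute-force hits that resolve only to those addresses. The resolver is injected and the zone data (example.com with two real hosts and a catch-all, example.net with nothing) is constructed for the example; the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Resolver returns the A records for a name. It is injected so the example
// runs offline; a real scanner would wrap net.LookupHost.
type Resolver func(name string) []string

// DetectWildcard queries a few random labels that cannot exist under the zone.
// If they resolve, the zone has a DNS wildcard and every brute-forced name will
// "succeed"; the returned set holds the addresses such wildcard answers map to.
func DetectWildcard(zone string, resolve Resolver, probes int) (bool, map[string]bool) {
	wildcardIPs := map[string]bool{}
	for i := 0; i < probes; i++ {
		buf := make([]byte, 8)
		if _, err := rand.Read(buf); err != nil {
			panic(err)
		}
		probe := hex.EncodeToString(buf) + "." + zone
		for _, ip := range resolve(probe) {
			wildcardIPs[ip] = true
		}
	}
	return len(wildcardIPs) > 0, wildcardIPs
}

// FilterBruteForce keeps candidates that resolve to at least one address outside
// the wildcard set. Names that only hit the wildcard address, or do not resolve,
// are reported as dropped so the operator can see what was discarded.
func FilterBruteForce(candidates []string, resolve Resolver, wildcardIPs map[string]bool) (kept, dropped []string) {
	for _, c := range candidates {
		real := false
		for _, ip := range resolve(c) {
			if !wildcardIPs[ip] {
				real = true
				break
			}
		}
		if real {
			kept = append(kept, c)
		} else {
			dropped = append(dropped, c)
		}
	}
	return kept, dropped
}

// SampleResolver is a constructed zone: two real hosts plus a catch-all wildcard
// for everything else under example.com; example.net has no records at all.
func SampleResolver(name string) []string {
	switch {
	case name == "www.example.com":
		return []string{"192.0.2.10"}
	case name == "mail.example.com":
		// A real host that also shares the wildcard address must still be kept.
		return []string{"192.0.2.20", "192.0.2.99"}
	case strings.HasSuffix(name, ".example.com"):
		return []string{"192.0.2.99"}
	}
	return nil
}

// SampleCandidates is a constructed brute-force result list.
var SampleCandidates = []string{
	"www.example.com", "admin.example.com", "mail.example.com",
	"test.example.com", "ghost.example.net",
}

func main() {
	isWild, ips := DetectWildcard("example.com", SampleResolver, 3)
	fmt.Println("wildcard:", isWild, ips)
	kept, dropped := FilterBruteForce(SampleCandidates, SampleResolver, ips)
	fmt.Println("kept:", kept, "dropped:", dropped)
}
```

Several probes are used rather than one because some wildcard setups round-robin over a pool of addresses; collecting the union over a few probes keeps a later real host from being misclassified just because it landed on an address the single probe did not see.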
NS Record Integration
Use domain-specific nameservers for better accuracy:
SSL Certificate Mining
Automatic DNS Extraction
scan4all automatically processes SSL certificates to discover:
- Subject Alternative Names (SAN): All domain names in certificate
- Common Name (CN): Primary domain name
- Wildcard Domains: Triggers further enumeration
Certificate Information Extracted
- DNS Names (SAN entries)
- IP Addresses
- Email Addresses
- URI Domains
- Permitted/Excluded DNS Domains
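Every field in the list above is exposed by Go's standard crypto/x509 package, so the extraction can be shown end to end. The following is an added example, not scan4all's own code: it builds a self-signed certificate carrying constructed sample names (a CN, DNS/IP/email/URI SAN entries and a name-constraints extension) and pulls every name-bearing field out of it, separating wildcard entries so they can be handed on for further enumeration. The CertNames type and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// CertNames is every name-bearing field a scanner can mine from one certificate.
// Wildcards is the subset of DNSNames that begins with "*.".
type CertNames struct {
	CommonName   string
	DNSNames     []string
	Wildcards    []string
	IPs          []string
	Emails       []string
	URIHosts     []string
	PermittedDNS []string
	ExcludedDNS  []string
}

// ExtractCertNames reads the Common Name, the Subject Alternative Name entries
// (DNS, IP, email, URI) and the name-constraints extension of a parsed certificate.
// Host names are lower-cased, trailing dots removed and duplicates collapsed.
func ExtractCertNames(cert *x509.Certificate) CertNames {
	out := CertNames{CommonName: cert.Subject.CommonName}
	seen := map[string]bool{}
	addDNS := func(name string) {
		name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
		if name == "" || seen[name] {
			return
		}
		seen[name] = true
		out.DNSNames = append(out.DNSNames, name)
		if strings.HasPrefix(name, "*.") {
			out.Wildcards = append(out.Wildcards, name)
		}
	}
	// The CN is only treated as a host name when it looks like one; many
	// certificates carry an organisation name or nothing at all in that field.
	cn := cert.Subject.CommonName
	if strings.Contains(cn, ".") && !strings.Contains(cn, " ") {
		addDNS(cn)
	}
	for _, n := range cert.DNSNames {
		addDNS(n)
	}
	for _, ip := range cert.IPAddresses {
		out.IPs = append(out.IPs, ip.String())
	}
	out.Emails = append(out.Emails, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		if h := u.Hostname(); h != "" {
			out.URIHosts = append(out.URIHosts, h)
		}
	}
	out.PermittedDNS = append(out.PermittedDNS, cert.PermittedDNSDomains...)
	out.ExcludedDNS = append(out.ExcludedDNS, cert.ExcludedDNSDomains...)
	return out
}

// NewSampleCert builds a self-signed certificate with constructed sample names
// so the extraction can be exercised offline.
func NewSampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, _ := url.Parse("https://portal.example.com/login")
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "www.example.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"www.example.com", "api.example.com", "*.dev.example.com"},
		IPAddresses:           []net.IP{net.ParseIP("192.0.2.10")},
		EmailAddresses:        []string{"admin@example.com"},
		URIs:                  []*url.URL{uri},
		PermittedDNSDomains:   []string{".example.com"},
		ExcludedDNSDomains:    []string{".internal.example.com"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSampleCert()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ExtractCertNames(cert))
}
```

In a live scan the leaf certificate would come from a tls.Dial to port 443 with certificate verification disabled, because an expired or self-signed certificate still carries the names worth inventorying; that network step is left out so the block runs offline. Note that name constraints (Permitted/Excluded DNS domains) normally appear only on CA certificates, which is why the sample template is marked IsCA.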
Workflow
Subdomain Discovery Process
Example: Complete Enumeration
Domain Intelligence
Multiple IP Handling
scan4all automatically detects when a domain resolves to multiple IPs:
Smart Processing
When multiple domains resolve to the same IP, scan4all merges port scans to improve efficiency and reduce redundant traffic.
Caching
Subdomain results are cached to avoid duplicate enumeration:
Performance Considerations
Optimization Tips
- Disable When Unnecessary
- Use Cached Results
- Custom Wordlists
  - Use targeted wordlists for specific industries
  - Reduce dictionary size for faster scans
Output
Subdomain Results
Discovered subdomains are automatically:
- Added to the scan queue
- Port scanned
- Tested for vulnerabilities
- Included in final reports
Advanced Usage
Regex Filtering
Control which subdomains are processed:
- Matches standard domain patterns
- Filters invalid characters
- Extracts clean subdomain names
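The regex filter described here and the same-IP merging described under Multiple IP Handling are two stages of one pipeline, so the block below shows them together. It is an added example, not scan4all's own code: the regular expression is an assumed pattern in the spirit of the KsubdomainRegxp setting (the page does not give the actual default), the resolver is injected and backed by a constructed lookup table, and the candidate list is constructed to include scheme and port residue, mixed case, a trailing dot, a wildcard, duplicates and invalid labels.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// subdomainRe is an assumed filter in the spirit of the KsubdomainRegxp setting:
// an optional wildcard label, one or more RFC 1123 host labels, then a TLD.
var subdomainRe = regexp.MustCompile(`^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)

// FilterSubdomains normalises raw candidates (certificate SANs, brute-force
// output, tool stdout with schemes or ports attached) and keeps only names that
// pass the regex. Wildcards are returned separately so they can be expanded later.
func FilterSubdomains(raw []string) (clean, wildcards []string) {
	seen := map[string]bool{}
	for _, r := range raw {
		name := strings.ToLower(strings.TrimSpace(r))
		name = strings.TrimPrefix(strings.TrimPrefix(name, "https://"), "http://")
		if i := strings.IndexAny(name, "/:"); i >= 0 {
			name = name[:i] // drop a path or port suffix
		}
		name = strings.TrimSuffix(name, ".")
		if name == "" || seen[name] || !subdomainRe.MatchString(name) {
			continue
		}
		seen[name] = true
		if strings.HasPrefix(name, "*.") {
			wildcards = append(wildcards, name)
		} else {
			clean = append(clean, name)
		}
	}
	return clean, wildcards
}

// Resolver returns the A records for a host; injected so the example runs offline.
type Resolver func(host string) []string

// GroupByIP resolves every host and groups the names by address, so a port scan
// runs once per address no matter how many names point at it. A host with
// several addresses appears in several groups; unresolvable hosts are listed.
func GroupByIP(hosts []string, resolve Resolver) (groups map[string][]string, unresolved []string) {
	groups = map[string][]string{}
	for _, h := range hosts {
		ips := resolve(h)
		if len(ips) == 0 {
			unresolved = append(unresolved, h)
			continue
		}
		for _, ip := range ips {
			groups[ip] = append(groups[ip], h)
		}
	}
	for ip := range groups {
		sort.Strings(groups[ip])
	}
	return groups, unresolved
}

// SampleRaw is a constructed mix of clean, dirty, duplicate and invalid candidates.
var SampleRaw = []string{
	"www.example.com", "API.Example.com.", "https://portal.example.com/login",
	"*.dev.example.com", "bad_host.example.com", "-lead.example.com",
	"www.example.com", "not a domain", "ftp.example.com:21",
}

// SampleResolver is a constructed lookup table standing in for net.LookupHost.
func SampleResolver(host string) []string {
	table := map[string][]string{
		"www.example.com":    {"192.0.2.10"},
		"api.example.com":    {"192.0.2.10"},
		"portal.example.com": {"192.0.2.10", "192.0.2.11"},
	}
	return table[host]
}

func main() {
	clean, wildcards := FilterSubdomains(SampleRaw)
	fmt.Println("clean:", clean, "wildcards:", wildcards)
	groups, unresolved := GroupByIP(clean, SampleResolver)
	fmt.Println("groups:", groups, "unresolved:", unresolved)
}
```

With the constructed input, three of the four surviving names share 192.0.2.10 and are scanned as one target, portal.example.com additionally lands in the 192.0.2.11 group, and ftp.example.com is reported as unresolved rather than silently dropped, which is the information an operator needs when deciding whether a name is stale.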
Integration with Other Tools
Troubleshooting
No Subdomains Found
Rate Limiting
DNS Resolution Failures
Best Practices
- Start Conservative: Enable features incrementally
- Monitor Performance: Watch for slow enumeration
- Respect Rate Limits: Avoid aggressive scanning of public services
- Use Caching: Leverage cached results for repeat scans
- Validate Results: Verify discovered subdomains are active
See Also
- SSL Analysis - Deep dive into SSL certificate processing
- Configuration - Complete configuration options
- Performance Tuning - Optimization strategies