VOOZH about

URL: https://apify.com/advx/attack-surface-recon

โ‡ฑ Attack Surface Recon: Subdomain & HTTP Tech Discovery ยท Apify

๐Ÿ‘ Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint avatar

Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint

Under maintenance

Pricing

Pay per usage

Go to Apify Store

Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint

Under maintenance

Map a domain's external attack surface. Passive subdomain enumeration with subfinder, HTTP fingerprint with httpx: status, title, server, technology stack, TLS issuer and IP. One dataset row per responding host. For recon, asset discovery and security audits.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

๐Ÿ‘ Sevastian Z

Sevastian Z

Maintained by Community

Actor stats

0

Bookmarked

1

Total users

0

Monthly active users

22 days ago

Last modified

Share

Map a domain's external attack surface in one run. Pass a registrable domain, get back every subdomain that responds on HTTP/S, fingerprinted: status code, title, server header, detected technology stack, TLS issuer, IP.

Built on the Project Discovery toolchain (subfinder + httpx). Wrapped for people who do not want to install Go binaries to run a recon scan.

What it does

  • Passive subdomain enumeration with subfinder. Queries public sources (Certificate Transparency, CommonCrawl, DNS dumps, search engines). No DNS brute force, no scraping of the target.
  • HTTP fingerprint with httpx. For each discovered host, follow redirects and capture: status code, page title, Server header, detected technologies (Wappalyzer-style), TLS certificate issuer and validity, IP.
  • One row per responding host in the dataset. Easy to filter, export or feed into a vulnerability scanner.

Input

FieldTypeDescription
domainstring, requiredRegistrable domain, e.g. example.com
{"domain":"example.com"}

Output

FieldDescription
hostdiscovered hostname
urlfinal URL after redirects
status_codeHTTP status
titleHTML title element
webserverServer response header
techdetected technology stack (Wappalyzer signatures)
ipresolved IP
tls_issuerTLS certificate issuer organization
tls_subject_cnTLS certificate subject CN
tls_not_afterTLS certificate expiry
content_lengthresponse body length

Pricing

Free. You pay only the standard Apify platform usage (compute) for your own runs.

Use cases

  • External asset discovery and inventory.
  • Pre-engagement recon for pentesting and bug bounty.
  • Continuous attack-surface monitoring (run on a schedule).
  • Mergers / acquisitions due diligence on a target's exposed surface.

Related: catch impersonation, not just exposure

This actor maps your own surface. Attackers also register lookalike and typosquatted domains to impersonate brands. To detect those, scan with Lookalike / Typosquat Domain Scan and use the free Certificate Transparency Subdomain Search.

Notes

Probing is HTTP/S only, with rate limiting. No port scanning, no exploitation. Run against domains you are authorized to test.

You might also like

Subdomain Finder - Discover Subdomains via CT Logs

logiover/subdomain-finder

Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key โ€” export to CSV or JSON.

Subdomain Discovery API

crawland/subdomain-discovery-api

Paginated subdomain enumeration for any registered domain โ€” DNS records, registrar, WHOIS, vendor reputation, and category labels per subdomain, served from the Crawland threat-intelligence backend.

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. Simple Subdomain Lookup that works!

51

5.0

Entity Attack Surface MCP Server

ryanclinton/entity-attack-surface-mcp

Corporate cyber exposure intelligence via the Model Context Protocol. This MCP server orchestrates 11 data sources to discover and score an organization's digital attack surface -- from DNS and SSL infrastructure to technology vulnerabilities and CISA Known Exploited Vulnerabilities.

Subdomain Radar โ€” Passive OSINT Enumeration

saregaa/subdomain-scraper

Discover subdomains silently. No brute-force โ€” pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.

Subdomain Finder - Discover Every Subdomain Of A Domain

thirdwatch/subdomain-finder

Discover every subdomain for any apex domain. Merges 4 sources: certificate transparency (crt.sh), HackerTarget, RapidDNS, plus DNS bruteforcing of common names. Verifies each is live via DNS + HTTP probe.