Subdomains

Subdomains Section Filters

At the top of the Subdomains page, there is a filter bar with multiple dropdowns to help narrow down the results and focus on specific assets. The following filters are available:


1. Domain

Filters results based on the main domain.

Example: Selecting example.com will display only its associated subdomains.


2. Subdomain

Focuses results on a specific subdomain.

Example: Selecting api.example.com will isolate that subdomain's data.


3. IP

Displays subdomains that resolve to a specific IP address.

Example: If both www.example.com and vpn.example.com resolve to 104.18.16.64, only those will be shown.


4. Port

Filters based on open ports discovered during the scan.

Example: Selecting port 443 shows subdomains using HTTPS.


5. Cloud

Filters subdomains by their cloud service provider.

Example: Only display subdomains hosted on Cloudflare, AWS, or Azure.


6. PTR

Filters based on reverse DNS records (PTR).

Example: If an IP resolves back to example.cloudflare.net, this filter will include it.


7. CNAME

Filters subdomains based on CNAME records.

Example: If app.example.ps points to example.azurewebsites.net, this filter highlights such links.


8. More

Includes additional advanced filtering options:

  • Subdomain Status (Live / Dormant)

  • Scan Status

  • Technology Stack (e.g., WordPress, Bootstrap)

  • Service Provider (e.g., Azure, Cloudflare)

  • Geolocation (Country / City)


If a Subdomain Is Not Visible

Some subdomains may not appear in the main list due to applied filters, sync delays, or data availability. In such cases, use the following option:

Manage Subdomains

Clicking Manage Subdomains opens a complete management panel where you can:

  • View all discovered subdomains, even if filtered out in the main view

  • Add a new subdomain manually. Once a new subdomain is added, the system automatically performs a full scan and generates a Security Rating for that subdomain.

  • Rescan an individual subdomain

  • Delete subdomains from the list

  • Search across all entries (regardless of page filters)

This feature ensures full visibility and control over your subdomain inventory.


Subdomain Card

Each subdomain is displayed as a card containing technical and security information.

  1. Thumbnail Preview

    A visual screenshot of the subdomain homepage (if available).

  2. Subdomain Name

    Example: www.example.com. Status tags may also appear here (e.g., Active, Dormant).

  3. IP Address & Hosting Provider

    Displays the resolved IP and associated organization (e.g., Cloudflare, Inc.).

  4. Location

    Shows the server’s geolocation with country and city.

  5. Open Ports

    Example: 80, 443, 2052, and a count of additional ports. Each indicates protocol access.

  6. Detected Technologies

    Tags like Bootstrap, HTTP/3, WordPress (6.6.1), and more.

  7. Last Scan Timestamp

    Indicates when the last scan was performed (e.g., “5 months ago”).

  8. Rescan Button

    Allows you to manually trigger an updated scan for that subdomain.


Subdomain Card – Right Panel (Security)

  1. Security Rating

    A visual gauge showing a score from 0–100%. Green = strong posture, red = poor.

  2. Certificate Status

    Shows number of valid SSL/TLS certificates (e.g., 1 Valid).

  3. Web Application Firewall (WAF)

    Indicates if a WAF is protecting the asset (e.g., Cloudflare WAF active).

  4. Security Headers

    Shows the number of missing or misconfigured HTTP headers (e.g., 20 Missed).

  5. More Details

    Button that expands into a detailed technical and security report.


Subdomain – More Details View

When you click More Details on any subdomain card, a comprehensive technical and security profile of that subdomain is displayed. This section provides deeper context to understand risks, hosting details, and potential exposures.


1. General Information

  • Domain/Subdomain: The exact asset being analyzed (e.g., www.example.com).

  • Hosting Provider: The organization managing the hosting infrastructure (e.g., Cloudflare, Inc.).

  • Region: Geographic location of the hosting server. This helps correlate risks with jurisdiction or compliance requirements.

  • PTR Record (Reverse DNS): The reverse lookup name tied to the IP address. If none is detected, it is marked as N/A.


2. Certificate Issues and Security Rating

  • Certificate Issues: Number of SSL/TLS certificate problems such as expiration, weak ciphers, or misconfiguration.

  • Security Rating: A calculated percentage (0–100%) reflecting the overall security posture of the subdomain. Higher percentages indicate stronger configurations.


3. IP and Risk Indicators

  • IP Address: The resolved IP associated with the subdomain.

  • Risk Score: A numeric rating of potential malicious or suspicious behavior linked to this IP.

  • Confidence Level: Indicates how certain AttackMetricx is about the collected data (Low, Medium, High).

  • ASN (Autonomous System Number): Identifies the autonomous system (network) the IP belongs to, tied to a specific provider.

  • Organization (ORG): The company or entity owning the ASN.

  • Flags: Contextual security attributes about the IP:

    • Proxy – Detects if the IP is operating behind a known proxy service.

    • TOR – Identifies if the IP is part of the TOR anonymity network.

    • Known Attacker – Flags IPs listed in attacker feeds or threat intelligence sources.

    • Bot – Indicates whether the IP is associated with automated or malicious bot activity.

    • VPN Feeds – Detects if the IP appears in intelligence feeds of commercial or public VPN services (the flag reflects listing in those feeds, not Virtual Private Network use in general).

    • Private – Shows whether the IP belongs to private ranges or anonymization services.


4. Ports Section

The Ports Section provides a detailed breakdown of the network services exposed by each subdomain. AttackMetricx goes beyond simple enumeration, delivering both TCP and UDP visibility enriched with contextual security data.

  • External Ports: Total count of open TCP ports identified on the subdomain.

  • UDP Ports: AttackMetricx also performs discovery on UDP services (e.g., DNS, SNMP), which are often overlooked but can be exploited if left exposed.

  • Risky Ports: Highlights ports that are frequently targeted or known to be insecure (e.g., FTP, RDP, Telnet).

  • HTTP Only: Flags services that are accessible only via HTTP without HTTPS, a critical misconfiguration that leaves traffic unencrypted.

  • Cloud Detection: Identifies whether the service is hosted on a recognized cloud provider. If marked Undetected, no match was found in known cloud IP ranges.

  • Missed Headers: Shows the count of missing or misconfigured HTTP security headers, such as Strict-Transport-Security or X-Content-Type-Options. Missing these can expose applications to attacks like XSS and clickjacking.

⚠️ Note on Cloudflare Ports

Cloudflare supports a set of non-standard HTTP(S) ports by default, such as 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8443, 8880. Their presence does not necessarily mean the origin server is exposing them, but that they are accessible through Cloudflare’s edge network.
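The note above matters when triaging a port list exported from a scan. The following is an added example, not AttackMetricx code: it buckets open ports using the Cloudflare port list and the risky services named on this page. The function name, the input shape, the port numbers mapped to FTP, Telnet and RDP, and the simplified HTTP-only test are assumptions made for illustration.

```python
# Added example, not AttackMetricx code. Port sets are taken from this page.
CLOUDFLARE_EDGE_PORTS = {2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8443, 8880}
RISKY_PORTS = {21: "FTP", 23: "Telnet", 3389: "RDP"}  # standard ports of the services named above


def triage_ports(provider, open_ports):
    """Bucket a subdomain's open TCP ports for review.

    provider   -- hosting provider string as shown on the card (assumed input)
    open_ports -- iterable of open TCP port numbers from a scan export
    """
    ports = set(open_ports)
    behind_cloudflare = "cloudflare" in provider.lower()
    result = {"edge_only": [], "risky": [], "review": []}
    for port in sorted(ports):
        if port in RISKY_PORTS:
            result["risky"].append((port, RISKY_PORTS[port]))
        elif behind_cloudflare and port in CLOUDFLARE_EDGE_PORTS:
            # Reachable on Cloudflare's edge; says nothing about the origin,
            # which still needs its own firewall check.
            result["edge_only"].append(port)
        elif port not in (80, 443):
            result["review"].append(port)
    # Simplified HTTP-only test: plain HTTP is open and HTTPS is not.
    result["http_only"] = 80 in ports and 443 not in ports
    return result


# Constructed sample inputs.
CLOUDFLARE_HOST = triage_ports("Cloudflare, Inc.", [80, 443, 2052, 2053, 8443, 22])
OTHER_HOST = triage_ports("Example Hosting Ltd", [80, 21, 2052, 3389])

if __name__ == "__main__":
    print(CLOUDFLARE_HOST)
    print(OTHER_HOST)
```

The same port (2052) lands in edge_only behind Cloudflare and in review on any other provider, which is the distinction the note draws.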

When you click on a subdomain, AttackMetricx provides in-depth service details per port, including:

  • Active Service Identification: Shows the exact service or protocol running on the port (e.g., HTTPS, SSH, MySQL).

  • WAF Protection: Indicates whether the service is protected by a Web Application Firewall and the provider (e.g., Cloudflare WAF).

  • Certificate Status: Validates whether SSL/TLS certificates are correctly deployed and identifies certificate issues.

  • Security Headers Check: Verifies if proper HTTP security headers are implemented for web services on that port.

  • Request & Response Body: Displays raw HTTP request and response data, enabling analysts to verify how the service responds under real-world conditions.

  • Technology Fingerprinting: Detects technologies in use on the service (e.g., WordPress, PHP, Nginx, Bootstrap).


5. Screenshot Preview

A live snapshot of the subdomain’s homepage (if accessible), confirming whether the site is active and rendering content.


6. Technology Stack

Identifies technologies used by the subdomain (e.g., WordPress, PHP, Bootstrap, MySQL).

This is valuable because:

  • Outdated CMS or plugins may introduce CVEs.

  • Frameworks and libraries highlight potential attack vectors.

  • New protocols (e.g., HTTP/3) indicate modern adoption but require secure configurations.


7. Vulnerabilities

Displays vulnerabilities detected on the subdomain, classified by type and severity.

  • Passive Detection: Identifies known fingerprints and exposed meta-information.

  • Active Scanning: AttackMetricx runs its custom Vulnerability Scanning Engine, built with tailored tools, templates, and exploit checks, to validate risks beyond passive data.

  • Exploitable Flag: Shows whether the vulnerability is practically exploitable or informational only.


8. Certificates

Provides certificate details if available, including validity status, issuer, and expiration. Missing certificates or weak configurations are highlighted under Certificate Issues.


9. Web Application Firewall (WAF)

Indicates whether the subdomain is protected by a WAF and identifies the provider (e.g., Cloudflare WAF enabled).


10. HTTP Response Headers

Displays raw HTTP response headers from the server, including:

  • Date, Server, Content-Type, CF-RAY and more.

  • Highlights missing security headers such as:

    • Strict-Transport-Security (HSTS) – Prevents protocol downgrade attacks.

    • Content-Security-Policy (CSP) – Mitigates cross-site scripting.

    • X-Frame-Options – Protects against clickjacking.

    • X-XSS-Protection – Helps detect reflected XSS attacks.

Headers marked N/A indicate missing or improperly set policies.
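To reproduce this check outside the platform, the added example below (not AttackMetricx code) audits a raw response head for the four headers listed above. The ok / misconfigured labels, the validity rules and the sample response are assumptions constructed for illustration; the platform reports both missing and improperly set headers as N/A.

```python
import re


def _hsts_ok(value):
    # HSTS is only effective with a positive max-age; max-age=0 clears the policy.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0


# The four security headers this page lists, each with a minimal validity rule.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    # Legacy header: only a leading 0 or 1 is checked here.
    "x-xss-protection": lambda v: v.strip().startswith(("0", "1")),
}


def parse_headers(raw):
    """Parse a raw HTTP response head into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return header -> 'ok', 'misconfigured' or 'N/A' (header absent)."""
    headers = parse_headers(raw)
    report = {}
    for name, is_valid in CHECKS.items():
        if name not in headers:
            report[name] = "N/A"
        else:
            report[name] = "ok" if is_valid(headers[name]) else "misconfigured"
    return report


# Constructed sample response head (values are illustrative only).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: cloudflare\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
)
```

A header that is present but ineffective, such as the max-age=0 HSTS value in the sample, is worth separating from one that is absent, since the remediation differs.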


11. HTTP Response

Shows the raw server response body and status (e.g., 200 OK).

This confirms the subdomain is live and serving valid content.

