Skip to main content

Subdomain enumeration

Usage

We know many security researchers want to keep their current workflow and just use Profundis as a subdomain enumeration tool. We tried to make the usage of this feature as simple as possible.

You can perform a subdomain enumeration

  • Directly from the web UI and get a CSV, JSON or TXT file ;
  • Using a curl request (see below).
warning

The subdomains enumeration API endpoint returns all the subdomains for a given domain. To avoid wasting your results quota in a single query you can first run a DNS search to identify the number of items you are going to retrieve.

You can use the following curl command. Replace example.com by the domain of your choice. The domain parameter accepts domain names (e.g. example.com), not wildcard values (e.g. *.example.com). Note that you can also specify subdomains like api.domain.com if you expect to see other subdomains behind this value like sub.api.domain.com.

See how to generate an API key here.

API_KEY=xxx
curl "https://api.profundis.io/api/v2/common/data/subdomains" \
  -H "X-API-KEY: $API_KEY" \
  -H "Accept: text/event-stream" \
  -N \
  -X POST \
  -d '{
    "domain": "example.com"
  }'

Frequent questions

The API returned less results than what I see in the UI

The DNS search UI page shows all DNS records and their historical resolutions (all IP addresses or hostnames for CNAMEs). However, when you use the subdomain enumeration API endpoint, we perform deduplication on the host value to provide clean output without duplicates.

What happens when I reach my quota?

We will return an error message saying that you reached your quota. It will be JSON formated as below so that you can easily detect it in your automated workflow.

{"code":"Q2012","message":"You have exceeded your subdomains enumeration quota for this month."}