Subdomain & Port Scanning Guide

In cybersecurity, discovering what’s hidden beneath a domain is often the first step in uncovering security risks. Techniques like subdomain enumeration, port scanning, and HTTP server detection help ethical hackers and security experts analyze network vulnerabilities effectively.

Subdomain Enumeration ​

Subdomain enumeration is the process of finding hidden or forgotten subdomains of a website - for example, admin.example.com or test.example.com.

These hidden subdomains may expose:

• Development environments
• Admin panels
• Misconfigured servers

Popular Tools:

• Sublist3r
• Amass
• Assetfinder

Tip: Always verify discovered subdomains for live services before scanning further.

---

Port Scanning ​

Once you know the target, the next step is port scanning - identifying which network ports are open and what services are running on them.

Example Tools:

• Nmap - the classic, detailed scanner
• Masscan - for fast, wide scans

Example Command:
nmap -p 1-65535 -T4 -A -v <target>

This helps detect open ports like 22 (SSH), 80 (HTTP), or 443 (HTTPS), revealing entry points attackers might exploit.

---

HTTP Web Server Detection ​

After finding live hosts, security testers identify HTTP web servers and analyze their configurations.

What You Can Learn:

• Server type (e.g., Apache, Nginx, IIS)
• Framework versions (e.g., PHP, Node.js)
• Potential misconfigurations

Tools to Try:

• WhatWeb
• Wappalyzer
• Nikto

These tools reveal technologies in use and help locate outdated or vulnerable components.

---

Why These Techniques Matter ​

Together, these three steps create a foundation for penetration testing:

1. Find hidden subdomains.
2. Identify open ports.
3. Analyze web server configurations.

They give cybersecurity professionals a full picture of a system’s exposure - helping fix weaknesses before hackers can exploit them.