# Subdomain Radar — Passive OSINT Enumeration (`saregaa/subdomain-scraper`) Actor

Discover subdomains silently. No brute-force — pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.

- **URL**: https://apify.com/saregaa/subdomain-scraper.md
- **Developed by:** [Saregaa](https://apify.com/saregaa) (community)
- **Categories:** Developer tools, SEO tools, Automation
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

from $1.00 / 1,000 results

This Actor is paid per event. You are not charged for Apify platform usage; you pay only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use the [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## 🔍 Subdomain Enumeration Toolkit

**Passive subdomain discovery with DNS validation, HTTP probing, and takeover detection.**

Built for security researchers, bug bounty hunters, and penetration testers who need fast, reliable subdomain enumeration without noisy brute-force traffic.

---

### ✨ What it does

For each target domain the Actor:

1. **Collects subdomains** from 5 passive OSINT sources simultaneously
2. **Resolves DNS** — finds the live IP address for each subdomain
3. **Probes HTTP/HTTPS** — checks status code, page title, server header, and redirects
4. **Detects takeover risks** — flags subdomains pointing to unclaimed cloud services

---

### 🗂️ Sources

| Source                   | Type                          | API key needed  |
| ------------------------ | ----------------------------- | --------------- |
| **Certspotter**    | Certificate Transparency logs | No              |
| **HackerTarget**   | Passive DNS archive           | No              |
| **RapidDNS**       | Passive DNS archive           | No              |
| **AlienVault OTX** | Threat intelligence           | Free (optional) |
| **URLScan.io**     | Internet scan archive         | No              |

> All sources are passive — no direct scanning, no brute-force, no traffic to the target.

---

### 🛡️ Takeover detection

Automatically checks 30+ services for dangling CNAME records:

GitHub Pages · Heroku · AWS S3 · AWS CloudFront · Azure Web Apps · Azure Blob · Netlify · Webflow · Shopify · Fastly · Zendesk · Ghost · GitBook · WP Engine · Surge · Bitbucket · Tumblr · and more.

Each finding is labeled as `high` (dangling — no IP) or `medium` (resolves but CNAME points to a cloud service).

---

### ⚙️ Input

| Field                | Type     | Default   | Description                                                              |
| -------------------- | -------- | --------- | ------------------------------------------------------------------------ |
| `domains`          | string[] | —        | **Required.** Target domains, e.g. `example.com`                 |
| `otxApiKey`        | string   | —        | OTX API key for extra results. [Get free key →](https://otx.alienvault.com) |
| `doResolve`        | boolean  | `true`  | Resolve DNS A records                                                    |
| `doProbe`          | boolean  | `true`  | HTTP/HTTPS probe per live host                                           |
| `doTakeover`       | boolean  | `true`  | Subdomain takeover detection                                             |
| `probeTimeoutSecs` | integer  | `7`     | Timeout per HTTP probe request                                           |
| `maxConcurrency`   | integer  | `30`    | Parallel DNS/HTTP workers                                                |
| `useApifyProxy`    | boolean  | `false` | Route probes through Apify residential proxies                           |

---

### 📦 Output

Each subdomain is saved as one row in the dataset:

```json
{
  "domain": "tesla.com",
  "subdomain": "api.tesla.com",
  "sources": ["Certspotter", "RapidDNS"],
  "dns_resolves": true,
  "dns_ip": "23.62.104.69",
  "http_status": 200,
  "http_title": "Tesla API",
  "http_server": "nginx",
  "http_redirect": "",
  "is_live": true,
  "takeover_risk": "none",
  "takeover_service": "",
  "scanned_at": "2026-05-30T12:00:00+00:00"
}
```

`takeover_risk` values: `none` / `medium` / `high`

A **RUN\_METADATA** record is also saved to the Key-Value Store:

```json
{
  "total_domains": 1,
  "total_subdomains": 308,
  "live_http": 291,
  "takeover_high": 2,
  "takeover_medium": 5,
  "scanned_at": "2026-05-30T12:00:00+00:00"
}
```
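
A defender-side way to work through a run of this Actor against your own domains, shown as an added example (not the Actor's code): it turns dataset rows into a prioritized remediation list, flags rows whose label disagrees with the `high`/`medium` rule described under Takeover detection, and checks the downloaded rows against `RUN_METADATA` to catch a truncated export. The sample rows are constructed, and counting `live_http` as rows with `is_live` set is an assumption.

```python
from collections import Counter

RISK_ORDER = {"high": 0, "medium": 1}  # rows labelled `none` are not findings

ACTIONS = {
    "high": "Remove or repoint the DNS record: the name no longer resolves to a host.",
    "medium": "Confirm the cloud resource behind the CNAME is still owned by you.",
}
REVIEW = "Re-check DNS by hand: the row disagrees with the documented label rule."

# Constructed sample data (illustrative hosts, documentation-range IPs).
SAMPLE_ROWS = [
    {"domain": "example.com", "subdomain": "www.example.com", "sources": ["Certspotter"],
     "dns_resolves": True, "dns_ip": "192.0.2.10", "is_live": True,
     "takeover_risk": "none", "takeover_service": ""},
    {"domain": "example.com", "subdomain": "docs.example.com", "sources": ["RapidDNS"],
     "dns_resolves": False, "dns_ip": "", "is_live": False,
     "takeover_risk": "high", "takeover_service": "GitHub Pages"},
    {"domain": "example.com", "subdomain": "shop.example.com", "sources": ["URLScan.io"],
     "dns_resolves": True, "dns_ip": "198.51.100.7", "is_live": True,
     "takeover_risk": "medium", "takeover_service": "Shopify"},
    {"domain": "example.com", "subdomain": "old.example.com", "sources": ["HackerTarget"],
     "dns_resolves": True, "dns_ip": "198.51.100.9", "is_live": True,
     "takeover_risk": "high", "takeover_service": "Heroku"},
    {"domain": "example.com", "subdomain": "api.example.com", "sources": ["Certspotter"],
     "dns_resolves": True, "dns_ip": "192.0.2.11", "is_live": True,
     "takeover_risk": "none", "takeover_service": ""},
]
SAMPLE_METADATA = {"total_domains": 1, "total_subdomains": 5, "live_http": 4,
                   "takeover_high": 2, "takeover_medium": 1}


def follows_label_rule(risk, resolves):
    """README rule: `high` = dangling (no IP), `medium` = resolves to a cloud service."""
    return (risk == "high" and not resolves) or (risk == "medium" and resolves)


def triage(rows):
    """Return takeover findings, one per subdomain, highest risk first."""
    findings = {}
    for row in rows:
        risk = row.get("takeover_risk", "none")
        if risk not in RISK_ORDER:
            continue
        name = row["subdomain"].lower().rstrip(".")
        kept = findings.get(name)
        # Merged datasets from several runs can repeat a name; keep the worst label.
        if kept is not None and RISK_ORDER[kept["risk"]] <= RISK_ORDER[risk]:
            continue
        consistent = follows_label_rule(risk, bool(row.get("dns_resolves")))
        findings[name] = {
            "subdomain": name,
            "risk": risk,
            "service": row.get("takeover_service", ""),
            "sources": sorted(row.get("sources", [])),
            "consistent": consistent,
            "action": ACTIONS[risk] if consistent else REVIEW,
        }
    return sorted(findings.values(), key=lambda f: (RISK_ORDER[f["risk"]], f["subdomain"]))


def reconcile(rows, metadata):
    """Compare row counts with RUN_METADATA; return {key: (expected, actual)} on mismatch."""
    risks = Counter(r.get("takeover_risk", "none") for r in rows)
    actual = {
        "total_subdomains": len(rows),  # one row per subdomain, per the README
        "live_http": sum(1 for r in rows if r.get("is_live")),  # assumed definition
        "takeover_high": risks["high"],
        "takeover_medium": risks["medium"],
    }
    return {k: (metadata[k], v) for k, v in actual.items()
            if k in metadata and metadata[k] != v}


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['risk']:<6} {f['subdomain']:<20} {f['service']:<13} {f['action']}")
    print("metadata mismatches:", reconcile(SAMPLE_ROWS, SAMPLE_METADATA))
```

A non-empty result from `reconcile` usually means the dataset download was paginated or cut short, so triage should be repeated on the full export.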

***

### 💡 Example use cases

- **Bug bounty recon** — map the full attack surface before starting an engagement
- **Penetration testing** — discover forgotten staging, dev, and internal subdomains
- **Takeover hunting** — find orphaned subdomains pointing to unclaimed Heroku apps, S3 buckets, GitHub Pages
- **Competitor intelligence** — understand a company's infrastructure layout
- **Attack surface monitoring** — run on a schedule to catch newly created subdomains

***

### 💰 Pricing

This Actor uses **Pay-Per-Event** billing:

| Event                    | Cost                           |
| ------------------------ | ------------------------------ |
| Actor start              | **$0.05** flat per run   |
| Per discovered subdomain | **$0.001** per subdomain |

**Example:** scanning `tesla.com` and finding 308 subdomains costs `$0.05 + 308 × $0.001 = $0.358`.

***

### 🔑 OTX API key (recommended)

AlienVault OTX significantly increases subdomain coverage — in tests it added 100+ unique subdomains on top of other sources.

1. Register free at **[otx.alienvault.com](https://otx.alienvault.com)**
2. Go to **Settings → API Key**
3. Paste the key into the `otxApiKey` input field

Free tier: **10,000 requests/hour**.

***

### 🖥️ Local testing

```bash
## Install dependencies
pip install -r requirements.txt

## Create input
mkdir -p storage/key_value_stores/default
cat > storage/key_value_stores/default/INPUT.json << 'JSON'
{
  "domains": ["example.com"],
  "otxApiKey": "your_key_here",
  "doProbe": true,
  "doTakeover": true
}
JSON

## Run
python src/main.py
```

Results are saved to `storage/datasets/default/`.

***

### 📋 Memory requirements

- **512 MB** — sufficient for most single-domain runs
- **1024 MB** — recommended for 10+ domains or large domains with 500+ subdomains

***

### ⚠️ Legal notice

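Use only on domains you own or have **explicit written permission** to test. The author is not responsible for misuse. Subdomain discovery is passive and does not send any traffic directly to the target; the HTTP probe step (`doProbe`, enabled by default) does connect to each live host, so set it to `false` when only passive reconnaissance is authorized.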

# Actor input Schema

## `domains` (type: `array`):

List of domains to enumerate. Example: example.com

## `otxApiKey` (type: `string`):

AlienVault OTX API key for additional passive DNS results. Free key at https://otx.alienvault.com → Settings → API Key. Without a key, the OTX source is skipped.

## `doResolve` (type: `boolean`):

Resolve each subdomain to an IP address.

## `doProbe` (type: `boolean`):

Check which subdomains respond to HTTP/HTTPS. Collects status code, page title, and server header.

## `doTakeover` (type: `boolean`):

Detect potential subdomain takeovers via CNAME fingerprints (GitHub Pages, Heroku, AWS S3, Azure, Netlify, and 25+ more).

## `probeTimeoutSecs` (type: `integer`):

Max seconds to wait for HTTP response per subdomain.

## `maxConcurrency` (type: `integer`):

Number of parallel DNS/HTTP workers.

## `useApifyProxy` (type: `boolean`):

Route HTTP probe requests through Apify residential proxies. Improves reliability for heavily protected targets.

## Actor input object example

```json
{
  "domains": [
    "example.com"
  ],
  "doResolve": true,
  "doProbe": true,
  "doTakeover": true,
  "probeTimeoutSecs": 7,
  "maxConcurrency": 30,
  "useApifyProxy": false
}
```

# Actor output Schema

## `results` (type: `string`):

No description

## `runMetadata` (type: `string`):

No description

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "domains": [
        "example.com"
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("saregaa/subdomain-scraper").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "domains": ["example.com"] }

# Run the Actor and wait for it to finish
run = client.actor("saregaa/subdomain-scraper").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "domains": [
    "example.com"
  ]
}' |
apify call saregaa/subdomain-scraper --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=saregaa/subdomain-scraper",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Subdomain Radar — Passive OSINT Enumeration",
        "description": "Discover subdomains silently. No brute-force — pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.",
        "version": "0.0",
        "x-build-id": "Sm2RVmk5oUacK0qfK"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/saregaa~subdomain-scraper/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-saregaa-subdomain-scraper",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/saregaa~subdomain-scraper/runs": {
            "post": {
                "operationId": "runs-sync-saregaa-subdomain-scraper",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/saregaa~subdomain-scraper/run-sync": {
            "post": {
                "operationId": "run-sync-saregaa-subdomain-scraper",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "domains"
                ],
                "properties": {
                    "domains": {
                        "title": "Target domains",
                        "type": "array",
                        "description": "List of domains to enumerate. Example: example.com",
                        "items": {
                            "type": "string"
                        }
                    },
                    "otxApiKey": {
                        "title": "OTX API Key (optional)",
                        "type": "string",
                        "description": "AlienVault OTX API key for additional passive DNS results. Free key at https://otx.alienvault.com → Settings → API Key. Without key OTX source is skipped."
                    },
                    "doResolve": {
                        "title": "Resolve DNS",
                        "type": "boolean",
                        "description": "Resolve each subdomain to an IP address.",
                        "default": true
                    },
                    "doProbe": {
                        "title": "HTTP probe",
                        "type": "boolean",
                        "description": "Check which subdomains respond to HTTP/HTTPS. Collects status code, page title, and server header.",
                        "default": true
                    },
                    "doTakeover": {
                        "title": "Takeover detection",
                        "type": "boolean",
                        "description": "Detect potential subdomain takeovers via CNAME fingerprints (GitHub Pages, Heroku, AWS S3, Azure, Netlify, and 25+ more).",
                        "default": true
                    },
                    "probeTimeoutSecs": {
                        "title": "HTTP probe timeout (seconds)",
                        "minimum": 3,
                        "maximum": 30,
                        "type": "integer",
                        "description": "Max seconds to wait for HTTP response per subdomain.",
                        "default": 7
                    },
                    "maxConcurrency": {
                        "title": "Max concurrency",
                        "minimum": 5,
                        "maximum": 100,
                        "type": "integer",
                        "description": "Number of parallel DNS/HTTP workers.",
                        "default": 30
                    },
                    "useApifyProxy": {
                        "title": "Use Apify Proxy",
                        "type": "boolean",
                        "description": "Route HTTP probe requests through Apify residential proxies. Improves reliability for heavily protected targets.",
                        "default": false
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
