How do you find subdomains for github.com?

We utilize passive Open Source Intelligence (OSINT) techniques, primarily querying Certificate Transparency (CT) logs, search engine indexes, and public DNS datasets to locate subdomains without actively brute-forcing the target servers.

What is a Subdomain Takeover on github.com?

A takeover occurs when a subdomain of github.com has a DNS record pointing to a decommissioned third-party service (like an expired AWS S3 bucket). An unauthorized actor can claim that bucket and serve malicious content on the legitimate subdomain.

Why are there hidden subdomains on github.com?

Large organizations frequently spin up temporary subdomains for development ('dev.github.com'), testing ('staging.github.com'), or third-party integrations ('help.github.com'). These are often forgotten and left unpatched, creating a shadow IT risk.

github.com Subdomain Enumeration & internet-facing assets Mapping

Mapping the Footprint of github.com

While the main website (`www.github.com`) is heavily defended by web application firewalls and security teams, subdomains often host forgotten or unmonitored infrastructure. Finding these subdomains is the foundational first step in any compliance audit or Bug Bounty engagement.

The Danger of Shadow IT

"Shadow IT" refers to servers and applications deployed without the knowledge of the central security team. By enumerating the subdomains of github.com, researchers frequently discover exposed administrative panels (`admin.github.com`), legacy API versions (`v1-api.github.com`), or vulnerable staging environments containing debug code.

Investigation Workflows

Port Scanning: Once a list of subdomains is generated, the next step is running a port scan against each unique IP to identify running services.
CNAME Resolution: Analyzing the DNS records of each subdomain to check for Subdomain Takeover configuration risks on services like AWS, GitHub Pages, or Heroku.

Frequently Asked Questions

Will this scan trigger security alerts on github.com?

No. ReconShield uses completely passive techniques. We query third-party databases and public logs, meaning no traffic is sent directly to github.com during the enumeration phase.

Why are some subdomains offline?

A subdomain may exist in historical DNS records or CT logs but the underlying server may have been decommissioned. Only a live DNS resolution can confirm if the subdomain is currently active.

Can wildcard certificates hide subdomains?

Yes. If an organization exclusively uses a wildcard certificate (*.github.com), individual subdomains will not be recorded in Certificate Transparency logs, requiring active brute-forcing to discover them.

github.com Subdomains

Live Enumeration