How to Discover a Website's Assets | Subdomains and IP Addresses


Introduction

In a penetration test or security assessment, the first step is to discover a website’s assets, including its subdomains and IP addresses. Each of these assets can provide a different attack point or entry point into the website. In this article, we’ll discuss three web tools that can help you discover a website’s assets.

Discovering Subdomains with Subdomain Scan

One of the first steps in discovering a website’s assets is finding its subdomains. You can use command-line tools like Sublist3r, or web tools like Subdomains Console and the Subdomain Scan API by Hailbytes. In this article, we’ll focus on the Subdomain Scan API, which can help you find the subdomains of a website.

Let’s take Rapid API as an example. Using the Subdomain Scan API, we can find its subdomains, including blog.rapidapi.com and forum.rapidapi.com. The tool also provides the IP addresses associated with these subdomains.

Mapping Out a Website with SecurityTrails

After finding a website’s subdomains, you can use SecurityTrails to map out the website and get a general idea of what it’s about. SecurityTrails can provide you with IP (A) records, NS records, and other DNS records. You can also get more subdomains from SecurityTrails, giving you more entry points into the target.

In addition, SecurityTrails allows you to check the historical data of a domain, such as the hosting providers it has used in the past. This can help you find any footprints left behind and attack through that entry point. Historical data is also useful for finding the real IP address of a website, especially if it’s hidden behind a CDN like Cloudflare: an old A record may still point at the origin server from before the CDN was put in front of it.

Discovering a Website's Real IP Address with Censys

Censys is another web tool you can use to discover a website’s assets. You can use it to find the real IP address of a domain by searching for it. For example, if we search for Rapid API on Censys, we can find its real IP address, hosted on Amazon Web Services (AWS).

By discovering a website’s real IP address, you can bypass the protection of a CDN like Cloudflare and attack the website directly. Additionally, Censys can help you find other servers that the domain is linked to.
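The "real IP behind the CDN" problem in the SecurityTrails and Censys sections above is the same check a site owner should run against their own scan results: any subdomain whose DNS answers fall outside the CDN's address ranges is an exposed origin. The following is an added example, not code from the article or from any of the tools it names; the CIDR blocks and hostnames are constructed placeholders (documentation ranges), not Cloudflare's real prefixes.

```python
import ipaddress

# Constructed placeholder CDN ranges (documentation prefixes, NOT real Cloudflare ranges).
# In practice, load the CDN's published IP list here.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed sample of what a subdomain scan plus DNS lookup might return.
RESOLVED = {
    "www.example.com":   ["203.0.113.10"],                  # fully behind the CDN
    "blog.example.com":  ["203.0.113.11", "198.51.100.7"],  # one record leaks past the CDN
    "forum.example.com": ["198.51.100.7"],                  # never put behind the CDN
    "old.example.com":   ["192.0.2.44"],                    # stale record to a former host
}


def is_behind_cdn(ip, cdn_ranges=CDN_RANGES):
    """True if the address lies inside one of the CDN's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cdn_ranges)


def find_exposed_origins(resolved, cdn_ranges=CDN_RANGES):
    """Return {subdomain: [ips outside every CDN range]} for hosts that expose an origin."""
    exposed = {}
    for host, ips in resolved.items():
        leaks = [ip for ip in ips if not is_behind_cdn(ip, cdn_ranges)]
        if leaks:
            exposed[host] = leaks
    return exposed


def shared_origins(exposed):
    """Group exposed hosts by IP: one leaked address fronting several names is
    the pattern that lets a scan of one subdomain reveal the origin for all of them."""
    by_ip = {}
    for host, ips in exposed.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


if __name__ == "__main__":
    exposed = find_exposed_origins(RESOLVED)
    for host, ips in sorted(exposed.items()):
        print(f"EXPOSED {host}: {', '.join(ips)}")
    for ip, hosts in shared_origins(exposed).items():
        print(f"SHARED  {ip} fronts {', '.join(hosts)}")
```

Feed it the real CDN prefix list and your own scan output; every line it prints is a name whose origin address can be reached without going through the CDN.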

Conclusion

In conclusion, discovering a website’s assets is an important step in a penetration test or security assessment. You can use web tools like the Subdomain Scan API, SecurityTrails, and Censys to find a website’s subdomains and IP addresses. By doing so, you gain different attack points and entry points into the website.