Searching SubDomains with

Posted on April 24th, 2018

I have stressed the importance of searching subdomains for several years. Online services for this come and go, and application-based solutions such as Knock and SubBrute have various levels of success. One of the more robust options is the website The following example should help explain the power of this free service.

After the recent Southwest flight emergency landing, I was seeking any hidden pages at the domain that could reveal additional information about the company. I was not expecting to find anything related to the incident, but grew curious as to what content might be behind the curtain of the standard website which allows for flight searching. I navigated to and entered as the domain. The direct URL for this is as follows.

I was presented with almost 200 subdomains for, a portion of which appear below.

These results include hyperlinks to the subdomains, the IP addresses of the servers hosting the content, and the country of origin. I found the following subdomains of interest, including a brief summary of the intelligence gleaned from the find.

forwards to the permission policy of the Responsys marketing company at I can now assume that Southwest sends marketing communications (spam) through this company.

presents an option for opting out of Southwest’s advertisement cookie placement. I don’t know how effective that would be, but it is interesting that they have the option.

possesses little information, but confirms that Southwest uses the NCR ticketing platform API for their passenger ticketing solution. This would be beneficial to an internal social engineering test.

forwards to Southwest’s investor portal, identifying an annual operating income of $3.5B.

connects to some type of API for Southwest. I did not dig too deep into that. Another option is at

allows for search of lost baggage tickets if you know the last name and an incident number.

and offer a mobile test site of a previous app build, but it appears to connect to live data. When is slow due to demand during a snow storm, I know where I will try.

I then started receiving a lot of “Access Denied” subdomains without a prompt for credentials. Those would be very interesting targets during an internal audit.

Nothing here is super sensitive or interesting, but it shows that there are almost always valuable details that are not visible on the main landing page. I think subdomains should be a mandatory step during any research into a domain name.

