Subdomain Enumeration

Date: 2026-04-26 Sources: subfinder (passive), certspotter (cert transparency), amass (passive + stored DB) Active probing: none yet — Phase 2 Total unique subdomains: 75 (56 under corezoid.com, 19 under simulator.company)

corezoid.com (56)

Explicitly in-scope (per engagement letter)

Host	In-scope tag	Notes
`corezoid.com`	✓	Marketing / root
`www.corezoid.com`	✓ (wildcard)
`api.corezoid.com`	✓	Primary API
`admin.corezoid.com`	✓	Tenant admin (HAR provided)
`account.corezoid.com`	✓	Auth / SSO
`jira.corezoid.com`	✓	Atlassian Jira
`openapi.corezoid.com`	✓	OpenAPI spec host
`vpn.corezoid.com`	✓	VPN endpoint (fingerprint only)
`superadmin.corezoid.com`	✓	Not found in passive recon — check DNS direct

Discovered under `*.corezoid.com` (all in-scope via wildcard)

Production / customer-facing:

apigw.corezoid.com — API Gateway
connect.corezoid.com — likely integration endpoint
doc.corezoid.com — documentation
market.corezoid.com — marketplace?
book.corezoid.com — scheduling/booking?
mc.corezoid.com — management console?
ws.corezoid.com — WebSocket endpoint?

Admin / operator: ⚠️ High interest

admin-pre.corezoid.com — pre-prod admin
admin-oleg.dev.corezoid.com — named-developer subdomain — often forgotten
new.corezoid.com — new admin UI?
pre.corezoid.com — pre-prod
dev.corezoid.com — dev environment
sandbox.corezoid.com — sandbox env
4ages.sandbox.corezoid.com — customer-specific sandbox?

Git / CI / infra: ⚠️ High interest

git.corezoid.com — internal git?
gitlab-mambu.corezoid.com — customer-branded GitLab (Mambu) — auth scope?
registry.gitlab-mambu.corezoid.com — Docker registry
confluence-ferma.corezoid.com — customer-branded Confluence (Ferma) — auth scope?
eks.corezoid.com — EKS cluster endpoint?
k8s.dev.corezoid.com — k8s API in dev — if internet-exposed, critical
dev-devops.corezoid.com
zrok-dev.corezoid.com — zrok (tunneling) dev

Environment / deployment artifacts:

corezoid-6102-aws.corezoid.com, corezoid-6102-azure.corezoid.com, corezoid-6102-gcp.corezoid.com — version 6.10.2 multi-cloud deployments
syncapi.corezoid-6102-aws.corezoid.com + azure/gcp — sync API per cloud
test.corezoid69-aws.corezoid.com + azure/gcp — version 6.9 test deployments
syncapi.test.corezoid69-aws.corezoid.com + azure/gcp
apigw-develop.eks.corezoid.com, apigw-pre.eks.corezoid.com
connect-apigw-dev.eks.corezoid.com, connect-apigw-pre.eks.corezoid.com

Workflow / tracking:

track.dev.corezoid.com, track.pre.corezoid.com, track-ai.dev.corezoid.com — tracking/analytics
app-questionnaire.dev.corezoid.com
corezoid-ma.dev.corezoid.com — mobile app?
syncapi-ma.dev.corezoid.com
mw-dev-common-1.corezoid.com — MW dev instance
wu-test-iframe.corezoid.com, wu-ua-1.stage.corezoid.com — iframe widgets

simulator.company (19)

Explicitly in-scope

Host	Notes
`simulator.company`	Root
`doc.simulator.company`	Documentation
`mw.simulator.company`	Middleware (HAR provided)
`sim.simulator.company`	Simulator UI/app

Discovered under `*.simulator.company`

CDN layer (likely fronted):

cdn-mw.simulator.company
cdn-sim-mw.simulator.company
cdn-sim-dev.simulator.company, cdn-sim-dev2.simulator.company
cdn-sim-pre.simulator.company, cdn-sim-test.simulator.company

Environments:

connect-dev.simulator.company
sim-mw.simulator.company
doc-dev.simulator.company, doc-pre.simulator.company
console.simulator.company — admin console?

Infra / other:

eks.simulator.company — EKS
widget.simulator.company
sip-mono-dev-123.simulator.company — SIP service (telephony?) — numbered instance, likely dev/staged
sip-viber-dev-123.simulator.company — SIP-Viber integration dev

Phase 1 observations

Immediate attack surface candidates (for Phase 2 prioritization)

Priority	Host	Rationale
🔴 P0	`admin-oleg.dev.corezoid.com`	Named-developer dev subdomain — frequently misconfigured, forgotten
🔴 P0	`k8s.dev.corezoid.com`	Potentially exposed Kubernetes API
🔴 P0	`gitlab-mambu.corezoid.com` + registry	Customer-branded GitLab — RCE-class surface (CVE-2021-22205 etc.)
🔴 P0	`confluence-ferma.corezoid.com`	Confluence — CVE-2022-26134, CVE-2023-22515 class bugs
🔴 P0	`jira.corezoid.com`	Jira — multiple high-impact CVEs
🟠 P1	`admin-pre.corezoid.com`, `new.corezoid.com`	Admin UIs (non-prod may have weaker auth)
🟠 P1	`zrok-dev.corezoid.com`	zrok tunnel — if misconfigured, bypasses perimeter
🟠 P1	`corezoid-6102-{aws,azure,gcp}` + `corezoid69-{aws,azure,gcp}`	Version-labeled deployments — version disclosure + old versions possibly unpatched
🟠 P1	`eks.corezoid.com`, `eks.simulator.company`	Potentially direct k8s API endpoints
🟠 P1	`sip-mono-dev-123`, `sip-viber-dev-123`	Numbered instances (123 suggests sequential) — enumerable, dev-grade
🟡 P2	`mc.corezoid.com`, `ws.corezoid.com`, `connect.corezoid.com`	Primary product endpoints — fully audited in Phase 3/4
🟡 P2	All CDN-fronted `simulator.company` hosts	Behind CDN — origin IP discovery attempt

Gaps to resolve in Phase 2

superadmin.corezoid.com was listed in engagement scope but not found in passive recon — direct A/AAAA lookup needed to confirm existence
Origin IPs behind CDN-fronted hosts (several cdn-* names) — try dig +short, historical DNS, SSL cert SAN inspection
No passive data on port exposure yet — Phase 2 job

Tools that ran

Tool	Output	Status
subfinder	`recon/raw/subfinder-{corezoid,simulator}.txt`	✅ 69 hits
certspotter API	`recon/raw/certspotter-{corezoid,simulator}.txt`	✅ 42 hits
amass enum -passive	`recon/raw/amass-corezoid-clean.txt`	✅ 11 (DB-confirmed resolving)
amass (simulator.company)	—	⚠️ interrupted at 89% before hitting simulator domain; stored DB was empty
crt.sh	—	❌ 502 Bad Gateway throughout Phase 1 (upstream service issue)

Next phase

Phase 2 — Active recon. Awaiting CTO go-ahead per phase-gated RoE. Will run:

httpx probe across all 75 subdomains: status, title, tech fingerprint, TLS grab
nmap -Pn -sV --top-ports 1000 on the P0 list (13 hosts)
nmap -Pn -sV -p 443 --script ssl-cert on all 75 for SAN harvest (origin IP discovery + more subdomains from certs)
Confirmation of superadmin.corezoid.com via direct DNS
Content discovery (/robots.txt, /.well-known/security.txt, /sitemap.xml) on top 20 live hosts