🔍 Part 1: Subdomain Enumeration
Complete guide to finding all subdomains of your target
⚠️ Only test domains you own or have permission to test
📌 What is Subdomain Enumeration?
Subdomain enumeration is the process of finding all subdomains associated with a domain. This helps discover hidden applications, test environments, and forgotten services.
🤖 Automated Enumeration Tools
Subfinder
subfinder -d example.com -all -recursive -o subfinder.txt
Fast subdomain discovery using multiple data sources (Google, VirusTotal, AlienVault, etc.)
Assetfinder
assetfinder --subs-only example.com > assetfinder.txt
Find domains and subdomains associated with a given domain
Sublist3r
sublist3r -d example.com -e baidu,yahoo,google,bing,ask,netcraft,virustotal,threatcrowd,crtsh,passivedns -v -o sublist3r.txt
OSINT-based subdomain enumeration using search engines
Amass (Passive)
amass enum -passive -d example.com | cut -d']' -f 2 | awk '{print $1}' | sort -u > amass.txt
In-depth attack surface mapping using passive sources
Amass (Active)
amass enum -active -d example.com -o amass_active.txt
Active enumeration with DNS resolution
🌐 Certificate & Archive Sources
Certificate Transparency (crt.sh)
curl -s https://crt.sh/?q=%.example.com\&output=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > crtsh.txt
Find subdomains from SSL certificate logs
Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u > wayback.txt
Historical subdomains from web archives
SecurityTrails
curl -s "https://api.securitytrails.com/v1/domain/example.com/subdomains?apikey=YOUR_API_KEY" | jq -r '.subdomains[]' | awk '{print $1".example.com"}' > securitytrails.txt
API-based subdomain discovery (requires API key)
⚡ Bruteforce & Permutation
FFUF Subdomain Bruteforce
ffuf -u "https://FUZZ.example.com" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200,301,302 -ac
Bruteforce subdomains using wordlist
DNS Bruteforce with Gobuster
gobuster dns -d example.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
Fast DNS bruteforcing
Alterx Permutations
echo example.com | alterx -enrich | dnsx -silent
Generate and resolve subdomain permutations
📊 Processing & Validation
Merge All Results
cat *.txt | sort -u > all_subdomains.txt
Combine and deduplicate all discovered subdomains
DNS Resolution Check
cat all_subdomains.txt | dnsx -silent -a > resolved_subdomains.txt
Check which subdomains actually resolve to IPs (prints the resolving names; add -resp to also show the IP next to each name, but not -resp-only, which outputs only the IPs and drops the names the next step needs)
HTTP Probing
cat resolved_subdomains.txt | httpx -silent -ports 80,443,8080,8443 -status-code -title -tech-detect > alive_subdomains.txt
Find live web servers among resolved subdomains
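The raw files fed into the merge step disagree on format: crt.sh emits "*." wildcards, the Wayback query leaves schemes, paths and ports, amass may prefix a source tag, DNS output may carry a trailing dot, and archive results can contain names outside the target. The POSIX sh function below is an added example (not part of the original post) that cleans those lines and keeps only names under the given apex; the sample input lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): tidy the mixed output of the
# tools above before merging with "cat *.txt | sort -u". Assumes only POSIX sh,
# tr, sed, awk and sort. Reads raw lines on stdin, prints one clean, in-scope,
# deduplicated hostname per line for the apex domain given as $1.
normalize_subdomains() {
  apex="$1"
  # Lower-case, then strip, in order: an amass-style "[Source] " prefix, an
  # http(s):// scheme, any path, a :port suffix, a crt.sh "*." wildcard, a
  # trailing dot from DNS output, and surrounding whitespace.
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^\[[^]]*\][[:space:]]*//' \
          -e 's#^[a-z]*://##' \
          -e 's#/.*$##' \
          -e 's/:[0-9]*$//' \
          -e 's/^\*\.//' \
          -e 's/\.$//' \
          -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | awk -v apex="$apex" '
        # Keep only the apex itself or names ending in ".<apex>", and drop
        # anything that is not a plausible hostname (leftover junk, blanks).
        ($0 == apex || substr($0, length($0) - length(apex)) == "." apex) &&
          $0 ~ /^[a-z0-9._-]+$/ { print }' \
    | LC_ALL=C sort -u
}

# Constructed sample resembling lines from crt.sh, wayback, amass and httpx.
demo_normalize() {
  printf '%s\n' \
    'https://WWW.example.com/login' \
    '*.example.com' \
    '[crtsh] api.example.com.' \
    'dev.example.com:8443' \
    'http://web.archive.org/web/2019/old.example.com' \
    'example.com.evil.net' \
    'notexample.com' \
    'mail.example.com' \
    'api.example.com' \
    | normalize_subdomains example.com
}

demo_normalize
```

Run it as `cat *.txt | normalize_subdomains example.com > all_subdomains.txt` in place of the plain merge so that out-of-scope names never reach the resolution and probing steps.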
📦 Installation Commands
# Install Go tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/ffuf/ffuf@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/alterx/cmd/alterx@latest
# Install Python tools
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt
# Install with apt
sudo apt update
sudo apt install amass gobuster jq -y
💡 Pro Tips
- ✓ Always use multiple tools - each tool finds different subdomains
- ✓ Get API keys for best results (SecurityTrails, VirusTotal, Shodan)
- ✓ Use the -all flag with subfinder for maximum coverage
- ✓ Check certificate transparency logs regularly - new subdomains appear daily
- ✓ Save your results in a wordlist for future reference
Next Post: Part 2 - ASN & IP Discovery ▶️