Subdomain Enumeration

Subdomain Enumeration

Well, subdomain enumeration is important when you are hunting on wildcard enable scope programs. If you are able to get unique subdomains that other miss then it's a good chance for you to get some bugs

General Methodology

  • Passive

  • Active

  • Permutation


In this stage you have to use as much resources as you can to passivly gather subdomains Now a days it's not that much hard to do with community standard tools that usages API keys


  • Subfinder

  • Amass

  • Assetfinder

  • Findomain


In this stage you have to perform bruteforcing on your target host to see if the word from your wordlist resolve as valid subdomain or not


  • ShuffleDNS

  • Aiodnsbrute


In this stage you have to play around the subdomains. Now do changed with the words and see still it resolve as valid or not


Convert domains into ip address

while read l; do ip=$(dig +short $l|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head -1);echo "[+] '$l' => $ip";echo $ip >> ips.txt;done < domains.txt

we will use masscan for faster results

masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log

or you can use Naabu, RustScan.


  • AltDNS

  • DNSGen + ShuffleDNS

Reference & Resources

Theres a lot you can do. For now just mentioning communty standard approaches. Will be updating it regularly depending on the methodology comes out.


An automated framework can be used to automate those whole workflow


Mehedi Hasan Remon Rishi Choudhary

Last updated