Why Subdomain Enumeration Matters
Subdomain enumeration is the process of discovering all subdomains associated with a target domain. During penetration testing reconnaissance, subdomains often expose forgotten systems, development environments, and legacy applications—each potentially vulnerable to attack. A single organization might own hundreds of subdomains, many unknown to security teams. Comprehensive enumeration ensures no attack surface remains unexplored.
This reconnaissance technique is passive when it relies on public databases and only lightly active when it issues ordinary DNS queries, making it one of the safest initial steps in authorized penetration testing. Understanding multiple enumeration approaches provides redundancy and increases discovery completeness.
Passive Subdomain Enumeration Methods
Certificate Transparency Logs
SSL/TLS certificates reveal subdomains in the Subject Alternative Name (SAN) field. Search certificate databases for historical entries.
crt.sh Method:
Visit https://crt.sh/ in your browser and search for your target domain; the % wildcard matches every name that ends in the domain, so the search returns certificates issued for its subdomains as well:
%.example.com
Alternatively, use curl to retrieve certificates programmatically (%25 is the URL-encoded %, and jq -r prints the names without surrounding quotes):
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
This lists every name found in certificates issued for the target domain. A single name_value entry can hold several names separated by newlines, and wildcard entries such as *.example.com appear verbatim, so the raw list still needs cleanup before use.
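As an added example (not code from the original page or from crt.sh), the following Python parser handles the cases the jq one-liner glosses over: several newline-separated names in one name_value field, mixed case, wildcard entries, and look-alike names that merely contain the target domain. It also keeps the newest certificate expiry seen for each name, so names whose last certificate has already expired can be flagged as possible forgotten systems. The JSON below is constructed sample data shaped like crt.sh's output (common_name, name_value and not_after are real crt.sh fields); the dates and hostnames are made up.

```python
import json
from datetime import datetime

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (not real certificate records)
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2026-03-01T00:00:00"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com",
     "not_after": "2025-06-30T23:59:59"},
    {"common_name": "api.example.com", "name_value": "API.Example.com\nstaging.example.com",
     "not_after": "2026-01-15T12:00:00"},
    {"common_name": "example.com.attacker-controlled.test",        # look-alike, out of scope
     "name_value": "example.com.attacker-controlled.test",
     "not_after": "2026-01-01T00:00:00"},
    {"common_name": "legacy.example.com", "name_value": "legacy.example.com",
     "not_after": "2021-04-10T00:00:00"},                           # expired long ago
    {"common_name": "www.example.com", "name_value": "www.example.com",
     "not_after": "2024-03-01T00:00:00"},                           # older cert for a known name
])


def normalize_name(name, domain):
    """Lowercase, strip trailing dots and wildcard labels; None if not a subdomain of domain.

    A wildcard entry like *.dev.example.com does not name a host, but it does tell us
    the dev.example.com zone exists, so the wildcard label is dropped rather than discarded.
    """
    n = name.strip().lower().rstrip(".")
    while n.startswith("*."):
        n = n[2:]
    if n == domain or not n.endswith("." + domain):
        return None
    return n


def parse_crtsh(json_text, domain):
    """Return {subdomain: newest not_after datetime} from crt.sh JSON output."""
    latest = {}
    for rec in json.loads(json_text):
        # common_name is sometimes absent from name_value, so consider both
        names = [rec.get("common_name", "")] + rec.get("name_value", "").split("\n")
        expiry = datetime.fromisoformat(rec["not_after"])
        for raw in names:
            n = normalize_name(raw, domain)
            if n and (n not in latest or expiry > latest[n]):
                latest[n] = expiry
    return dict(sorted(latest.items()))


def expired_only(parsed, now):
    """Names whose newest certificate has expired: candidates for forgotten or retired hosts."""
    return sorted(name for name, exp in parsed.items() if exp < now)


if __name__ == "__main__":
    parsed = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for name, exp in parsed.items():
        print(f"{name:25} newest cert expires {exp:%Y-%m-%d}")
    print("expired only:", expired_only(parsed, datetime.now()))
```

Feed it the file saved from the curl command (json_text = open("crt.json").read()) and the in-scope filter keeps names such as example.com.attacker-controlled.test out of the result set, which a plain endswith("example.com") check would let through.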
DNS Brute-Force with Wordlists
Test common subdomain names against a resolver (or directly against the domain's authoritative servers):
# Using dig: +short prints only the answer and prints nothing when no record exists
for sub in www api admin mail dev staging; do
  dig +short "$sub.example.com" @8.8.8.8
done
# Using host with a wordlist, one candidate label per line
while read -r sub; do
  host "$sub.example.com" 8.8.8.8
done < subdomains.txt
Create wordlists from common subdomain patterns:
# Basic common subdomains
echo -e "www\napi\nadmin\nmail\ndev\nstaging\nftp\nmail2" > basic-subs.txt
# Or use pre-built wordlists
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt
WHOIS Enumeration
Historical DNS records and WHOIS data sometimes reveal subdomains indirectly, through nameservers, contacts, and related registrations:
whois example.com
Look for:
- Nameservers
- Administrative contacts
- Historical registrations
- Related domains
Automated Subdomain Discovery Tools
Sublist3r
Sublist3r combines multiple enumeration techniques in a user-friendly tool. Installation:
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
python3 -m pip install -r requirements.txt   # preferably inside a virtualenv rather than with sudo
Basic usage:
python3 sublist3r.py -d example.com
With multiple sources:
python3 sublist3r.py -d example.com -t 10 -e google,bing,yahoo,baidu
Saving results:
python3 sublist3r.py -d example.com -o subdomains.txt
Sublist3r queries:
- Google
- Bing
- Yahoo
- Baidu
- Ask.com
- Netcraft
- Virustotal
- ThreatCrowd
- DNSDumpster
OWASP Amass
Amass is a powerful subdomain enumeration framework supporting extensive data sources:
# Installation
sudo snap install amass
# Basic enumeration
amass enum -d example.com
Comprehensive enumeration with output:
amass enum -d example.com -o subdomains.txt
Using specific data sources (-include restricts Amass to the named sources, -exclude removes them, and amass enum -list prints the available source names):
amass enum -d example.com -include censys,certspotter,crtsh,shodan,threatcrowd,virustotal
Controlling DNS resolution:
# The default enum mode resolves every discovered name; -passive collects names from
# data sources only, and -active additionally attempts zone transfers and pulls names
# from TLS certificates
amass enum -d example.com -passive
amass enum -d example.com -active
Amass integrates with APIs from:
- Censys
- Certspotter
- Certificate Transparency logs
- Shodan
- Threat Crowd
- VirusTotal
- And many others
Subfinder
Subfinder is a fast, simple tool focused on speed:
# Installation
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Basic scan
subfinder -d example.com
# Save results
subfinder -d example.com -o subs.txt
# Resolver list for the active checks enabled by -nW (keep only names that resolve)
subfinder -d example.com -nW -rL resolvers.txt
By default Subfinder queries passive sources without DNS resolution, which makes it extremely fast; resolve the results afterwards (or run with -nW) before trusting them.
Advanced Enumeration Techniques
Google Dorking for Subdomains
Use search operators to find indexed subdomains:
site:*.example.com
site:example.com -site:www.example.com
site:*.example.com intitle:"admin" OR intitle:"dashboard"
Shodan and Search Engines
Search IP address databases and SSL certificates:
# Using Shodan API
curl "https://api.shodan.io/dns/domain/example.com?key=YOUR_API_KEY"
# Using public Shodan interface
# Visit shodan.io and search: org:"Company Name" OR hostname:example.com
DNS Zone Transfer Attacks
If the target allows zone transfers, retrieve all DNS records:
# Attempt zone transfer
dig @ns1.example.com example.com axfr
# Using host command
host -l example.com ns1.example.com
Zone transfers are rarely allowed but occasionally reveal every record in the zone when misconfigured. On nameservers you administer, restrict transfers to the addresses of your secondaries (allow-transfer in BIND, for instance) and confirm that the commands above return a transfer failure.
Reverse DNS Lookup
Perform reverse DNS on IP ranges associated with the domain:
# Find the target's addresses, then look up the owning netblock (whois on the IP)
nslookup example.com
# Reverse-resolve every address in the netblock; 192.168.1.0/24 is only a placeholder
# (a private range), substitute the public block you identified
for ip in 192.168.1.{1..254}; do
  host "$ip" | grep -v "not found"
done
Practical Subdomain Enumeration Workflow
Combine multiple tools for maximum coverage:
Step 1: Certificate transparency
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u > ct-subs.txt
Step 2: OWASP Amass with validation
amass enum -d example.com -o amass-subs.txt   # default enum mode resolves every name it finds
Step 3: Sublist3r for additional sources
python3 sublist3r.py -d example.com -t 10 -o sublist3r-subs.txt
Step 4: Combine and deduplicate
cat ct-subs.txt amass-subs.txt sublist3r-subs.txt | sort -u > all-subdomains.txt
Step 5: Verify active subdomains
# Quick verification: ping only tests ICMP on one resolved address, so hosts that filter
# ICMP look inactive; a DNS lookup or httprobe is the more reliable check
while read -r sub; do
  ping -c 1 -W 1 "$sub" >/dev/null 2>&1 && echo "Active: $sub"
done < all-subdomains.txt
# Or use httprobe for web services
cat all-subdomains.txt | httprobe -c 50 > active-subdomains.txt
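The following added example (not part of the original page and not the code of any tool it mentions) implements steps 4 and 5 in Python rather than shell. It merges the per-tool result lists while recording which tool reported each name (the "document sources" practice described later on this page), drops look-alike names outside the target domain, and verifies names with a wildcard-aware check: a zone with a wildcard record answers for any label, which turns every brute-forced or scraped candidate into a false positive unless the wildcard answer is identified and excluded. The tool outputs, the fake zone and fake_resolve are constructed sample data so the block runs offline; real_resolve uses only the standard library.

```python
import secrets
import socket

# Constructed per-tool results standing in for ct-subs.txt, amass-subs.txt and
# sublist3r-subs.txt (sample data, not real enumeration output)
TOOL_OUTPUTS = {
    "crt.sh": ["www.example.com", "api.example.com", "*.dev.example.com", "old.example.com"],
    "amass": ["www.example.com", "API.example.com", "vpn.example.com",
              "example.com.attacker-controlled.test"],
    "sublist3r": ["www.example.com", "staging.example.com", "notexample.com", "old.example.com"],
}


def normalize(name, domain):
    """Lowercase, drop trailing dots and wildcard labels; None if the name is not under domain."""
    n = name.strip().lower().rstrip(".")
    while n.startswith("*."):
        n = n[2:]
    return n if n.endswith("." + domain) else None


def merge_sources(outputs, domain):
    """Merge tool outputs into {subdomain: [tools that reported it]}, sorted for reporting."""
    merged = {}
    for tool, names in outputs.items():
        for raw in names:
            n = normalize(raw, domain)
            if n:
                merged.setdefault(n, set()).add(tool)
    return {name: sorted(tools) for name, tools in sorted(merged.items())}


def real_resolve(name):
    """Resolve a name to its IPv4 addresses with the standard library; [] when it does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def wildcard_answers(domain, resolve, probes=3):
    """Resolve random labels that cannot exist; any answer means the zone has a wildcard record.

    Several probes are used because some wildcard setups rotate between addresses.
    """
    ips = set()
    for _ in range(probes):
        ips.update(resolve(f"{secrets.token_hex(8)}.{domain}"))
    return ips


def verify(subdomains, domain, resolve=real_resolve):
    """Return {name: [ips]} for names that resolve to something other than the wildcard answer."""
    wildcard = wildcard_answers(domain, resolve)
    active = {}
    for name in subdomains:
        ips = set(resolve(name))
        if ips and not ips <= wildcard:
            active[name] = sorted(ips)
    return active


# Constructed fake zone for offline demonstration: three real hosts plus a wildcard record
FAKE_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.11"],
    "vpn.example.com": ["198.51.100.5"],
}


def fake_resolve(name):
    """Stand-in resolver: listed hosts answer normally, every other name under example.com hits the wildcard."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return ["203.0.113.99"] if name.endswith(".example.com") else []


if __name__ == "__main__":
    merged = merge_sources(TOOL_OUTPUTS, "example.com")
    for name, tools in merged.items():
        print(f"{name:25} found by {', '.join(tools)}")
    # Swap fake_resolve for real_resolve (the default) to verify names on a live resolver
    print("active (not wildcard):", verify(merged, "example.com", fake_resolve))
```

Against the constructed zone, dev, old and staging all answer with the wildcard address and are dropped, while www, api and vpn survive with their own addresses; on real data the same filter is what stops a wildcard zone from inflating the "active" list.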
Integrating with Nmap and Port Scanning
Once you have subdomains, scan them for open ports:
# Convert subdomains to IP addresses (A records only; match "has IPv6 address" for AAAA)
while read -r sub; do
  host "$sub" | grep "has address" | awk '{print $4}'
done < all-subdomains.txt | sort -u > ips.txt
# Check who owns these addresses before scanning: names that CNAME to a CDN or shared
# hosting provider resolve to third-party infrastructure that is usually outside the authorized scope
nmap -iL ips.txt -p 22,80,443,3306,5432,8080,8443 -oA results
Using Paid Services
For comprehensive enumeration, consider:
- VirusTotal: Free API with 4 requests/minute; submit domains for subdomain scanning
- Shodan: Commercial API with extensive database of internet-connected devices
- Censys: Certificate and host scanning database with free tier
API Integration Example
# VirusTotal API (free tier)
curl -s "https://www.virustotal.com/api/v3/domains/example.com/subdomains?limit=40" \
-H "x-apikey: YOUR_API_KEY" | jq '.data[] | .id'
Output Analysis and Next Steps
After enumeration, analyze results:
- Prioritize active subdomains: Which subdomains resolve and have web servers?
- Identify technologies: Run Wappalyzer or similar tools to identify software
- Categorize by purpose: admin, api, mail, dev, staging, etc.
- Assess sensitivity: Which subdomains likely contain sensitive information?
- Plan detailed testing: Schedule vulnerability scanning and manual testing
Best Practices for Subdomain Enumeration
Document sources: Track which tools discovered which subdomains for comprehensive reporting.
Verify results: Some tools may report false positives; confirm via DNS lookup.
Use multiple techniques: No single tool finds all subdomains; combination approaches provide better coverage.
Respect rate limiting: Aggressive enumeration may trigger security monitoring.
Check DNS records: Look for A, AAAA, MX, TXT, and CNAME records for a complete picture.
Track results over time: Subdomains change; re-enumerate periodically during extended assessments.
Conclusion
Comprehensive subdomain enumeration is fundamental to thorough reconnaissance. By combining passive certificate research, automated discovery tools, and active DNS validation, you identify substantially all subdomains associated with a target organization. This expanded attack surface often reveals forgotten systems and legacy applications—the most likely targets for vulnerability discovery.
Practice these techniques in your lab environment using intentionally vulnerable applications. During authorized assessments, apply a comprehensive enumeration approach combining multiple tools and data sources for maximum coverage and confidence in your findings.