Subdomain Enumeration

Subdomain Enumeration is the process of discovering subdomains belonging to a target domain during reconnaissance. Subdomains often expose forgotten services, development environments, or internal applications with weaker security.

Enumeration Techniques

Passive Methods

  • Certificate Transparency logs (crt.sh)
  • DNS aggregators (VirusTotal, SecurityTrails)
  • Search engine dorking
  • Archive.org historical data
  • GitHub/GitLab code search

Active Methods

  • DNS zone transfers (if misconfigured)
  • DNS brute forcing with wordlists
  • Recursive subdomain discovery
  • Virtual host enumeration

Common Tools

# Passive enumeration
subfinder -d example.com
amass enum -passive -d example.com
assetfinder example.com

# Active brute forcing
gobuster dns -d example.com -w wordlist.txt
ffuf -u http://FUZZ.example.com -w wordlist.txt

# DNS zone transfer attempt
dig axfr @ns1.example.com example.com

High-Value Targets

dev.example.com      # Development environment
staging.example.com  # Pre-production
admin.example.com    # Admin panels
api.example.com      # API endpoints
jenkins.example.com  # CI/CD systems
jira.example.com     # Issue trackers
vpn.example.com      # VPN gateways
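
The passive Certificate Transparency source and the high-value list above can be combined into a review of your own domain's exposure. The following is an added example, not part of the original page: it parses crt.sh-style JSON and flags in-scope hostnames that carry the labels listed above. The sample records, function names and label set are constructed for illustration; `name_value` is the crt.sh JSON field that holds a certificate's names.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (name_value holds
# newline-separated certificate names). Not real data.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "example.com\nwww.example.com"},
    {"name_value": "*.example.com"},
    {"name_value": "Jenkins.example.com\ncdn.partner.test"},
    {"name_value": "api.staging.example.com"},
    {"name_value": "dev.example.com\ndev.example.com"},
    {"name_value": "notexample.com"},
])

# Labels taken from the page's high-value list.
SENSITIVE_LABELS = {"dev", "staging", "admin", "api", "jenkins", "jira", "vpn"}


def ct_hostnames(ct_json, domain):
    """Return in-scope hostnames named in CT records, normalised and deduplicated."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard entry: keep only the parent name
            # Match on a label boundary so notexample.com is not treated as in scope.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def flag_sensitive(hostnames, domain):
    """Map each hostname to the sensitive labels found to the left of the domain."""
    flagged = {}
    for host in hostnames:
        prefix = host[: -len(domain)].rstrip(".")
        hits = sorted(SENSITIVE_LABELS.intersection(prefix.split(".")))
        if hits:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    hosts = ct_hostnames(SAMPLE_CT_JSON, "example.com")
    for host, labels in flag_sensitive(hosts, "example.com").items():
        print(f"review exposure: {host} ({', '.join(labels)})")
```

Each flagged name is a candidate for an ownership and access-control check, since certificates issued for internal or pre-production hosts are publicly logged.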
