How to Perform Subdomain Enumeration: Top 10 Tools


Are you wondering about the best way to find subdomains?

Learning how to perform subdomain enumeration is crucial, especially if you're part of a penetration testing engagement or doing reconnaissance as part of a bug bounty.

This isn't just a technical task; it's a way to look into a domain's structure. Unveiling hidden subdomains could be key to assessing a wider attack surface.

This article will briefly explain subdomains and why they are important and should not be ignored. 

Then we will introduce you to tools designed to conduct subdomain enumeration and demo tools you can use via the command line or the web. Most are passive, meaning they query third-party data sources and never touch the target, while a couple are active and send DNS or HTTP requests to the target's own infrastructure.

Let’s begin.  

The Importance of Subdomain Enumeration in an Engagement

Why is subdomain enumeration an important part of recon in an engagement? Before answering this question, let’s briefly talk about what subdomains are. 

What Are Subdomains?

A subdomain is a name made up of one or more labels placed in front of the registered (apex) domain. For instance, in "mail.example.com," "mail" is the subdomain label and "example.com" is the registered domain.

Subdomains allow owners to delegate control of different parts of their domain to different people or applications. For example, they could have "support.example.com" and "blog.example.com" as separate subdomains with separate purposes. 

A subdomain always carries at least one extra label in front of the registered domain, and labels can nest further, as in "dev.api.example.com." Common labels include "www," "mail," "vpn," "dev," "admin," etc.

Using subdomains can help organize larger or multiple domains and divide them logically for users. For example, many organizations use specific subdomains like "careers.example.com" to list job opportunities and provide the ability to apply online, or "dev.example.com," where companies may stage or test new website functionality in development.

Subdomains can function similarly to independent domains regarding hosting and DNS configuration. Each has its own DNS records, which may point it at a distinct IP address (A/AAAA) or alias it to another name (CNAME), often a third-party service. Two subdomains of the same domain can therefore live on entirely different infrastructure, with different software and different security controls.

Why Look For Subdomains?

Let’s discuss the importance of performing subdomain enumeration.

When engaging in a penetration test, you must follow a methodology that includes the steps you need to perform and in which order to perform them.


The process typically begins with initial planning and preparation, followed by the second crucial step: reconnaissance. This phase involves gathering as much information as possible about the target and laying the groundwork for subsequent technical steps.

One of the key elements when working on a web or external/internal penetration test is subdomain enumeration: the process of identifying all the subdomains associated with a company's domain.

This same methodology can be helpful when doing recon for bug bounties.

So, what are some important aspects of performing this type of enumeration?

It expands the attack surface.

Any subdomains discovered become new potential vectors for attack. Finding more subdomains means more angles from which to test for vulnerabilities. Things like administrative interfaces, test servers, or other apps may run on subdomains. 

It reveals more information.

Each subdomain provides more information about the target organization's domain structure, technologies used, naming conventions, etc. This information helps you build a more accurate profile of the target environment.

It helps bypass security controls. 

Some penetration testing activities may get blocked or detected by outward-facing web application firewalls or intrusion detection systems. A forgotten or obscure subdomain may sit behind looser controls, or none at all, and can offer a route into the same application or network that the primary site protects.

It uncovers hidden assets.

In some engagements, the client may not have provided you with a full scope of all Internet-facing assets. Enumerating subdomains can reveal web apps, servers, databases, or other assets the client was unaware of. Finding these alerts the client about the assets they need to protect.

The Best Subdomain Enumeration Tools

What tools are available that perform subdomain enumeration? Here are ten highly effective options.

1. Google Dorking

Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:", to find information about a target, including subdomains. It's a way of leveraging Google's indexing to discover subdomains that are publicly accessible or have been indexed by Google at some point.

2. Sublist3r

A Python-based tool designed to enumerate subdomains using OSINT. Sublist3r gathers information from various search engines and third-party services like VirusTotal and ReverseDNS.

3. Amass

Amass is an in-depth attack surface mapping and asset discovery tool. It can operate in both passive and active modes. In passive mode, it aggregates data from various public sources. It can also connect to outside services using API keys.

4. Recon-ng

A full-featured reconnaissance framework with API integration, similar in look and feel to the Metasploit Framework, aimed at reducing the time spent on a reconnaissance phase. Recon-ng has various modules, including those for finding subdomains, though its primary use isn't limited to subdomain enumeration. 

5. SubDomainizer

SubDomainizer is primarily designed to uncover hidden subdomains associated with a given URL. It does this by analyzing the page's JavaScript, both inline and in referenced .js files, for any references to subdomains. It can also identify URLs for various cloud storage services and flag secrets, such as API keys, that have leaked into client-side code.

6. Pentest Tools Subdomain Finder

Part of the suite provided by Pentest Tools, this tool specifically focuses on discovering subdomains of a given domain. It's a web-based service that gathers data from various public sources.

7. crt.sh

A simple yet powerful tool that leverages Certificate Transparency (CT) logs to find subdomains. crt.sh indexes the certificates that publicly trusted CAs log, so searching it for a domain returns every hostname that has appeared in a public certificate for that domain.

8. Shodan

Shodan is not a traditional subdomain enumeration tool but can be used to discover subdomains hosting internet-facing services. It scans the internet and indexes information from exposed devices and services, which can include subdomain information.

9. PureDNS

A domain resolver and subdomain brute-forcing tool that handles wildcard subdomains and weeds out DNS-poisoned or otherwise invalid answers by re-validating every hit against trusted resolvers. PureDNS actively queries DNS, so unlike the passive tools above, its lookups reach the target's authoritative name servers.

10. ffuf (Fuzz Faster U Fool)

ffuf is a fast web fuzzer written in Go and used for brute forcing. It can discover subdomains by brute forcing them with a given wordlist. It's an active tool that directly sends requests to the target's servers.

How to Perform Subdomain Enumeration

Let's show you how some of the above tools can be used to find subdomains. 

For our demos, we are using only domains that are part of a public bug bounty program and where subdomains are part of the scope per program policies. 

Ensure you only use these tools on domains you are allowed to test on. Before beginning testing, ensure you thoroughly read and understand program authorization and out-of-scope rules.

If you're conducting a penetration test, it's imperative that you fully understand and adhere to the rules of engagement, which outline the scope, boundaries, and permissible methods of your testing activities.

Some of the following tools require you to download and run them locally from your machine. Operating systems like Kali Linux or Parrot OS are often preferred for this purpose due to their collection of pre-installed tools.

Google Dorking

One of the simplest ways to start looking for subdomains is by using Google, specifically a Google Dork. We will use the following dork for our demo to find subdomains associated with our target.

site:*.domain.com -www

Let's break it down.

site:*.domain.com: The site: operator restricts results to a given host or domain. Combined with the asterisk wildcard, it matches any host under domain.com, such as subdomain.domain.com, rather than only pages on domain.com itself.

-www: The minus sign (-) negates a search term, so this filters out results containing "www" and stops the main website from crowding out the less obvious hosts. Note that it excludes any result containing the word www, not only the www host; to drop that host alone, use -site:www.domain.com instead. Once a subdomain turns up, you can exclude it the same way (for example, -site:blog.domain.com) and search again to surface the next one.


Sublist3r

Sublist3r is a user-friendly tool that offers customization through various flags. These allow for functionalities like saving results to a file (-o) or scanning discovered subdomains for specific TCP ports (-p).

To search for subdomains of a specific domain, we use the following command with the '-d' flag to denote the target domain for enumeration.

sublist3r -d domain.com


Amass

Another tool to have in your arsenal is OWASP's Amass. It can be a very powerful tool to help you locate information. For our demo, we are only showing you the most basic usage of its functionality. As mentioned above, it can connect to other services with its API integration, which greatly improves coverage.

Simply enter the following, which saves the output to a file. The -passive flag tells Amass to query only its data sources and not to resolve names or otherwise touch the target's DNS:

amass enum -passive -d domain.com -o subdomains.txt

Once you have your output file, you can clean it up with sed and grep to create a plain list of hostnames for further recon. The sed expression strips any ANSI colour codes, the grep pattern keeps only names that end in the target domain (a bare \.com pattern would also pick up third-party hosts that appear in Amass's output), and sort -u removes duplicates:

sed 's/\x1b\[[0-9;]*m//g' subdomains.txt | grep -oE '([a-zA-Z0-9-]+\.)+domain\.com' | sort -u > cleaned_subdomains.txt


Recon-ng

Recon-ng, the all-in-one reconnaissance tool for OSINT, can perform various tasks, including gathering emails. However, in this instance, we will focus on using it to identify subdomains. We will quickly walk you through setting it up to perform this task. 

Start Recon-ng from the command line with:

recon-ng


From this point, let's continue with the default workspace. Our next task is to install the module we need, and you can search for it with the command:

marketplace search

The one we are interested in is hackertarget. Its full path is recon/domains-hosts/hackertarget, which tells you it takes domains as input and writes its findings to the hosts table.

Ours is already installed. To install the module, simply enter marketplace install hackertarget. To load the module and begin using it, enter modules load hackertarget.

Now we can quickly set up the module and enumerate subdomains. To check what options need to be set, enter info. For this module, you only need to set the SOURCE option, which is the domain you want to enumerate. 

options set SOURCE domain.com

Then type run to execute the module.


Once the scan finishes, you can enter show hosts, and you will be presented with all the subdomains found.


SubDomainizer

SubDomainizer is a tool that not only performs subdomain enumeration but can also find other secrets, such as API keys, left in client-side JavaScript. It's an easy-to-use tool with simple syntax to get it up and running. Simply enter the following command, with a full URL after -u, to get a clean list of subdomains.

python3 SubDomainizer.py -u https://www.domain.com


Pentest Tools Subdomain Finder

A simple web-based tool that allows you to do subdomain enumeration quickly. You can perform scans without an account, but if you want access to more scans and more tools, they do have a free account you can sign up for. 

Enter your desired domain here, and it will perform a light scan. 


You will then be presented with your results. 


crt.sh

Here is a simple way to gather subdomains by utilizing Certificate Transparency. Publicly trusted certificate authorities log the certificates they issue to public CT logs, and crt.sh indexes those logs, so every hostname that has appeared in a public certificate for your target can be searched. Two caveats: certificates from private or internal CAs are never logged, and a wildcard certificate (*.domain.com) only tells you that hosts exist under the domain, not what they are called.

Simply head to crt.sh and enter your domain. Use %.domain.com to match every subdomain at once (the percent sign is crt.sh's wildcard).

Select "Search" to generate a list of subdomains for your target domain. For command-line enthusiasts, similar functionality can be accessed using tools like CTFR, or by requesting crt.sh's JSON output directly at https://crt.sh/?q=%25.domain.com&output=json.
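Turning crt.sh's JSON into a usable target list takes a little care: each record's name_value field can hold several SAN names separated by newlines, names appear in mixed case, wildcard entries start with "*.", and a naive "ends with example.com" check would also keep notexample.com. The script below is an added example, not code from the original article or from crt.sh. It parses a constructed sample response (not real data) and includes a fetch helper that queries crt.sh for real when you have network access; the hostnames and certificate details in the sample are made up.

```python
"""Parse a crt.sh JSON response into a clean, in-scope hostname list.

Added example, not part of the original article or of crt.sh. The sample
response below is constructed to mirror the shape crt.sh returns for
https://crt.sh/?q=%25.example.com&output=json; none of it is real data.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample response (not real certificates).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Dev.Example.com",
     "name_value": "Dev.Example.com\nstaging.example.com\nvpn.example.com"},
    # Out of scope: a different registrable domain that merely ends in the
    # same characters. A bare endswith("example.com") check would keep it.
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.notexample.com",
     "name_value": "mail.notexample.com"},
])


def in_scope(hostname: str, domain: str) -> bool:
    """True if hostname is `domain` itself or a subdomain of it.

    The check is anchored on the label boundary (the dot), so
    "notexample.com" is rejected even though it ends in "example.com".
    """
    return hostname == domain or hostname.endswith("." + domain)


def parse_crtsh(json_text: str, domain: str) -> list[str]:
    """Return sorted, unique, in-scope hostnames from a crt.sh JSON body.

    - splits multi-name name_value fields on newlines (SAN lists)
    - lowercases, since DNS names are case-insensitive
    - strips a leading "*." so a wildcard cert yields its parent name
    - drops anything outside `domain`
    """
    found = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, domain):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain: str, timeout: float = 30.0) -> list[str]:
    """Query crt.sh for %.domain and parse the result (requires network)."""
    query = urllib.parse.urlencode({"q": f"%.{domain}", "output": "json"})
    with urllib.request.urlopen(f"https://crt.sh/?{query}", timeout=timeout) as resp:
        return parse_crtsh(resp.read().decode("utf-8"), domain)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_crtsh("example.com")
    # when you are authorized to enumerate a real target.
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The scope check is the part worth copying even if you use a different CT source: suffix matching without the leading dot is a common way for out-of-scope hosts to end up in a target list.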


Shodan

Shodan can locate subdomains and offers both web-based and command-line interfaces. To find subdomains using the web interface, visit https://www.shodan.io/domain/domain.com, replacing “domain.com” with the domain you are investigating.


To use Shodan from the command line, type shodan domain domain.com, replacing domain.com with the domain you wish to search. The CLI needs your API key first, which you supply once with shodan init YOUR_API_KEY.

For guidance on setting up Shodan and exploring its other features, see How to Use Shodan for Pentesting: A Step-By-Step Guide.


PureDNS

PureDNS can perform fast subdomain enumeration, driving thousands of DNS queries per second through a list of public resolvers. It uses massdns under the hood, so that binary must be installed and on your PATH. To find subdomains, enter:

puredns bruteforce mywordlist.txt -r resolvers.txt domain.com -l 5000

The command instructs PureDNS to brute force subdomains of domain.com, taking candidate names from mywordlist.txt and performing the lookups through the resolvers listed in resolvers.txt. The -l flag caps the rate at 5,000 queries per second. Public resolvers return stale or wrong answers often enough that PureDNS re-checks every hit against a small set of trusted resolvers before reporting it, and it probes random names to detect wildcard records, so a zone with a *.domain.com entry does not turn every word in your list into a false positive.


Once complete, you will be shown the output.

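The wildcard problem deserves a closer look, because it is the difference between a brute force run that returns three real hosts and one that returns your entire wordlist. The script below is an added example, not code from the original article or from PureDNS. It shows the technique in miniature: resolve a few random labels nobody would put in a wordlist, record what the wildcard answers with, and drop candidates whose answers are fully explained by that set. Real DNS is replaced by a constructed in-memory zone (FAKE_ZONE, with made-up addresses) so it runs offline; the one deliberately awkward entry, cdn.example.com, shares the wildcard's address to show the technique's blind spot.

```python
"""Wildcard-aware subdomain brute forcing.

Added example, not code from the original article or from puredns. When a
zone carries a `*.example.com` record, every word in a wordlist "resolves",
so raw brute forcing reports nothing but false positives. The fix: resolve
random labels, record the wildcard's answers, and discard candidates whose
answers are a subset of them. DNS is replaced by a constructed zone below.
"""
import secrets

# Constructed zone (not real data). Unknown labels fall through to the
# wildcard entry, as a real `*.example.com` A record would behave.
FAKE_ZONE = {
    "www.example.com": {"93.184.216.34"},
    "mail.example.com": {"203.0.113.25"},
    "dev.example.com": {"198.51.100.9"},
    "*.example.com": {"203.0.113.200"},
    # A genuine host parked on the wildcard's address. Answer comparison
    # cannot tell it from wildcard noise; see filter_wildcard's caveat.
    "cdn.example.com": {"203.0.113.200"},
}

WORDLIST = ["www", "mail", "dev", "cdn", "admin", "test", "vpn"]


def fake_resolve(name):
    """Stand-in for an A-record lookup against FAKE_ZONE."""
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    parent = name.partition(".")[2]          # strip the leftmost label
    return set(FAKE_ZONE.get("*." + parent, set()))


def detect_wildcard(domain, resolve, probes=3):
    """Resolve `probes` random labels under domain and return the union of
    their answers. An empty set means no wildcard was observed."""
    answers = set()
    for _ in range(probes):
        # 16 random hex chars appear in no wordlist, so an answer here can
        # only come from a wildcard record.
        answers |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return answers


def bruteforce(domain, wordlist, resolve):
    """Resolve every candidate; return {name: answers} for those that resolve."""
    hits = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        answers = resolve(name)
        if answers:
            hits[name] = answers
    return hits


def filter_wildcard(hits, wildcard_answers):
    """Drop hits whose answers are a subset of the wildcard's answers.

    Caveat: a real host that resolves to the same address as the wildcard
    (cdn.example.com above) is dropped too. Any tool that only compares
    answers shares this blind spot; confirming such hosts needs another
    signal, such as a distinct HTTP response or TLS certificate.
    """
    if not wildcard_answers:
        return dict(hits)
    return {n: a for n, a in hits.items() if not a <= wildcard_answers}


def enumerate_domain(domain, wordlist, resolve=fake_resolve):
    """Return (raw_hits, wildcard_filtered_hits) for domain."""
    wildcard = detect_wildcard(domain, resolve)
    raw = bruteforce(domain, wordlist, resolve)
    return raw, filter_wildcard(raw, wildcard)


if __name__ == "__main__":
    raw, clean = enumerate_domain("example.com", WORDLIST)
    print(f"raw hits: {len(raw)}, after wildcard filtering: {len(clean)}")
    for name in sorted(clean):
        print(name, ",".join(sorted(clean[name])))
```

Without the filter all seven words are reported as hits; with it, only www, mail and dev survive, and cdn is lost along with the noise. That lost host is why a brute force list should be merged with the passive sources above rather than trusted on its own.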

ffuf

The final tool on our list is ffuf, which, similar to PureDNS, employs a more active approach to enumeration. It takes a given wordlist and checks each entry by making HTTP/S requests, thereby determining which subdomains respond.

You can use the following command, which will fuzz for subdomains, save the output as HTML, and set a delay of two seconds between requests.

ffuf -w wordlist.txt -u https://FUZZ.domain.com -of html -o result.html -p 2

Because the FUZZ keyword sits in the hostname, each candidate must resolve in DNS before ffuf can connect, so this form only finds names that have a public DNS record. To catch virtual hosts served from a shared IP that have no DNS entry of their own, point ffuf at a fixed URL and fuzz the Host header instead, filtering out the server's default response by size (-fs) or status code (-fc):

ffuf -w wordlist.txt -u https://domain.com -H "Host: FUZZ.domain.com" -fs 4242 -p 2

Here 4242 stands for the byte size of the default response, which you find by running ffuf once without the filter and reading it off the output.


Conclusion

You should now understand how to perform subdomain enumeration and which tools you can use. 

Once you have your list of subdomains, your next step should be to check which ones are active or “alive.” After confirming which subdomains are valid, you can proceed to the scanning phase, where you'll conduct more in-depth enumeration and analysis of these subdomains.

If you want to enhance your cyber security career, join our Accelerator program today. Learn more about penetration testing or bug bounties with some of our courses and take advantage of other perks, such as our career roadmap.

  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.
