Subdomain Enumeration: The Recon Step Everyone Must Master

Cyfotok Admin

🧠 What Is Subdomain Enumeration?

Subdomain enumeration is the process of finding valid subdomains belonging to a target domain (e.g., login.example.com, dev.example.com, mail.example.com).

It’s a crucial step in reconnaissance, because subdomains often:

  • Reveal hidden apps, staging servers, or admin panels.
  • Expose forgotten or misconfigured systems.
  • Lead to vulnerabilities like subdomain takeovers, open directories, outdated software, etc.

βš™οΈ Types of Subdomain Enumeration

There are three major approaches:

1. Passive enumeration

Collects subdomains from public sources (certificate transparency logs, search engines, GitHub, Shodan, VirusTotal) without querying the target directly. Pros: stealthy, fast, low-cost. Cons: can be outdated and misses internal/new hosts. When to use: early recon, scoping, stealthy OSINT.

2. Active enumeration

Directly queries DNS and services: DNS lookups, zone-transfer attempts, brute-forcing names, and HTTP probes to validate hosts. Pros: more complete and verifies live services. Cons: noisy; it may trigger alarms and must only be used with permission. When to use: authorised pentests or detailed verification.

3. Hybrid enumeration

Start passive to build a baseline, then run targeted active checks on promising candidates. This balances coverage and noise. Best practice: detect wildcard DNS, rate-limit probes, validate results with HTTP checks, and always follow rules of engagement.

Short, practical tip: always begin passive, enrich selectively, and document your methods; it makes findings reliable and easy to act on.


🧩 Passive Subdomain Enumeration

  1. Search Engines

    • Google Dork:

      site:*.example.com -www
      

      Filters out the main domain and shows indexed subdomains.

  2. Certificate Transparency Logs

    • Websites like crt.sh or Censys.io

    • Query:

      %.example.com
      

      Finds subdomains from SSL/TLS certificates.

  3. Threat Intelligence Databases

  4. Passive Tools

    • Sublist3r

      sublist3r -d example.com
      

      Sources: Google, Bing, Baidu, Yahoo, and others.

    • Assetfinder

      assetfinder --subs-only example.com
      
    • Amass (Passive mode)

      amass enum -passive -d example.com
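Certificate transparency results (item 2 above) need cleaning before they are useful: name_value holds several SANs per certificate, plus wildcard entries, mixed case, trailing dots and unrelated lookalike names. The following is an added Python example, not code from the original post: it parses a constructed crt.sh-style JSON response, normalises the names, keeps only those in scope, and optionally drops expired certificates, which addresses the stale-certificate caveat raised in the FAQ.

```python
import json
import re

# Constructed sample shaped like crt.sh's JSON output (https://crt.sh/?q=%.example.com&output=json),
# trimmed to the fields used below. "notexample.com" is a deliberate out-of-scope decoy.
SAMPLE_CRTSH_JSON = """[
 {"common_name": "dev.example.com", "name_value": "dev.example.com\\nwww.dev.example.com",
  "not_after": "2024-04-09T23:59:59"},
 {"common_name": "*.internal.example.com", "name_value": "*.internal.example.com\\nexample.com",
  "not_after": "2024-06-30T23:59:59"},
 {"common_name": "Mail.Example.COM", "name_value": "Mail.Example.COM.",
  "not_after": "2024-05-01T23:59:59"},
 {"common_name": "notexample.com", "name_value": "notexample.com",
  "not_after": "2024-12-31T23:59:59"}
]"""

# Hostname syntax: labels of letters, digits and hyphens, no leading or trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def extract_subdomains(crtsh_json: str, apex: str, as_of: str = "") -> set:
    """Return the in-scope subdomains of `apex` named in crt.sh JSON records.

    as_of: optional ISO-8601 timestamp; certificates that expired before it are
    skipped, which drops stale certificates for hosts that may be long gone.
    """
    suffix = "." + apex.lower().strip(".")
    found = set()
    for record in json.loads(crtsh_json):
        # Equal-format ISO-8601 strings compare chronologically
        if as_of and record.get("not_after", "") < as_of:
            continue
        # name_value lists every SAN in the certificate, one per line
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard only proves its parent name exists
            # Require the ".apex" suffix: a bare endswith(apex) would accept "notexample.com"
            if HOSTNAME_RE.match(name) and name.endswith(suffix):
                found.add(name)
    return found


if __name__ == "__main__":
    for host in sorted(extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")):
        print(host)
```

To use it on live data, fetch the crt.sh JSON URL from the comment and pass the response body in place of the constructed sample.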
      

🚀 Active Subdomain Enumeration

Brute-forcing: systematically trying possible subdomain names from a wordlist and keeping the ones that resolve.

Tool: dnsx, amass, or subfinder

Example (with dnsx; subfinder itself is a passive source aggregator and has no wordlist flag):

dnsx -d example.com -w /usr/share/wordlists/subdomains.txt

or with amass:

amass enum -brute -d example.com -src -w subdomains.txt

Common wordlists:

  • SecLists/Discovery/DNS/subdomains-top1million-5000.txt
  • all.txt from assetnote

Zone transfer (AXFR): if a misconfigured name server allows it, you can pull every record in the zone, and with it all of its subdomains.

Command:

dig axfr example.com @ns1.example.com

If successful, you’ll see a full zone dump.

(Note: this is rare and often fixed, but it’s a big win when it works.)


dnsenum example.com

Performs:

  • DNS record collection
  • Zone transfer checks
  • Brute-forcing with wordlists

🧠 Hybrid Tools (Passive + Active)

amass enum -active -brute -src -d example.com -w wordlist.txt -o amass.txt

Features:

  • Integrates passive sources + active scans
  • Recursive subdomain discovery
  • Outputs in multiple formats

  1. Find subdomains:

    subfinder -d example.com -o subs.txt
    
  2. Check which are alive:

    httpx -l subs.txt -o alive.txt
    

knockpy example.com

Performs brute-force + DNS resolution and caches found results.


πŸ” Validating Subdomains (Check if they are alive)

After collecting subdomains, verify which are active (responding with HTTP/HTTPS):

cat subs.txt | httpx -silent -o alive.txt

Output example:

https://admin.example.com
https://api.example.com
https://staging.example.com

πŸ” Detecting Subdomain Takeover

Occurs when a subdomain (e.g., blog.example.com) points to an external service (GitHub Pages, AWS S3, etc.) that’s no longer claimed.

  • Use tools:

    subjack -w subs.txt -t 100 -timeout 30 -ssl -v -c fingerprints.json
    

    or

    nuclei -l subs.txt -t takeover-detection.yaml
    

📦 Automating Everything (One-Line Workflow)

subfinder -d example.com -o sub.txt
amass enum -passive -d example.com -o amass.txt
cat sub.txt amass.txt | sort -u | dnsx -silent | httpx -silent -o alive.txt

This workflow:

  1. Gathers subdomains.
  2. De-duplicates.
  3. Resolves live ones.

📊 Visualization & Mapping

You can visualize relationships between discovered assets using:

  • Amass viz

    amass viz -d3 -dir amass_output
    
  • Maltego (for manual visual mapping).


🧰 Recommended Toolkit Summary

Tool       | Type    | Description
-----------|---------|----------------------------------------------
Sublist3r  | Passive | Fast subdomain discovery from search engines
Subfinder  | Passive | Reliable, integrates multiple APIs
Amass      | Hybrid  | Advanced recursive and brute-forcing engine
Dnsx       | Active  | DNS resolver and validator
Httpx      | Active  | Live host checking
Knockpy    | Hybrid  | Subdomain brute-forcer
Subjack    | Active  | Subdomain takeover detector

🔎 Practical Example: Full Workflow

Target: example.com

# 1️⃣ Passive Recon
subfinder -d example.com -o subs1.txt
amass enum -passive -d example.com -o subs2.txt

# 2️⃣ Combine + Remove duplicates
cat subs1.txt subs2.txt | sort -u > all_subs.txt

# 3️⃣ DNS resolution
dnsx -l all_subs.txt -silent -o resolved.txt

# 4️⃣ Check live subdomains
httpx -l resolved.txt -silent -o alive.txt

# 5️⃣ Check for subdomain takeovers
subjack -w alive.txt -t 100 -ssl -c fingerprints.json -v

💡 Tips for Professionals

  • Always respect scope and authorization: get permission before scanning!
  • Use API keys with tools like subfinder or amass for more sources.
  • Schedule regular scans to track new subdomains.
  • Save and compare historical data to spot infrastructure changes.

🧰 Bonus: GUI Tools

  • Spyse: web-based subdomain & asset discovery.
  • PentestTools.com: easy online recon.
  • OWASP Amass GUI integrations (Burp, Recon-ng).

⚔️ Real-World Usage Scenario

If you were pentesting cyfotok.academy, enumeration might reveal:

admin.cyfotok.academy
portal.cyfotok.academy
staging.cyfotok.academy
mail.cyfotok.academy
api.cyfotok.academy

Then:

  • Check for outdated CMS (/wp-login.php, /admin)
  • Look for misconfigured services (CORS, DNS)
  • Detect old dev environments (staging, test servers)

Frequently Asked Questions (FAQs)

Q1: Is subdomain enumeration legal? A: Passive enumeration using public sources is generally legal. Active scanning (DNS brute force, probing) requires authorization. Always confirm scope and permission.

Q2: Which tool should I learn first? A: Start with Amass (aggregation + passive) and httpx for probing. They form a strong base. (Source: cyberxsociety.com)

Q3: How do I deal with wildcard DNS records? A: Detect by resolving many random subdomains; if they all resolve the same, treat them as wildcard and filter accordingly. Then focus on known or validated hosts.
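The wildcard check and filter that this answer (and the hybrid best-practice note earlier) describes, written as an added Python example rather than code from the original post. It takes a resolver callback; here a constructed in-memory zone (FAKE_ZONE, fake_resolve) stands in for real DNS so the example runs offline.

```python
import secrets
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# A resolver maps a hostname to its A-record IPs; an empty set means NXDOMAIN.
Resolver = Callable[[str], FrozenSet[str]]

# Constructed stand-in for real DNS: three genuine hosts, and every other name
# under example.com answered by a catch-all, as "*.example.com IN A 203.0.113.50" would.
FAKE_ZONE: Dict[str, FrozenSet[str]] = {
    "www.example.com": frozenset({"203.0.113.10"}),
    "api.example.com": frozenset({"203.0.113.20", "203.0.113.21"}),
    "mail.example.com": frozenset({"203.0.113.30"}),
}
WILDCARD_ANSWER = frozenset({"203.0.113.50"})


def fake_resolve(hostname: str) -> FrozenSet[str]:
    hostname = hostname.lower().rstrip(".")
    if hostname in FAKE_ZONE:
        return FAKE_ZONE[hostname]
    return WILDCARD_ANSWER if hostname.endswith(".example.com") else frozenset()


def detect_wildcard(apex: str, resolve: Resolver, probes: int = 5) -> Optional[FrozenSet[str]]:
    """Resolve several random labels that cannot exist under apex.
    If every probe returns the same non-empty answer, that answer is the wildcard."""
    answers = {resolve(f"{secrets.token_hex(8)}.{apex}") for _ in range(probes)}
    if len(answers) == 1:
        only = next(iter(answers))
        if only:
            return only
    return None


def filter_wildcard_hits(candidates: List[str], apex: str,
                         resolve: Resolver) -> Tuple[List[str], Optional[FrozenSet[str]]]:
    """Keep candidates that resolve to something other than the wildcard answer.
    Only the apex-level wildcard is checked; a nested zone can carry its own.
    A real host that shares the wildcard's IP is dropped too, so confirm survivors
    (and any doubtful drops) with HTTP probes as the post recommends."""
    wildcard = detect_wildcard(apex, resolve)
    kept: List[str] = []
    for host in candidates:
        ips = resolve(host)
        if not ips or (wildcard is not None and ips == wildcard):
            continue  # NXDOMAIN, or indistinguishable from the catch-all
        kept.append(host)
    return kept, wildcard
```

Against real DNS, pass a callback that performs the A lookup (for instance with dnspython) and returns the answer set, or an empty set on NXDOMAIN.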

Q4: Are certificate transparency logs always reliable? A: CT logs are extremely useful but can include stale or misissued certificates; always validate findings with DNS and HTTP probes. (Source: sidxparab.gitbook.io)

Q5: How often should I run subdomain enumeration? A: For active orgs, at least weekly passive checks plus immediate alerts on new CT certificates; active scans can be run less frequently or on demand.

Q6: Can defenders use the same tools to monitor the org? A: Yes; combine passive collectors, CT monitoring, and API-driven inventory (e.g., SecurityTrails) to create continuous visibility. (Source: securitytrails.com)

Q7: How do I prioritize findings? A: Prioritize hosts exposing login pages, APIs, or admin interfaces β€” these typically yield higher-impact vulnerabilities.