Subdomain Enumeration Techniques

Aug 21, 2025

Overview

This lecture explains various subdomain enumeration techniques for security reconnaissance, highlighting methods, tools, and platforms to uncover hidden assets for ethical hacking.

Subdomain Discovery Techniques

  • CRT.sh enables discovery of current and historical subdomains by querying certificate transparency logs.
  • Use simple scripts and the sort command to filter and deduplicate subdomain lists from CRT.sh.
  • Project Discovery’s Chaos platform allows direct downloads of subdomains from bug bounty scopes and public sources, with a CLI for automation.
  • The alterx tool, fed with Chaos output, generates subdomain permutations beyond the existing entries.
  • Utilize SecLists’ DNS wordlists to create keyword-based permutations for broader coverage.
  • DNSX and HTTPX tools confirm which subdomains are live and active.
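The CRT.sh filtering step above, as an added example that is not part of the lecture: it parses the JSON that crt.sh returns (the `name_value` field can hold several newline-separated SAN names, and wildcard entries start with `*.`), normalizes and deduplicates them, and drops names that merely contain the root as a substring. The sample records are constructed, not real crt.sh output.

```python
import json
from typing import List

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json
# (only the fields used here are included; values are made up).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "mail.example.com", "name_value": "MAIL.example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},
])


def extract_subdomains(crtsh_json: str, root: str) -> List[str]:
    """Return a sorted, deduplicated list of hostnames strictly under `root`
    from a crt.sh JSON response.

    - name_value may contain several names separated by newlines (SAN entries)
    - wildcard names (*.foo) are reduced to their base label (foo)
    - names are lower-cased and trailing dots removed before deduplication
    - the apex itself and anything not ending in ".<root>" is dropped, because
      crt.sh's %.example.com query matches substrings, not only subdomains
    """
    root = root.lower().strip(".")
    seen = set()
    for record in json.loads(crtsh_json):
        for name in record.get("name_value", "").split("\n"):
            host = name.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            if host and host.endswith("." + root):
                seen.add(host)
    return sorted(seen)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The same filtering is what `sort -u` gives you on the command line, with the wildcard and substring handling added.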

Automated and Advanced Methods

  • Amass provides comprehensive passive subdomain enumeration; use specific commands for clean, unique outputs and try active scans as needed.
  • ASN-based discovery uses Amass intel to identify an organization’s ASN and IP ranges, revealing associated domains that other sources often miss.
  • GitHub Subdomains tool scrapes public GitHub repos for subdomains, storing results for later analysis (GitHub API key recommended).
  • The Wayback Machine’s CDX API retrieves archived, potentially forgotten subdomains.
  • VirusTotal API can fetch subdomains and IPs, followed by HTTPX for live host identification.
  • AlienVault and URLScan facilitate the discovery and validation of domains and IPs, combinable with DNSX/HTTPX.

Brute Forcing and Uncommon Tactics

  • Use FFUF for subdomain brute-forcing with custom wordlists to find non-indexed or hidden subdomains; apply rate limiting to avoid server blocks.
  • WHOIS lookup identifies registered emails; reverse WHOIS services find all domains tied to an email for expanded reconnaissance.
  • Export discovered domains and use HTTPX to detect which are live for further manual investigation.

Post-Enumeration Steps

  • Probe all commonly used ports (not just 80 and 443) with HTTPX to identify services such as dashboards and admin panels.
  • Aquatone automates homepage screenshotting to visually inspect a large number of targets.
  • Nuclei automates vulnerability scanning; set its batch size and concurrency for rapid, parallel analysis.

Key Terms & Definitions

  • Subdomain Enumeration — The process of identifying all subdomains associated with a primary domain.
  • Passive Source — Information obtained without directly interacting with the target domain.
  • Brute Forcing — Systematically guessing subdomains using wordlists.
  • ASN (Autonomous System Number) — Unique identifier for a network on the internet, useful for finding related assets.

Action Items / Next Steps

  • Practice each subdomain enumeration method with proper authorization.
  • Review the use of DNSX, HTTPX, Aquatone, and Nuclei for post-enumeration.
  • Await the upcoming recon checklist article for advanced methodology details.