CyberCheatsheets

Subdomain Enumeration Cheat Sheet

Find subdomains via passive sources, DNS brute force, certificate transparency, and permutation — then probe which are live.

Reconnaissance & OSINT · attack-surface · bug-bounty · dns · recon · subdomain-enumeration · Updated 2026-06-17

Overview

Subdomain enumeration expands the attack surface: every subdomain is a potential entry point. Combine passive sources (no traffic to the target), active DNS brute force, certificate transparency, and permutation/alteration. Finish by probing which hosts actually respond. This is the backbone of bug-bounty recon.

Authorized testing only. Enumerate only domains you own or are in scope for. Unauthorized scanning is illegal.

Passive (no traffic to target)

Aggregate passive sources (fast, low-noise; -all enables every source including the slow ones, and API keys in subfinder's provider config raise coverage noticeably)

subfinder -d example.com -all -silent

Broad passive enumeration

amass enum -passive -d example.com

Quick passive collector

assetfinder --subs-only example.com

Certificate transparency via crt.sh

curl -s 'https://crt.sh/?q=%25.example.com&output=json' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
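Passive sources return mixed case, "*." wildcard entries, trailing dots, the occasional e-mail address and look-alike domains, and the same name several times over. The following added example (not code from the cheat sheet) is a small shell function that normalises all of that into one in-scope, de-duplicated list before anything is resolved. It assumes POSIX awk/sed/tr and plain hostnames one per line, which is what the crt.sh one-liner, subfinder, amass and assetfinder print; the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: normalise raw names from passive sources into one clean,
# in-scope, de-duplicated list. Assumes POSIX awk/sed/tr.
#
# normalize_subs <apex>   (reads stdin, writes stdout)
#   - lowercases (DNS is case-insensitive, CT logs mix case)
#   - strips "*." wildcard prefixes and trailing dots
#   - drops blanks, e-mail addresses, URLs and other non-hostname junk
#   - keeps only the apex itself and names ending in ".<apex>", so look-alike
#     domains a source may return (example.com.evil.test) never enter scope
normalize_subs() {
  local apex
  apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr 'A-Z' 'a-z' \
    | tr -d ' \t\r' \
    | sed -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v apex="$apex" '
        NF == 0 { next }                                   # blank line
        $0 !~ /^[a-z0-9._-]+$/ { next }                     # not a hostname at all
        $0 == apex { print; next }
        substr($0, length($0) - length(apex)) == "." apex { print }
      ' \
    | LC_ALL=C sort -u
}

# Constructed sample of the kind of mess passive sources hand back.
sample_raw='*.Example.com
www.example.com.
WWW.example.com
api.example.com
example.com.evil.test
mail@example.com

'

# Live use:
#   { subfinder -d example.com -all -silent; assetfinder --subs-only example.com;
#     curl -s 'https://crt.sh/?q=%25.example.com&output=json' | jq -r '.[].name_value'; } \
#   | normalize_subs example.com > subs.txt
printf '%s' "$sample_raw" | normalize_subs example.com
```

The scope check is the part worth keeping even if you drop the rest: a source that returns `example.com.evil.test` or a parked look-alike will otherwise send traffic to a host you are not authorised to touch.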

Active DNS brute force

Subdomain fuzzing over HTTPS with ffuf (each FUZZ.example.com is resolved and requested, so unresolvable names simply error out; on a wildcard domain every name answers, so add -ac to auto-calibrate the filter. True vhost fuzzing is different: it sends Host: FUZZ.example.com to one fixed target instead of resolving each name)

ffuf -u https://FUZZ.example.com -w subdomains.txt

gobuster DNS mode

gobuster dns -d example.com -w subdomains-top1million.txt

Fast brute force with live resolution

dnsx -d example.com -w wordlist.txt -resp

Amass active brute force

amass enum -active -brute -d example.com

Permutation / alteration

Generate permutations (dev1, staging-, etc.) from known subdomains and resolve them; output grows multiplicatively with the input, so feed in confirmed names only

cat subs.txt | dnsgen - | dnsx -silent

Alteration scanning for hidden subs

gotator -sub subs.txt -perm words.txt -depth 1 | dnsx -silent
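dnsgen and gotator are easy to run but opaque about what they emit. The following added example (not part of the cheat sheet, and not dnsgen's or gotator's own code) is a depth-1 permutation generator in POSIX awk that produces the standard alterations for each known name and each word, plus neighbouring numbers when the first label ends in digits. It assumes a words file with one token per line; the sample subdomain list and word list are constructed.

```shell
#!/usr/bin/env bash
# Added example: depth-1 permutation generator in the spirit of dnsgen/gotator.
# Assumes POSIX awk and a words file with one token per line.
#
# permute_subs <apex> <words-file>   (reads known subdomains on stdin)
# For each name below the apex and each word it emits:
#   word.api.example.com   word-api.example.com   api-word.example.com
#   wordapi.example.com    apiword.example.com    api.word.example.com
# and, when the first label ends in digits, the neighbouring numbers
# (dev1 -> dev0, dev2; leading zeros are not preserved).
# Output is de-duplicated; pipe it into dnsx/puredns to resolve.
permute_subs() {
  local apex="$1" words="$2"
  awk -v apex="$apex" -v wordfile="$words" '
    BEGIN {
      while ((getline w < wordfile) > 0) if (w != "") words[++n] = w
      suffix = "." apex
    }
    {
      name = $1
      # only names strictly below the apex are permuted
      if (name == apex || substr(name, length(name) - length(apex)) != suffix) next
      prefix = substr(name, 1, length(name) - length(suffix))   # "api" or "api.dev"
      dot = index(prefix, ".")
      if (dot) { first = substr(prefix, 1, dot - 1); rest = substr(prefix, dot) } else { first = prefix; rest = "" }
      for (i = 1; i <= n; i++) {
        w = words[i]
        print w "." prefix suffix
        print w "-" first rest suffix
        print first "-" w rest suffix
        print w first rest suffix
        print first w rest suffix
        print prefix "." w suffix
      }
      if (match(first, /[0-9]+$/)) {
        stem = substr(first, 1, RSTART - 1); num = substr(first, RSTART) + 0
        print stem (num + 1) rest suffix
        if (num > 0) print stem (num - 1) rest suffix
      }
    }' | LC_ALL=C sort -u
}

# Constructed sample input; in practice subs.txt is your resolved list and
# words.txt a curated wordlist (the lists shipped with dnsgen/gotator work).
words_file=$(mktemp)
printf 'dev\nstaging\n' > "$words_file"
printf 'api.example.com\ndev1.example.com\nexample.com\nother.test\n' \
  | permute_subs example.com "$words_file"
# Live use:  permute_subs example.com words.txt < subs.txt | dnsx -silent
rm -f "$words_file"
```

Two names and two words already yield 26 candidates, which is why the input must be the resolved list rather than the raw passive dump, and why the resolver behind it needs wildcard filtering.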

Resolve & validate

Keep only subdomains that resolve

cat subs.txt | dnsx -silent -a -resp

Mass-resolve with wildcard filtering (puredns wraps massdns, so install it first, and use a vetted resolvers.txt; wildcard answers are detected and dropped automatically)

puredns resolve subs.txt -r resolvers.txt
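Wildcard filtering is the step that separates a usable list from thousands of phantom hosts, so it is worth seeing the logic rather than trusting a flag. The following added example (not part of the cheat sheet, and not puredns's own implementation) reduces it to two shell functions: probe a few random labels that cannot legitimately exist and collect what they resolve to, then keep a host only if at least one of its answers is not in that wildcard set. It assumes POSIX awk and the `host [A] [ip]` line format that `dnsx -a -resp` prints, one line per answer; the resolved lines and the wildcard IP are constructed.

```shell
#!/usr/bin/env bash
# Added example: the core of a DNS wildcard filter, made explicit.
# Assumes POSIX awk and "host [A] [ip]" lines as printed by `dnsx -a -resp`
# (assumed format; adjust the field handling if your resolver differs).
#
# 1. wildcard_probes <apex> <n>   prints n random labels that cannot exist;
#    whatever they resolve to is the wildcard answer set.
# 2. filter_wildcards <wildcard-ip-file>   reads resolved lines on stdin and
#    keeps a host only if at least one of its answers is NOT a wildcard IP.
wildcard_probes() {
  local apex="$1" n="$2" i=0
  while [ "$i" -lt "$n" ]; do
    printf '%s.%s\n' "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 12)" "$apex"
    i=$((i + 1))
  done
}

filter_wildcards() {
  awk -v wcfile="$1" '
    BEGIN { while ((getline ip < wcfile) > 0) if (ip != "") wc[ip] = 1 }
    NF >= 3 {
      host = $1
      ip = $NF; gsub(/\[|\]/, "", ip)            # "[203.0.113.10]" -> "203.0.113.10"
      seen[host] = 1
      if (!(ip in wc)) real[host] = 1
    }
    END { for (h in seen) if (h in real) print h }
  ' | LC_ALL=C sort
}

# Constructed sample: 203.0.113.10 is the catch-all answer. asdfgh. exists only
# because of the wildcard; api. shares that IP but also has a real record.
wc_file=$(mktemp)
printf '203.0.113.10\n' > "$wc_file"
resolved='www.example.com [A] [198.51.100.5]
asdfgh.example.com [A] [203.0.113.10]
api.example.com [A] [203.0.113.10]
api.example.com [A] [198.51.100.7]'
printf '%s\n' "$resolved" | filter_wildcards "$wc_file"
rm -f "$wc_file"

# Live use (network required):
#   wildcard_probes example.com 5 | dnsx -silent -a -resp-only | sort -u > wildcard_ips.txt
#   dnsx -silent -a -resp < subs.txt | filter_wildcards wildcard_ips.txt > subs.resolved.txt
```

Caveat: a genuine subdomain that deliberately points at the same address as the catch-all is dropped by this rule too, and wildcards can sit at an intermediate level (`*.dev.example.com`) rather than the apex. puredns probes per level and keeps such cases; when a high-value name vanishes after filtering, check it by hand.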

Probe live hosts

Find live web hosts with titles and tech

cat subs.txt | httpx -silent -title -status-code -tech-detect

Recon-to-scan pipeline in one line

subfinder -d example.com -silent | httpx -silent | nuclei -silent

Screenshot live hosts for quick triage (requires a local headless Chrome/Chromium)

cat live.txt | httpx -screenshot

Tips

  • Always combine passive + active + permutation — no single source finds everything.
  • Filter DNS wildcards (puredns does it by default; dnsx has -wd) or you'll drown in false positives.
  • Pipe subfinder → httpx → nuclei for an end-to-end recon-to-vuln pipeline.
  • Re-run periodically: new subdomains appear constantly, and fresh ones are often the weakest.
