This posts lists a few ways to enumerate subdomains.

Check registered domains via CA

Google Transparency Report tool: Use this to find domains and list certificates.

Use google search

This will exclude all results with “”, and include everything else. site:*

Brute forcing

Using ffuf

Fast web fuzzer written in Go.

  • Via direct subdomain

ffuf -w ~/infosec/SecLists/Discovery/DNS/namelist.txt -u
  • Via Host header in the request

# This enumerates via 'Host' header in the request
ffuf -w ~/infosec/SecLists/Discovery/DNS/namelist.txt -H "Host:" -u -fs 2395

Similar enumeration tools:

pip3 install dnsrecon
# Installation
pip3 install sublist3r