Subdomain enumeration expands the attack surface by discovering additional hosts (apps, admin portals, dev/staging environments) that may expose different vulnerabilities than the main domain.
Methods covered: OSINT (CT logs + search engines), DNS bruteforce, automated OSINT tooling, and Virtual Host discovery.
Certificate Transparency (CT) logs are public records of issued SSL/TLS certificates (searchable through services such as crt.sh). Because each certificate lists the names it covers, the logs often reveal historical subdomains and internal naming patterns such as dev, staging, admin, api, assets, etc.
Tip: CT logs also include expired certs, which are still useful for discovering old or forgotten hosts. Note that a wildcard cert (*.example.com) does not name the individual hosts it covers, so those hosts will not show up in CT and need another method.
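The CT step above, worked through in Python as an added example (not code from the original page or from crt.sh): parse a crt.sh-style JSON result, split each certificate's SAN list into individual hosts, keep only names in scope, mark hosts that now appear only on expired certs, and flag the naming patterns mentioned above. The JSON field names follow the crt.sh JSON output as an assumption, and the records themselves are constructed.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape crt.sh returns for a JSON query such as
# https://crt.sh/?q=%25.example.com&output=json. The field names follow that
# endpoint (an assumption); the records themselves are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=XX, O=Example CA, CN=Example CA R1",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 102, "issuer_name": "C=XX, O=Example CA, CN=Example CA R1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-07-01T00:00:00", "not_after": "2025-07-31T23:59:59"},
    {"id": 103, "issuer_name": "C=XX, O=Example CA, CN=Example CA R1",
     "common_name": "staging-api.example.com",
     "name_value": "staging-api.example.com\nAdmin.Example.COM.",
     "not_before": "2021-05-01T00:00:00", "not_after": "2021-07-30T23:59:59"},
    {"id": 104, "issuer_name": "C=XX, O=Example CA, CN=Example CA R1",
     "common_name": "dev.other-example.com",          # out of scope, must be dropped
     "name_value": "dev.other-example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])

# Fixed "current time" so expiry checks are reproducible (assumption for the example).
AS_OF = datetime(2025, 1, 1)

# Labels that usually mark non-production or privileged hosts.
INTERESTING_LABELS = {"dev", "staging", "stage", "uat", "test", "qa",
                      "admin", "api", "assets", "internal", "vpn", "jenkins"}


def normalise(name):
    """Lower-case, strip a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name, domain):
    return name == domain or name.endswith("." + domain)


def parse_crtsh(raw_json, domain, now):
    """Return {host: {"cert_ids": [...], "expired_only": bool, "wildcard": bool}}.

    name_value carries every SAN of the cert, newline-separated, so one record
    can yield several hosts. A wildcard SAN is recorded against its parent name
    because it does not tell us which hosts it actually covers.
    """
    hosts = {}
    for rec in json.loads(raw_json):
        expired = datetime.fromisoformat(rec["not_after"]) < now
        for raw in rec["name_value"].split("\n"):
            wildcard = raw.strip().startswith("*.")
            name = normalise(raw)
            if not name or not in_scope(name, domain):
                continue
            entry = hosts.setdefault(name, {"cert_ids": [], "expired_only": True, "wildcard": False})
            if rec["id"] not in entry["cert_ids"]:
                entry["cert_ids"].append(rec["id"])
            entry["expired_only"] = entry["expired_only"] and expired
            entry["wildcard"] = entry["wildcard"] or wildcard
    return hosts


def flag_interesting(hosts, domain):
    """Map each discovered host to the naming-pattern labels that make it worth a look."""
    flagged = {}
    for host in hosts:
        if host == domain:
            continue
        prefix = host[: -(len(domain) + 1)]          # "staging-api" from "staging-api.example.com"
        hits = sorted(set(re.split(r"[.-]", prefix)) & INTERESTING_LABELS)
        if hits:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com", AS_OF)
    for host, info in sorted(found.items()):
        note = " (expired certs only)" if info["expired_only"] else ""
        note += " (wildcard seen)" if info["wildcard"] else ""
        print(f"{host}{note}  certs={info['cert_ids']}")
    print("worth a look:", flag_interesting(found, "example.com"))
```

Hosts marked "expired certs only" are exactly the old or forgotten ones the tip above is about; they still deserve a resolution check and a probe. The out-of-scope record shows why the suffix match must include the leading dot: other-example.com also ends in example.com.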
Search engines can reveal subdomains through indexed links. Narrow results using site: filters.
Example query:
site:*.example.com -site:www.example.com
DNS bruteforce tries common subdomain names from a wordlist. It sends one query per candidate to the target's nameservers, so it is noisy at scale; use it deliberately and prefer curated lists. Check for wildcard DNS first (resolve a random label such as doesnotexist123.example.com): if it resolves, every guess will "succeed", and only results that point somewhere other than the wildcard address are meaningful.
Example:
dnsrecon -d example.com -D /path/to/wordlist.txt -t brt
(-t brt selects the bruteforce scan type; -D points at the wordlist.)

Tools like Sublist3r automate OSINT-based discovery (search engines, passive sources). Use them as a fast first pass before the noisier active techniques.
Example:
sublist3r -d example.com

Some subdomains don’t resolve in public DNS but still exist as virtual hosts. When multiple vhosts share one IP, the server picks the site from the Host header, so we can send requests to the IP and fuzz that header with a wordlist.
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt \
     -H "Host: FUZZ.example.com" \
     -u http://MACHINE_IP \
     -fs {size}
Run it once without -fs to learn the response size of the default vhost (what the server returns for any unknown Host), then pass that size as {size} so every response identical to the default is filtered out and only the vhosts that actually differ remain.
What to look for: status code changes, different titles, different response sizes, redirects, unique headers.
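The vhost discovery step above, worked through in Python as an added example that is not code from the original page or from ffuf: fetch a baseline for a Host that should not exist (the response the -fs filter removes), send the wordlist as Host: FUZZ.example.com against the IP, and keep the responses whose status, size or title differ, recording redirects and notable headers. The target is a constructed local server standing in for MACHINE_IP; its vhost table, the wordlist and the baseline label are assumptions made for the example.

```python
import http.server
import random
import re
import string
import threading
import urllib.error
import urllib.request

# Constructed stand-in for MACHINE_IP: a local server that picks a site from
# the Host header, like a shared IP hosting several vhosts. The vhost table is
# made up for this example and is not from the original page.
VHOSTS = {
    "admin.example.com": (200, "<title>Admin Console</title><form>login</form>", {}),
    "dev.example.com":   (302, "", {"Location": "http://dev.example.com/setup"}),
    "api.example.com":   (401, '{"error":"unauthorized"}', {"WWW-Authenticate": "Bearer"}),
}
DEFAULT_SITE = (200, "<title>Welcome</title>" + "<p>placeholder</p>" * 10, {})
SAMPLE_WORDLIST = ["www", "mail", "admin", "dev", "api", "test"]   # constructed


class VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body, extra = VHOSTS.get(host, DEFAULT_SITE)   # unknown Host -> default site
        data = body.encode()
        self.send_response(status)
        for key, value in extra.items():
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), VHostHandler)   # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx: the redirect itself is the signal we want to record.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(base_url, host):
    """GET base_url with a spoofed Host header and summarise the response."""
    req = urllib.request.Request(base_url, headers={"Host": host})
    try:
        resp = _OPENER.open(req, timeout=5)
    except urllib.error.HTTPError as err:   # 4xx/5xx and unfollowed 3xx land here
        resp = err
    body = resp.read()
    title = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return {
        "status": resp.code,
        "size": len(body),
        "title": title.group(1).decode(errors="replace").strip() if title else None,
        "headers": {k: resp.headers[k] for k in ("Location", "WWW-Authenticate", "Server")
                    if resp.headers.get(k)},
    }


def _signature(result):
    return (result["status"], result["size"], result["title"])


def fuzz_vhosts(base_url, domain, wordlist, baseline_label=None):
    """Mimic ffuf -H "Host: FUZZ.domain" -fs <size>: take a baseline from a label
    that should not exist, then keep only responses that differ from it."""
    label = baseline_label or "".join(random.choices(string.ascii_lowercase, k=12))
    baseline = probe(base_url, f"{label}.{domain}")
    hits = []
    for word in wordlist:
        vhost = f"{word}.{domain}"
        result = probe(base_url, vhost)
        if _signature(result) != _signature(baseline):
            hits.append({"vhost": vhost, **result})
    return baseline, hits


if __name__ == "__main__":
    server = start_server()
    url = f"http://127.0.0.1:{server.server_address[1]}/"
    base, found = fuzz_vhosts(url, "example.com", SAMPLE_WORDLIST)
    print(f"baseline: {base['status']} size={base['size']} title={base['title']!r}")
    for hit in found:
        print(f"{hit['vhost']}: {hit['status']} size={hit['size']} "
              f"title={hit['title']!r} headers={hit['headers']}")
    server.shutdown()
```

Against a real target, point base_url at http://MACHINE_IP/ and feed the SecLists wordlist; the comparison key (status, size, title) is deliberately wider than a size-only -fs filter so that a vhost returning the same size but a different status or title is not dropped.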