Recon


Subdomain discovery

SSL/TLS Certificates

Find subdomains via SSL/TLS certificates: every publicly issued certificate is logged in Certificate Transparency, so the names in its Subject Alternative Names reveal hosts. E.g. using crt.sh
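As an added example (not part of the original notes), the following Python parses a crt.sh JSON response (the shape returned by `https://crt.sh/?q=%25.<domain>&output=json`, where each entry's `name_value` holds newline-separated names) into a deduplicated list of in-zone hosts, keeps wildcard certificates apart, and diffs the result against an inventory of known hosts. The embedded response is constructed so the script runs offline; the helper names are mine.

```python
import json

# Constructed sample in the crt.sh output=json shape: mixed case, a trailing
# dot, a wildcard, a duplicate, and look-alike names outside the zone.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Mail.Example.com.\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.attacker.test\nfakeexample.com"},
])

def in_zone(name, domain):
    """True for the apex or a name strictly below it. A plain suffix test
    would also accept look-alikes such as fakeexample.com."""
    return name == domain or name.endswith("." + domain)

def subdomains_from_crtsh(raw_json, domain):
    """Return (hosts, wildcards): unique, sorted names under `domain`, with
    the bases covered by wildcard certificates kept separate."""
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        # crt.sh joins all SANs of one certificate with newlines
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")  # case and trailing dot
            if not name:
                continue
            if name.startswith("*."):
                base = name[2:]
                if in_zone(base, domain):
                    wildcards.add(base)  # a wildcard proves no concrete host
            elif in_zone(name, domain):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)

def unexpected_hosts(hosts, known):
    """Names present in CT logs but absent from an inventory of known hosts,
    i.e. the ones worth following up on (forgotten or shadow subdomains)."""
    return sorted(set(hosts) - {k.lower() for k in known})

if __name__ == "__main__":
    hosts, wildcards = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("hosts:", hosts, "wildcards:", wildcards)
    print("not in inventory:", unexpected_hosts(hosts, ["example.com", "www.example.com"]))
```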

Google

Exclude the default www subdomain and look for any other indexed subdomains.

-site:www.domain.com site:*.domain.com

dnsrecon

dnsrecon -t brt -d <domain>

Sublist3r

Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT.

python sublist3r.py -d <domain>

Non-public DNS

E.g. names served only by a private DNS server or set locally in /etc/hosts. These never show up in certificate logs or search engines, so they have to be guessed by virtual-host fuzzing against the web server itself.

ffuf

See also Webserver scanning

ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>
