Recon

Subdomain discovery

SSL/TLS Certificates

Find subdomains from SSL/TLS certificates, e.g. by searching certificate transparency logs with crt.sh.
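As an added example that is not part of the original notes, the JSON that crt.sh returns for a query such as `https://crt.sh/?q=%25.domain.com&output=json` can be reduced to a clean, in-scope hostname list for an attack-surface inventory. The response below is a constructed sample in that shape (each record's `name_value` may hold several newline-separated names, including wildcards); `domain.com` stands in for the domain under review.

```python
import json

# Constructed sample shaped like crt.sh JSON output (not a real response).
# Real data: curl 'https://crt.sh/?q=%25.domain.com&output=json'
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.domain.com", "name_value": "www.domain.com\ndomain.com"},
    {"id": 2, "common_name": "*.domain.com", "name_value": "*.domain.com\nmail.domain.com"},
    {"id": 3, "common_name": "dev.domain.com", "name_value": "Dev.Domain.com"},
    {"id": 4, "common_name": "vpn.domain.com",
     "name_value": "vpn.domain.com\nnotdomain.com\nwww.domain.com"},
    {"id": 5, "common_name": "evil.domain.com.attacker.tld",
     "name_value": "evil.domain.com.attacker.tld"},
])


def _names(raw_json):
    """Yield every SAN/CN entry from crt.sh records, lower-cased and stripped."""
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name:
                yield name


def subdomains_from_crtsh(raw_json, domain):
    """Return sorted, de-duplicated hostnames that are the domain or a true
    subdomain of it. Wildcard prefixes are dropped, and lookalikes such as
    'notdomain.com' or 'domain.com.attacker.tld' are excluded."""
    domain = domain.lower()
    hosts = set()
    for name in _names(raw_json):
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            hosts.add(name)
    return sorted(hosts)


def wildcard_cert_seen(raw_json, domain):
    """True if any certificate covers *.<domain>: CT logs then won't list the
    individual hosts, so DNS brute force (dnsrecon/ffuf) is still needed."""
    return ("*." + domain.lower()) in set(_names(raw_json))


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "domain.com"):
        print(host)
    print("wildcard cert:", wildcard_cert_seen(SAMPLE_CRTSH_JSON, "domain.com"))
```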

Google

Exclude the default www subdomain and look for any other indexed subdomains:

-site:www.domain.com site:*.domain.com

dnsrecon

dnsrecon -t brt -d <domain>

Sublist3r

Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT.

./sublist3r.py -d <domain>

Non-public DNS

E.g. names served only by a private DNS server or defined locally in /etc/hosts.

ffuf

Fuzz the Host header against a known IP to find virtual hosts that public DNS does not reveal. See also Webserver scanning.

ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>