How to Perform Subdomain Enumeration: Top 10 Tools (2024)

Are you wondering the best way to find subdomains?

Learning how to perform subdomain enumeration is crucial, especially if you're part of a penetration testing engagement or doing reconnaissance as part of a bug bounty.

This isn't just a technical task; it's a way to look into a domain's structure. Unveiling hidden subdomains could be key to assessing a wider attack surface.

This article will briefly explain subdomains and why they are important and should not be ignored.

Finally, we will introduce you to tools designed to conduct subdomain enumeration. We will demo tools you can use via the command line or web. Most will be passive, while a couple are classified as active.

Let’s begin.

Table Of Contents

  1. The Importance of Subdomain Enumeration in an Engagement
  2. The Best Subdomain Enumeration Tools
  3. How to Perform Subdomain Enumeration
  4. Conclusion
  5. Frequently Asked Questions

The Importance of Subdomain Enumeration in an Engagement

Why is subdomain enumeration an important part of recon in an engagement? Before answering this question, let’s briefly talk about what subdomains are.

What Are Subdomains?

A subdomain is the part of a domain before the registered domain name. For instance, in "," "mail" is the subdomain, and "" is the registered domain.

Subdomains allow owners to delegate control of different parts of their domain to different people or applications. For example, they could have "" and "" as separate subdomains with separate purposes.

Subdomains must always start with a hostname before the registered domain. Common hostnames used for subdomains include "www," "mail," "vpn," "dev," "admin," etc.

Using subdomains can help organize larger or multiple domains and divide them logically for users. For example, many organizations use specific subdomains like "" to list job opportunities and provide the ability to apply online or "" where companies may stage or test new website functionality in development.

Subdomains can function similarly to independent valid domains regarding hosting and DNS configurations. They have DNS records, directing them to unique IP addresses or specific server directories.

Why Look For Subdomains?

Let’s discuss the importance of performing subdomain enumeration.

When engaging in a penetration test, you must follow a methodology that includes the steps you need to perform and in which order to perform them.

The process typically begins with initial planning and preparation, followed by the second crucial step: reconnaissance. This phase involves gathering as much information as possible about the target and laying the groundwork for subsequent technical steps.

One of the key elements when working on a web or external/internal penetration test is subdomain enumeration. Enumeration is the process of identifying all the subdomains associated with a company's domain.

This same methodology can be helpful when doing recon for bug bounties.

So, what are some important aspects of performing this type of enumeration?

It expands the attack surface.

Any subdomains discovered become new potential vectors for attack. Finding more subdomains means more angles from which to test for vulnerabilities. Things like administrative interfaces, test servers, or other apps may run on subdomains.

It reveals more information.

Each subdomain provides more information about the target organization's domain structure, technologies used, naming conventions, etc. This information helps you build a more accurate profile of the target environment.

It helps bypass security controls.

Some penetration testing activities may get blocked or detected by outward-facing web application firewalls or intrusion detection systems. If more relaxed security is placed on certain internal or obscure subdomains, you may be able to leverage those to bypass certain controls.

It uncovers hidden assets.

In some engagements, the client may not have provided you with a full scope of all Internet-facing assets. Enumerating subdomains can reveal web apps, servers, databases, or other assets the client was unaware of. Finding these alerts the client about the assets they need to protect.

The Best Subdomain Enumeration Tools

What tools are available that perform subdomain enumeration? Here are ten highly effective options.

1. Google Dorking

Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:" to find information about a target, including subdomains. It’s a way of leveraging Google's indexing to discover subdomains that are publicly accessible or have been indexed by Google at some point​​.

Explore the Power of Google Dorking

Google Dorks Cheat Sheet: How to Hack Using Google

The Top 15 Google Dorking Commands You Need To Know

2. Sublist3r

A Python-based tool designed to enumerate subdomains using OSINT. Sublist3r gathers information from various search engines and third-party services like VirusTotal and ReverseDNS​​.

3. Amass

Amass is an in-depth attack surface mapping and asset discovery tool. It can operate in both passive and active modes. In passive mode, it aggregates data from various public sources​​. It can also connect to outside services using API keys.

4. Recon-ng

A full-featured reconnaissance framework with API integration, similar in look and feel to the Metasploit Framework, aimed at reducing the time spent on a reconnaissance phase. Recon-ng has various modules, including those for finding subdomains, though its primary use isn't limited to subdomain enumeration.

5. SubDomainizer

SubDomainizer is primarily designed to uncover hidden subdomains associated with a given URL. This is achieved by analyzing inline JavaScript files, it searches for any references to subdomains. It can also identify URLs related to various cloud storage services.

6. Pentest Tools Subdomain Finder

Part of the suite provided by Pentest Tools, this tool specifically focuses on discovering subdomains of a given domain. It's a web-based service that gathers data from various public sources.


A simple yet powerful tool that leverages certificate transparency logs to find subdomains. searches SSL/TLS certificates to find domain names and subdomains, providing an extensive list based on certificates issued​​.

8. Shodan

Shodan is not a traditional subdomain enumeration tool but can be used to discover subdomains hosting internet-facing services. It scans the internet and indexes information from exposed devices and services, which can include subdomain information.

9. PureDNS

A domain resolver and subdomain brute forcing tool that efficiently handles wildcard subdomains and avoids DNS poisoning. PureDNS is primarily used for actively querying DNS servers to resolve or brute force subdomains.

10. ffuf (Fuzz Faster U Fool)

ffuf is a fast web fuzzer written in Go and used for brute forcing. It can discover subdomains by brute forcing them with a given wordlist. It's an active tool that directly sends requests to the target's servers.

How to Perform Subdomain Enumeration

Let's show you how some of the above tools can be used to find subdomains.

For our demos, we are using only domains that are part of a public bug bounty program and where subdomains are part of the scope per program policies.

Ensure you only use these tools on domains you are allowed to test on. Before beginning testing, ensure you thoroughly read and understand program authorization and out-of-scope rules.

If you're conducting a penetration test, it's imperative that you fully understand and adhere to the rules of engagement, which outline the scope, boundaries, and permissible methods of your testing activities.

Some of the following tools require you to download and run them locally from your machine. Operating systems like Kali Linux or Parrot OS are often preferred for this purpose due to their collection of pre-installed tools.

Google Dorking

One of the simplest ways to start looking for subdomains is by using Google, specifically a Google Dork. We will use the following dork for our demo to find subdomains associated with our target.

site:* -www

Let’s break it down. This part of the dork tells Google to search only within

The asterisk (*): This is a wildcard that matches all subdomains of It only looks for any subdomains like

-www: This part excludes any results containing www. The minus sign (-) is used to negate a search term, so in this case, it filters out results that include www.


Sublist3r is a user-friendly tool that offers customization through various flags. These allow for functionalities like saving results to a file or scanning discovered subdomains for specific TCP ports.

To search for subdomains of a specific domain, we use the following command with the '-d' flag to denote the target domain for enumeration.

sublist3r -d


Another tool to have in your arsenal is OWASP’s Amass. It can be a very powerful tool to help you locate information. For our demo, we are only showing you the most basic usage of its functionality. As mentioned above, it can connect to other services with its API integration, making it even better.

Simply enter amass enum -passive -d -o subdomains.txt, which saves the output to a file.

Once you have your output file, you can clean it up with sed and grep to create a nice list of subdomains for further recon.

cat output.txt | sed 's/\x1b\[[0-9;]*m//g' | grep -oP '(?<=\s)[a-zA-Z0-9.-]*\.(com)' > cleaned_subdomains.txt


Recon-ng, the all-in-one reconnaissance tool for OSINT, can perform various tasks, including gathering emails. However, in this instance, we will focus on using it to identify subdomains. We will quickly walk you through setting it up to perform this task.

Start Recon-ng from the command line with:


From this point, let’s continue with the default workspace. Our next task is to install the module we need to use, and you can search for it with the command:

marketplace search

The one we are interested in is hackertarget.

Ours is already installed. To install the module, simply enter marketplace install hackertarget. To load the module and begin using it, enter modules load hackertarget.

Now we can quickly set up the module and enumerate subdomains. To check what options need to be set, enter info. For this module, you only need to set the SOURCE option, which is the domain you want to enumerate.

options set SOURCE

Then type run

Once the scan finishes, you can enter show hosts, and you will be presented with all the subdomains found.


SubDomainizer is a tool that not only performs subdomain enumeration but can also find other secrets, such as API keys. It’s an easy-to-use tool with simple syntax to get it up and running. Simply enter the following command to get a nice clean list of subdomains.

python3 -u

Pentest Tools Subdomain Finder

A simple web-based tool that allows you to do subdomain enumeration quickly. You can perform scans without an account, but if you want access to more scans and more tools, they do have a free account you can sign up for.

Enter your desired domain here, and it will perform a light scan.

You will then be presented with your results.

Here is a simple way to gather subdomains by utilizing certificate transparency. This approach is based on the principle that all SSL/TLS certificates are logged and made publicly accessible.

Simply head to and enter your domain.

Select “Search” to generate a list of subdomains for your target domain. For command-line enthusiasts, similar functionality can be accessed using tools like CTFR.


Shodan can locate subdomains and offers both web-based and command-line interfaces. To find subdomains using the web interface, visit, replacing “” with the domain you are investigating.

To use Shodan from the command line, type shodan domain, replacing with the domain you wish to search.

For guidance on setting up Shodan and exploring its other features, see How to Use Shodan for Pentesting: A Step-By-Step Guide.


PureDNS can perform fast subdomain enumeration by enabling thousands of simultaneous DNS requests per second using public resolvers. To find subdomains, enter puredns bruteforce mywordlist.txt -r resolvers.txt -l 5000

The command instructs PureDNS to conduct a brute force subdomain enumeration for, using a list of potential subdomain names from mywordlist.txt and performing DNS lookups through a set of DNS resolvers provided in resolvers.txt. It limits the rate of DNS queries to 5000 per second.

Once complete, you will be shown the output.


The final tool on our list is ffuf, which, similar to PureDNS, employs a more active approach to enumeration. It takes a given wordlist and checks each entry by making HTTP/S requests, thereby determining which subdomains exist.

You can use the following command, which will fuzz for subdomains, save the output file as HTML, and set a delay of two seconds between requests.

ffuf -w wordlist -u -of html -o result -p 2


You should now understand how to perform subdomain enumeration and which tools you can use.

Once you have your list of subdomains, your next step should be to check which ones are active or “alive.” After confirming which subdomains are valid, you can proceed to the scanning phase, where you'll conduct more in-depth enumeration and analysis of these subdomains.

If you want to enhance your cyber security career, join our Accelerator program today. Learn more about penetration testing or bug bounties with some of our courses and take advantage of other perks, such as our career roadmap.


How to Perform Subdomain Enumeration: Top 10 Tools (22)


How to Perform Subdomain Enumeration: Top 10 Tools (24)

Learn Website Hacking / Penetration Testing From Scratch


How to Perform Subdomain Enumeration: Top 10 Tools (26)

Frequently Asked Questions

What is the best tool for subdomain enumeration?

There is no one best tool for subdomain enumeration. Each tool has its benefits, and a well-rounded approach includes using many tools and is the key to successfully finding as many subdomains as possible.

Is subdomain enumeration passive or active?

This depends on what tool or technique you are using. Most subdomain enumeration is classified as passive as it doesn’t interact with the target in any way. Tools like Sublist3r,, and Google Dorking are passive tools, while Amass can operate passively and actively. Tools like ffuf or PureDNS actively interact with the target.

Can Nmap perform subdomain enumeration?

Nmap can perform a form of subdomain enumeration using the DNS brute script, part of its Nmap Scripting Engine (NSE). The “dns-brute” script is specifically designed to enumerate DNS subdomains by trying each entry from a wordlist of known subdomains and seeing if they resolve.

Level Up in Cyber Security: Join Our Membership Today!

How to Perform Subdomain Enumeration: Top 10 Tools (27)
How to Perform Subdomain Enumeration: Top 10 Tools (28)


  • How to Perform Subdomain Enumeration: Top 10 Tools (29)

    Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.

How to Perform Subdomain Enumeration: Top 10 Tools (2024)


Which is the best tool for subdomain enumeration? ›

The Best Subdomain Enumeration Tools
  • Amass. ...
  • Recon-ng. ...
  • SubDomainizer. ...
  • Pentest Tools Subdomain Finder. ...
  • ...
  • Shodan. ...
  • PureDNS. A domain resolver and subdomain brute forcing tool that efficiently handles wildcard subdomains and avoids DNS poisoning. ...
  • ffuf (Fuzz Faster U Fool)
May 13, 2024

What is subdomain enumeration? ›

Subdomain enumeration is the process of listing out all the valid subdomains that are part of the larger domain.

What is the enumeration tool for subdomains in Ubuntu? ›

altdns (subdomain discovery tool)

Altdns is a security tool to discover subdomains. It generates permutations, alterations, and mutations of subdomains. The generated names can also be tested by performing DNS lookups. An enumeration tool like Altdns is useful during penetrating testing assignments.

Which of the following is an active subdomain enumeration technique? ›

Active Subdomain Enumeration

Techniques might include brute-forcing subdomains, making DNS requests, or using certificate transparency logs. While this method can yield more results than passive enumeration, it's more intrusive and can be detected by the target.

Which tool can be used for enumeration? ›

NetBIOS Enumeration: NetBIOS is a protocol that allows devices on a network to share resources and communicate with each other. NetBIOS enumeration is querying a device to identify what NetBIOS resources are available. This can be done using tools like nbtstat and net view.

What is the best tool to check subdomain takeover? ›

Subdominator is a dependable and fast open-source command-line interface tool to identify subdomain takeovers.

What is Osint subdomain enumeration? ›

OSINT (Sublist3r)

Sublist3r is a popular open-source tool used for subdomain enumeration. It works by querying various search engines and DNS databases to identify subdomains associated with a particular domain name.

Is subdomain enumeration legal? ›

This type of subdomain enumeration is resource-intensive and may have legal and ethical implications since sending large requests to a target domain is required. Because of its intrusive nature, active subdomain enumeration may trigger security alerts.

What is an amass tool? ›

This package contains a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

What do you use for enumeration? ›

To create an enum, use the enum keyword, followed by the name of the enum, and separate the enum items with a comma:
  • enum Level { LOW, MEDIUM, HIGH. };
  • enum Level myVar;
  • enum Level myVar = MEDIUM;

What is DNS enumeration? ›

DNS enumeration is a critical process in cybersecurity that uncovers all DNS records associated with a domain, providing valuable insights for security professionals and cybercriminals alike. By detailing hostnames, IP addresses, and DNS record types, it reveals a domain's footprint and potential vulnerabilities.

What is the command to find subdomains? ›

You can find DNS records using the nslookup command in the command line. It shows all DNS records for a given domain, including a list of subdomains.

What is subdomain enumeration tool? ›

Sub-domain enumeration is the process of finding sub-domains for one or more domains. It helps to broader the attack surface, find hidden applications, and forgotten subdomains. Note: Vulnerabilities tend to be present across multiple domains and applications of the same organization.

What is a common example of a subdomain? ›

While a subdomain will appear before your TLD, a subdirectory link will include the subdirectory name after the original TLD. For example: Subdomain example: Subdirectory example:

What is subdomain scraping? ›

SubScraper is a subdomain enumeration tool that uses a variety of techniques to find subdomains of a given target. Subdomain enumeration is especially helpful during penetration testing and bug bounty hunting to uncover an organization's attack surface.

Which tool is used for DNS enumeration? ›

The examples of tool that can be used for DNS enumeration are NSlookup, DNSstuff, American Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS, you must have understanding about DNS and how it works.

Which SSL certificate is best for subdomains? ›

If you have, a main domain and its first level of subdomains then, a wildcard SSL would be a good choice. On contrary, if there are different levels of subdomains and domains then, a multi-domain SSL would be a good choice.

What is better for SEO subdomain or subdirectory? ›

If Google treats subdomains separately, then ranking signals related to expertise, authority, and trust might not be shared between them. Based on experiences like this, many SEOs think Google does treat them differently in a way that makes subdirectories generally better for performance.


Top Articles
Latest Posts
Article information

Author: Mrs. Angelic Larkin

Last Updated:

Views: 6378

Rating: 4.7 / 5 (47 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Mrs. Angelic Larkin

Birthday: 1992-06-28

Address: Apt. 413 8275 Mueller Overpass, South Magnolia, IA 99527-6023

Phone: +6824704719725

Job: District Real-Estate Facilitator

Hobby: Letterboxing, Vacation, Poi, Homebrewing, Mountain biking, Slacklining, Cabaret

Introduction: My name is Mrs. Angelic Larkin, I am a cute, charming, funny, determined, inexpensive, joyous, cheerful person who loves writing and wants to share my knowledge and understanding with you.