🛡️ Methodology Checklist
- Passive enumeration: crt.sh, Shodan, VirusTotal passive DNS
- Zone transfer attempt against all NS records
- Active brute-force with quality wordlist (SecLists subdomains)
- Virtual host fuzzing with ffuf for unlisted vhosts
- Permutation generation with altdns
- DNS resolution of all candidates with massdns or dnsx
- Dedup and prioritise: internal, staging, vpn, mail subdomains first
🎯 Operational Context
Use when: Starting web recon — map all in-scope subdomains via passive CT logs + active DNS brute before any application testing.
Think Dumber First: subfinder -d target.com -all takes 30 seconds and finds what weeks of manual searching misses. Run it first, always. Then validate with dnsx before crawling anything.
Skip when: Single-domain scope with no subdomain enumeration permitted.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq -r '.[] \| .name_value' \| sort -u` | Extract subdomains from CT logs |
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq -r '.[] \| select(.name_value \| contains("dev")) \| .name_value' \| sort -u` | Filtered CT log query (e.g., dev subdomains) |
| `dig axfr @[NAMESERVER] [DOMAIN]` | Zone transfer attempt (active) |
| `dnsenum --enum [DOMAIN] -f [WORDLIST] -r` | Brute-force subdomains with dnsenum |
| `gobuster vhost -u http://[DOMAIN] -w [WORDLIST] --append-domain` | VHost fuzzing |
| `gobuster vhost -u http://[DOMAIN] -w [WORDLIST] --append-domain -t 50` | VHost fuzzing with 50 threads |
🔬 Deep Dive & Workflow
Why Subdomains Matter
Subdomains are often less secured than the main domain and can host:
- Dev/Staging environments — relaxed security, debug modes, test data
- Hidden login portals — admin panels, employee portals
- Legacy applications — forgotten apps running unpatched software
- Sensitive info — exposed configs, internal docs, backups
Keywords to prioritize: dev, test, staging, api, admin, vpn, internal, backup
Passive Enumeration (Stealthy)
| Method | Description |
|---|---|
| Certificate Transparency (CT) Logs | Public SSL cert repos — check SAN field for listed subdomains |
| Search Engine Dorks | site:example.com -www filters for subdomains |
| Online Aggregators | VirusTotal, Censys, Shodan — crawled DNS history |
CT Logs advantage: Reveals historical subdomains that no longer resolve but may still have vulnerable servers. Completely passive — no target contact.
Active Enumeration (Intrusive)
| Method | Tools |
|---|---|
| Zone Transfers (AXFR) | dig axfr |
| Brute-Force | dnsenum, ffuf, gobuster, amass, puredns |
CT Log Extraction (Fastest Exam Method)
```bash
# All subdomains, saved so the clean-up step below has a file to work on
curl -s "https://crt.sh/?q=[DOMAIN]&output=json" | jq -r '.[] | .name_value' | sort -u > results.txt
# Strip wildcard prefixes (*.host) and deduplicate again
sed -i 's/\*\.//g' results.txt && sort -u results.txt -o results.txt
```
Run this before any brute-force — it often finds internal/dev subdomains that are not in wordlists.
Strategy (Exam)
- Passive first — CT logs + search dorks (no alerts triggered)
- Check CNAMEs — may point to external services vulnerable to subdomain takeover
- Dictionary attack — subdomains-top1million-110000.txt (SecLists)
- Analyze results — focus on dev, test, staging, api, admin, vpn
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| subfinder returns few results | Missing API keys | Configure ~/.config/subfinder/provider-config.yaml with Shodan, VirusTotal, SecurityTrails keys |
| amass enum hangs indefinitely | Default timeout too long | Use amass enum -passive -d target.com -timeout 30 for passive-only quick run |
| dnsx resolves everything to same IP | CDN or load balancer | Expected behavior — IP clustering means CDN; look for origin IPs via SSRF or misconfigured headers |
| CT log search returns expired/revoked certs | crt.sh includes all history | Filter: https://crt.sh/?q=%.target.com&output=json and check not_after field |
| Subdomain takeover false positive | CNAME points to unclaimed service | Verify with subjack or nuclei -t takeovers/ before reporting |
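The CT log extraction and clean-up above, the dedup-and-prioritise step from the checklist, and the two troubleshooting rows on expired certificates and IP clustering all boil down to a little data processing. The following is an added example, not code from the page or from any of the tools it names; it works on constructed crt.sh-style JSON and constructed resolver lines (the `host [A] ip` shape is an assumption), so it runs offline. It also includes an inventory diff, which is the same logic a defender uses to turn CT monitoring into an alert for subdomains nobody registered in the DNS inventory.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh's JSON output (not real CT data).
# crt.sh lists several SANs of one certificate in name_value separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.dev.example.com", "not_after": "2030-06-01T00:00:00"},
    {"name_value": "api.example.com", "not_after": "2020-01-01T00:00:00"},   # expired cert
    {"name_value": "staging.example.com", "not_after": "2031-01-01T00:00:00"},
    {"name_value": "vpn.example.com", "not_after": "2029-12-31T23:59:59"},
    {"name_value": "WWW.example.com", "not_after": "2030-01-01T00:00:00"},   # case duplicate
])

# Constructed resolver output in an assumed dnsx-like "host [A] ip" shape.
SAMPLE_DNSX_LINES = [
    "www.example.com [A] 203.0.113.10",
    "staging.example.com [A] 203.0.113.10",
    "vpn.example.com [A] 198.51.100.5",
]

# Checklist order: internal, staging, vpn, mail first, then the other keywords.
PRIORITY_KEYWORDS = ("internal", "staging", "vpn", "mail",
                     "dev", "test", "api", "admin", "backup")


def parse_crtsh(raw_json, now_iso=None, include_expired=False):
    """Map each hostname in crt.sh JSON to the newest not_after seen for it.

    Strips the '*.' wildcard prefix, lowercases and deduplicates names, and by
    default drops names whose newest certificate has already expired, which is
    the fix for the 'expired/revoked certs' troubleshooting row.
    """
    if now_iso:
        now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    else:
        now = datetime.now(timezone.utc)
    newest = {}
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for name in entry["name_value"].split("\n"):
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if not host:
                continue
            if host not in newest or not_after > newest[host]:
                newest[host] = not_after
    if include_expired:
        return newest
    return {host: exp for host, exp in newest.items() if exp > now}


def prioritise(hosts):
    """Order hosts so names containing a priority keyword come first, in
    keyword order, and everything else follows alphabetically."""
    def rank(host):
        for position, keyword in enumerate(PRIORITY_KEYWORDS):
            if keyword in host:
                return (position, host)
        return (len(PRIORITY_KEYWORDS), host)
    return sorted(hosts, key=rank)


def new_hosts(observed, inventory):
    """Defender view: CT-observed hosts that are missing from the DNS inventory."""
    known = {h.strip().lower() for h in inventory}
    return sorted({h.strip().lower() for h in observed} - known)


def cluster_by_ip(resolver_lines):
    """Group resolved hosts by A record. Many hosts on one IP usually means a
    CDN or load balancer in front, as the troubleshooting table notes."""
    clusters = {}
    for line in resolver_lines:
        tokens = line.split()
        if len(tokens) < 2:
            continue
        host, ip = tokens[0].lower(), tokens[-1].strip("[]")
        clusters.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}


if __name__ == "__main__":
    live = parse_crtsh(SAMPLE_CRTSH_JSON, now_iso="2025-01-01T00:00:00")
    for host in prioritise(live):
        print(f"{host:25} valid until {live[host].date()}")
    print("not in inventory:", new_hosts(live, ["www.example.com", "example.com"]))
    for ip, hosts in cluster_by_ip(SAMPLE_DNSX_LINES).items():
        print(ip, hosts)
```

Swap `SAMPLE_CRTSH_JSON` for the body of the `curl` call in the cheatsheet and the output is the same prioritised list the checklist asks for, with expired entries already removed; on the blue-team side, feed `new_hosts` the current DNS zone export as the inventory and anything it returns is a candidate for the "certificate transparency monitoring alerts" recommended in the reporting section.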
📝 Reporting Trigger
Finding Title: Subdomain Enumeration Reveals Expanded Attack Surface
Impact: Discovery of undocumented subdomains may expose internal applications, legacy services, and admin interfaces not subject to the same security controls as the primary domain.
Root Cause: Lack of subdomain lifecycle management; subdomains created for temporary projects or tests are never decommissioned or secured.
Recommendation: Implement DNS zone auditing and certificate transparency monitoring alerts. Decommission unused subdomains. Apply equivalent security controls (WAF, auth, TLS) to all subdomains.