Subdomain Enumeration Methodology Discussion!

Hello everyone,
Welcome to webs3c. Today let’s discuss subdomain enumeration methodology.
In general, we do a 3-step DNS enumeration for subdomains:

  • Passive
  • Active
  • Permuted

Through these processes, different hunters use different tools, wordlist, and methodologies. The reason I created this topic is to know how you do subdomain enumeration and if we can improve our methodology together!

  • Do you perform all passive, active & permuted enumeration?
  • Which tools do you use for each process?
  • Which wordlist do you use? Is it public or your own custom wordlist?
  • Do you monitor for new subdomains?
  • How much time do you spend in general on subdomain enumeration?

Let’s start with mine. I do all passive, active & permuted enumeration:
for passive enumeration, I use Assetfinder, Subfinder, Amass and Findomain;
for active enumeration, I use Puredns, and Dmut for permuted enumeration;
and FFUF for fuzzing over interesting patterns.

Generally, I use all.txt. I tried to build a target-specific wordlist and subdomain monitoring but ended up getting too much junk. Currently I’m experimenting with this effective custom wordlist and subdomain monitoring process.

I spend a good amount of time on DNS enumeration. I recheck all valid subdomains to see if I can go for 3rd- or 4th-level subdomains.

example: if I have I try to fuzz at the demo with other similar words may lead
To be honest, it’s so hard to manually look over subdomains for an interesting pattern, but I found many vulns by just playing with the names!

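The "permuted" step and the "do you monitor for new subdomains" question above can be shown as one small inventory script. This is an added example for the thread, not the OP's tooling and not Dmut or Puredns: it builds candidate names from seed subdomains and a short wordlist, resolves them through a pluggable resolver (the constructed fake resolver below is for offline use; socket_resolver is the real stdlib one), checks for wildcard DNS first so a wildcard zone does not make every guess look alive, and diffs the result against a previous inventory to surface new names. The domain, seeds, words and "known" set are all constructed sample values.

```python
import re
import secrets
import socket
from typing import Callable, Iterable, List, Set, Tuple

# Hostname label rule: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def generate_permutations(seeds: Iterable[str], words: Iterable[str], apex: str) -> Set[str]:
    """Build candidate FQDNs under `apex` from known seeds and a wordlist.

    For seed head.rest.apex and word w, emit: w.head.rest (one level deeper),
    w.rest (head replaced), whead, headw, w-head and head-w. Seeds outside the
    apex are ignored so the inventory stays scoped to the zone we own."""
    apex = apex.lower().rstrip(".")
    words = [w.lower() for w in words]
    out: Set[str] = set()
    for seed in seeds:
        seed = seed.lower().rstrip(".")
        if seed == apex or not seed.endswith("." + apex):
            continue
        labels = seed[: -(len(apex) + 1)].split(".")
        head, rest = labels[0], labels[1:]
        for w in words:
            variants = [
                [w] + labels,
                [w] + rest,
                [w + head] + rest,
                [head + w] + rest,
                [f"{w}-{head}"] + rest,
                [f"{head}-{w}"] + rest,
            ]
            for lbls in variants:
                if all(LABEL_RE.match(label) for label in lbls):
                    fqdn = ".".join(lbls + [apex])
                    if fqdn != seed:
                        out.add(fqdn)
    return out


def is_wildcard(apex: str, resolve: Callable[[str], bool]) -> bool:
    """A random label that resolves means the zone has wildcard DNS; every
    permutation would then 'resolve' and the results are meaningless."""
    return resolve(f"{secrets.token_hex(8)}.{apex}")


def resolve_candidates(candidates: Iterable[str], resolve: Callable[[str], bool]) -> List[str]:
    """Keep only candidates the resolver answers for, sorted for stable diffs."""
    return sorted(c for c in candidates if resolve(c))


def socket_resolver(name: str) -> bool:
    """Real resolver using the stdlib; any resolution failure counts as 'no'."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def diff_inventory(previous: Iterable[str], current: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (new_names, gone_names) between two inventory runs."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed sample data so the example runs offline (hypothetical zone).
SEEDS = ["demo.example.com"]
WORDS = ["dev", "api"]
KNOWN = {"dev.demo.example.com", "api-demo.example.com"}


def fake_resolver(name: str) -> bool:
    return name in KNOWN


def run_example(apex: str = "example.com") -> List[str]:
    """One inventory pass: wildcard check, permute, resolve."""
    if is_wildcard(apex, fake_resolver):
        return []  # results would be untrustworthy; handle the zone separately
    return resolve_candidates(generate_permutations(SEEDS, WORDS, apex), fake_resolver)


if __name__ == "__main__":
    found = run_example()
    new, gone = diff_inventory(["demo.example.com"], ["demo.example.com"] + found)
    print("resolved:", found)
    print("new since last run:", new, "gone:", gone)
```

To run this against a real zone you own, pass socket_resolver instead of fake_resolver and persist the previous run's list (a plain text file is enough); the wildcard check is the step most people skip and the one that produces the "too much junk" effect described above.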

I would say that there are some other techniques not as well known as the ones described above, but I find quite interesting the collection of subdomains during the TLS handshake, pulling the Google Analytics IDs’ relationships, or scraping the source code of the websites and their JS :slight_smile:

1 Like
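The "subdomains during the TLS handshake" technique mentioned in the reply above comes down to reading the certificate's Subject Alternative Name entries. As an added example (not the replier's code or any specific tool), the block below extracts DNS names from the dict shape that the stdlib ssl.SSLSocket.getpeercert() returns, and sorts them into in-scope names, wildcard entries and names belonging to other zones, which is how a defender would reconcile a certificate inventory against the apex they own. fetch_peercert performs a real verified handshake; the certificate dict used in the test is constructed.

```python
import socket
import ssl
from typing import Dict, Iterable, List, Tuple


def san_dns_names(peercert: Dict) -> List[str]:
    """Collect DNS names from a getpeercert()-style dict (SAN plus subject CN).

    SAN is authoritative for modern validation; the CN is kept only because
    older certificates carry the hostname there and nowhere else."""
    names = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower().rstrip("."))
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower().rstrip("."))
    return sorted(names)


def classify(names: Iterable[str], apex: str) -> Tuple[List[str], List[str], List[str]]:
    """Split names into (in_scope, wildcards, other_zones) relative to `apex`.

    Wildcard entries are reported separately: they prove a pattern exists but
    not any concrete host, and they often hint at a wildcard DNS zone."""
    apex = apex.lower().rstrip(".")
    in_scope, wildcards, other = [], [], []
    for n in names:
        if n.startswith("*."):
            wildcards.append(n)
        elif n == apex or n.endswith("." + apex):
            in_scope.append(n)
        else:
            other.append(n)
    return in_scope, wildcards, other


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Do a verified TLS handshake and return the leaf certificate as a dict.

    With a default (verifying) context, getpeercert() returns the parsed
    certificate; an unverified context would return an empty dict instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dict in getpeercert() shape (hypothetical names).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.dev.example.com"),
        ("DNS", "API.EXAMPLE.COM."),
        ("DNS", "cdn.example.net"),
        ("IP Address", "203.0.113.10"),
    ),
}


def run_example(apex: str = "example.com") -> Tuple[List[str], List[str], List[str]]:
    return classify(san_dns_names(SAMPLE_CERT), apex)


if __name__ == "__main__":
    in_scope, wildcards, other = run_example()
    print("in scope:", in_scope)
    print("wildcards:", wildcards)
    print("other zones:", other)
```

For a live host you own, replace SAMPLE_CERT with fetch_peercert("host.example.com"); names in the "other zones" bucket are worth a look from the defensive side too, since a shared certificate ties those hosts to the same deployment.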

Awww, that’s so cool. I will add those techniques to my methodology.
Thanks for sharing :heart:

1 Like