Subdomain Enumeration Deep-Dive: Beyond subfinder

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Subdomain enumeration is the first step in external reconnaissance. Most pentesters run subfinder and stop. Senior practitioners layer passive sources, certificate transparency logs, DNS brute-forcing with smart wordlists, JS-file analysis, and cloud-specific enumeration. The goal: a comprehensive subdomain map that surfaces the forgotten test environments, internal services accidentally exposed to the public, and shadow IT that mature OSINT discovers.

Sources of subdomains

Passive (no contact with target)

  • Certificate transparency logs — every publicly trusted TLS certificate issued is logged, so hostnames in the certificate's SANs become public. crt.sh, Censys, Google CT.
  • DNS database aggregators — DNSDB, SecurityTrails, BinaryEdge, VirusTotal Passive DNS
  • Search engines — site:target.com queries on Google, Bing
  • Web archives — archive.org, archive.today for historical subdomains
  • Project Discovery’s chaos.projectdiscovery.io — public dataset
  • Threat-intel platforms — AlienVault OTX, IBM X-Force

Active (touches target’s DNS)

  • DNS brute-force with smart wordlists (commonspeak, jhaddix all.txt)
  • Permutation generation — apply common patterns (dev-, test-, staging-, qa-, mobile-) to known subdomains
  • VHost discovery — host-header probing against IPs that respond differently per Host
  • DNS zone transfer — rare but devastating when AXFR succeeds

The practitioner stack

# Passive sources
subfinder -d target.com -all -recursive -o passive.txt
amass enum -passive -d target.com -src -o amass-passive.txt
chaos -d target.com -silent -o chaos.txt

# Certificate transparency
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u > ct.txt

# Permutation
gotator -sub passive.txt -perm patterns.txt -depth 1 | shuffledns -d target.com -resolvers resolvers.txt -o perm.txt

# DNS brute-force
puredns bruteforce wordlist.txt target.com -r resolvers.txt -o brute.txt

# Combine + dedupe
cat passive.txt amass-passive.txt chaos.txt ct.txt perm.txt brute.txt | sort -u > all-subs.txt

# Resolve and probe
cat all-subs.txt | shuffledns -d target.com -resolvers resolvers.txt | httpx -silent -o live-subs.txt

The non-obvious sources

Linked / referenced subdomains in JS files

Modern web apps reference API subdomains in JavaScript bundles. Tools that extract these:

  • katana — JS-aware crawling
  • LinkFinder / SecretFinder — extract endpoints and secrets from JS

katana -u https://target.com -d 5 -jc -o crawled-urls.txt
cat crawled-urls.txt | grep -oP "[a-z0-9-]+\.target\.com" | sort -u

Cloud-asset patterns

Organisations commonly name S3 buckets, Azure containers and GCP buckets after their domain. Run permutation against:

  • S3: target.com.s3.amazonaws.com, target-prod.s3.amazonaws.com
  • Azure: target.blob.core.windows.net
  • GCP: storage.googleapis.com/target-bucket/

Tools: cloudenum, S3Scanner, aws-bucket-finder.

Newer-cloud services

  • Heroku — target.herokuapp.com
  • Vercel — target.vercel.app
  • Netlify — target.netlify.app
  • Firebase — target.firebaseapp.com
  • GitHub Pages — target.github.io

Each has its own subdomain-takeover risk if the underlying service has been deactivated but DNS still points to it.

The subdomain takeover hunt

Subdomain takeover happens when a CNAME points to an external service that’s been deactivated. Attacker registers the deactivated service (e.g. claims an unclaimed Heroku app) and now owns content served from cname.target.com.

Tools:

  • subjack — fingerprints known takeover patterns
  • subzy — modern takeover scanner
  • nuclei takeover templates — community-maintained signatures

subjack -w all-subs.txt -ssl -timeout 10 -o takeover-candidates.txt

The compounding effect

Each subdomain found leads to:

  • A new HTTP service to test
  • A possible API or admin interface
  • Revealed technology stack
  • Possibly forgotten test environments with weaker security
  • Cloud-asset exposure if they share infrastructure naming

A 200-subdomain enumeration result for a target compared to a 30-subdomain result is the difference between a partial assessment and a complete one. The 170 missing subdomains are where the bug lives.

Defender perspective

  • Run subdomain enumeration against yourself quarterly. Surprise findings represent shadow IT or forgotten infrastructure.
  • Subscribe to ASM products that continuously monitor your external attack surface.
  • Maintain DNS hygiene — periodic CNAME audit, deprecate stale records before deactivating services.
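The periodic CNAME audit above can be scripted against a zone export; this is an added example (not from the post) that flags every CNAME delegating to one of the third-party hosting services the post names, so the owner can confirm each service is still claimed before the DNS record outlives it. The zone excerpt and the provider table are constructed for the example.

```python
"""Flag CNAME records that delegate to external hosting providers."""

# Provider suffixes taken from the services named in the post (constructed, not exhaustive).
PROVIDERS = {
    "herokuapp.com": "Heroku",
    "vercel.app": "Vercel",
    "netlify.app": "Netlify",
    "firebaseapp.com": "Firebase",
    "github.io": "GitHub Pages",
    "s3.amazonaws.com": "S3",
    "blob.core.windows.net": "Azure Blob",
}

# Constructed BIND-style zone excerpt; target.com is a placeholder.
ZONE_SAMPLE = """\
$ORIGIN target.com.
www        300 IN A     203.0.113.10
blog       300 IN CNAME target.netlify.app.
old-app    300 IN CNAME legacy-target.herokuapp.com.
docs       300 IN CNAME target.github.io.
assets     300 IN CNAME target-prod.s3.amazonaws.com.
api        300 IN CNAME www.target.com.
partners   300 IN CNAME portal.example-vendor.net.
"""


def parse_cnames(zone_text: str, origin: str) -> list[tuple[str, str]]:
    """Extract (fqdn, target) pairs for CNAME records; relative names get the origin appended."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(("$", ";")) or parts[3].upper() != "CNAME":
            continue
        name = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}."
        records.append((name.rstrip(".").lower(), parts[4].rstrip(".").lower()))
    return records


def classify(target: str, origin: str) -> str:
    """'internal' for in-zone targets, a provider name for known hosts, else 'external-unknown'."""
    if target == origin or target.endswith("." + origin):
        return "internal"
    for suffix, provider in PROVIDERS.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return "external-unknown"


def audit(zone_text: str, origin: str) -> list[tuple[str, str, str]]:
    """Return every CNAME that leaves the zone, tagged with the provider it points at."""
    return [(n, t, classify(t, origin)) for n, t in parse_cnames(zone_text, origin)
            if classify(t, origin) != "internal"]
```

Each flagged record is a service to verify still exists under your control; the external-unknown entries deserve the same check against whichever vendor owns them.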

The takeaway

Subdomain enumeration is the highest-ROI early step in any external assessment. The 30-subdomain result is the average; the 200-subdomain result is what mature OSINT produces. Layer passive + active + cloud + JS-aware sources for completeness. Defenders running this against themselves catch shadow IT before attackers do.
