Skip to main content


Enumerating DNS Subdomains

Be it for CTFs, real life™ pentests, threat intel, etc. DNS subdomain enumeration is a very important task. There are many different tools and techniques for it.

Just ask

dig axfr

No, it won’t work :)


Use Google: search for site:*

There are more places to search: search engines, Netcraft, DNSdumpster, VirusTotal, SSL Certificates…

Bing used to allow searches like ip: returning domains for a scpecific IP address. Unfortunately it does not work any more :(

But there is

% curl ''


There is a load of bruteforcing tools:

  • altdns. Subdomain discovery through alterations and permutations.
  • OWASP amass. The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques including DNS, Scraping, Certificates, APIs and web archives.
  • dnstwist. See what sort of trouble users can get in trying to type your domain name. Find lookalike domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud, and brand impersonation. Useful as an additional source of targeted threat intelligence.
  • sublist3r. Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.

amass is really complete, there is an extensive tutorial here: and deserves a full post (someday).


In a context where you do not have a real DNS the best option may be fuzzing. But not only that; this technique makes possible to discover non-indexed (for whatever reason) subdomains, working subdomains behind a wildcard (*, etc.

Btw, is it different from “bruteforcing”? Nah, not really.


ffuf is a very fast multithreaded fuzzer written in go, so you can install by running go get or just get it from the github page.


$ ffuf -w subdomains-top1million-5000.txt -H "Host: FUZZ.forge.htb" -u http://forge.htb -fc 302

This code will run through the wordlist provided with -w, modify the host header and exclude results with a 302 return code. You can filter (include/exclude) by status, size, words, lines… configure the rate and number of threads, etc.


Quite similar to ffuf, this would be the equivalent syntax:

wfuzz -u http://forge.htb -w subdomains-top1million-5000.txt -H "Host: FUZZ.forge.htb" --hc 302

ffuf vs wfuzz speed

The two commands compared. ffuf is 4 times faster (with default configurations as seen above)!

Program Time
ffuf 0m7,045s
wfuzz 0m28,253s


comments powered by Disqus