> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/everything/everything-web/sub-domain-enumeration.md).

# Sub Domain Enumeration

## Google Dorking

Google dorks can be used to enumerate host subdomains. For example searching for Microsoft.com subdomains we can use the minus - symbol to tell Google to remove URL results for particular strings.

![](/files/NS0WmMql5qBmmcl1qn8Y)

Every time a sub domain is found it can then be excluded from the next search

```
microsoft.com -www -docs -infrastructuremap
```

![](/files/UC773PUvC2Auyn1ohP17)

## Tools

### Amass

```bash
amass enum -d <domain>
```

![](/files/xEcenXsOfSlWRF9m5PVl)

### DNSRecon

```bash
# Quick brute force
dnsrecon -t brt -v -d <Domain>

# With Wordlist
dnsrecon -t brt -D <Wordlist> -v -d <Domain>
```

![](/files/JTARWcXXBXXVtdq75iTb)

### Sublist3r

```bash
# Default Search
sublist3r -d <Domain> -v

# With brute force
```

### Wfuzz

```
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://love.htb" -H "Host: FUZZ.love.htb" --hl 125
```

## Web Tools

### Cert.sh

{% embed url="<https://crt.sh>" %}

Searching a domain name in Cert.sh can help identify when SSL Certificates have been issued to a particular domain and subdomains.

![](/files/EQFyNTECk49ydZELwZj1)

### DNSdumpster

[DNSdumpster](https://dnsdumpster.com) is a great tool for DNS and host enumeration. We even get a nice downloadable graph and can even export discovered hosts directly to `.xlsx`.

![](/files/u4V4pX9rX0yOMuYXj02h)

### VirusTotal

VirusTotal can be used to look up sub domains of a host: <https://www.virustotal.com/gui/home/search>

```
https://www.virustotal.com/gui/domain/<Domain>/relations
```

![](/files/9FbdTVEjeGkGXrp39x8h)

## Virtual Hosts

Some subdomains aren't always hosted in publicly accessible DNS results, such as development versions of a web application or administration portals.

Web servers can host multiple websites under the same IP. The web server is able to differentiate between requests by the value in the **Host** header of a request. It is possible to take advantage of this by fuzzing the host header for discovery.

### Fuff

```bash
ffuf -w <Wordlist> -H "Host: FUZZ.acmeitsupport.thm" -u <IP>
```
