Subdomain Enumeration
Passive, active, and brute-force discovery of subdomains for each in-scope root.
Discovery is where you expand a short scope list into the real attack surface. A
client hands you example.com and three CIDRs; by the end of discovery you want
every subdomain, every resolving host, and every live IP that belongs to them.
The pipeline is a funnel — each stage produces input for the next, and every candidate gets filtered against your scope blacklist before it moves forward:
    seed roots ─▶ subdomain enumeration ─▶ DNS resolution ─▶ host discovery ─▶ live hosts
        │          (passive+active)        (which resolve)    (which are up)        │
        └──◀── certificate transparency & reverse DNS feed new roots back in ◀──────┘
Keep looping: cert harvesting and reverse DNS routinely turn up new root domains.
Add the in-scope ones back to scope-domains.txt and re-run enumeration.
Discovery is “done” when a full loop produces nothing new.
Before enumerating subdomains, fingerprint each root. It’s cheap, passive, and orients everything that follows.
    # One directory per root; whois, the core record types, and DMARC go to separate files.
    while read -r domain; do
        mkdir -p "recon/domains/$domain"
        whois "$domain" | tee "recon/domains/$domain/whois.txt"
        for rec in A MX NS TXT SOA; do
            dig +noall +answer "$domain" "$rec"
        done | tee "recon/domains/$domain/dig.txt"
        # DMARC / SPF often leak infra and partner domains
        dig +short TXT "_dmarc.$domain" | tee "recon/domains/$domain/dmarc.txt"
    done < scope-domains.txt
What I’m looking for in the output:
If the client owns IP space, look up their ASN (whois -h whois.radb.net <ip>
or bgp.he.net) and pull the announced prefixes.
amass intel -asn <ASN> automates this. The CIDRs you recover become new entries
in scope-ips.txt.
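The feedback loop described above, applied to the SPF/DMARC leak the fingerprinting script captures: referenced domains are reduced to roots, filtered against the scope blacklist and the tester's confirmed-in-scope list, fed back in, and the loop ends when a full pass adds nothing. This is an added example, not code from the original page; the TXT records are constructed stand-ins for `dig +short TXT` output, and the last-two-labels root heuristic is a simplification (use the Public Suffix List in practice).

```python
import re

# Constructed TXT records standing in for `dig +short TXT` output (no real lookups).
TXT_RECORDS = {
    "example.com": [
        '"v=spf1 include:_spf.mailvendor.net include:spf.partner-corp.com -all"',
    ],
    "_dmarc.example.com": [
        '"v=DMARC1; p=reject; rua=mailto:dmarc@reports.example.com,mailto:agg@dmarc-saas.io"',
    ],
    "partner-corp.com": ['"v=spf1 redirect=_spf.example-cloud.net"'],
    "_dmarc.partner-corp.com": [],
}

SPF_DOMAIN = re.compile(r"(?:include|redirect)[:=]([\w.-]+)")
MAILTO_DOMAIN = re.compile(r"mailto:[^@,;\s]+@([\w.-]+)")


def registrable_root(host):
    # Naive last-two-labels heuristic (hypothetical); real pipelines use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def leaked_domains(root, txt):
    """Domains a root's SPF and DMARC records reference (include:, redirect=, rua/ruf mailto)."""
    found = set()
    for rec in txt.get(root, []) + txt.get(f"_dmarc.{root}", []):
        found.update(SPF_DOMAIN.findall(rec))
        found.update(MAILTO_DOMAIN.findall(rec))
    return found


def discover_roots(seeds, approved, blacklist, txt=TXT_RECORDS):
    """Loop until a full pass adds no new root. Returns (roots, leads_left_out_of_scope)."""
    roots, leads = set(seeds), set()
    while True:
        new = set()
        for root in sorted(roots):
            for host in leaked_domains(root, txt):
                cand = registrable_root(host)
                if cand in blacklist or cand not in approved:
                    leads.add(host)        # record it for review, never feed it forward
                elif cand not in roots:
                    new.add(cand)
        if not new:                        # "done": a full loop produced nothing new
            return roots, leads
        roots |= new
```

Blacklist is checked before the approved list, so a root that appears in both is still held back, and the out-of-scope leads are returned separately so nothing is silently dropped.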