The Secret trick for subdomain Enumeration

3 min readMar 4, 2022

Probably the most covered topic in bug bounty hunting and web apps is subdomain enumeration.

Well, the traditional approach of Subdomain Enumeration consists of using a wordlist to Bruteforce. Basically, guess the subdomain. Let's cover the basics moving onto the advanced tricks I use for getting the secret subdomains.


Different enumeration methods involved in finding the subdomains which are :

  1. Bruteforce

OSINT-, Google Cert search

  1. Virtual hosts

1. We can find subdomains by utilizing search engines like

Make some advanced filters for finding subdomains.

  • site:*, by using this filter we can get all subdomains of a particular domain.
  • This is the method that we utilize for subdomains in real-time.

2. Bruteforce DNS is one of the enumeration methods used for finding commonly used subdomains.

Basically, we use a wordlist such as GITHUB TOP 1 MILLION SUB and brute force before the to try to guess the subdomains.

We can use popular several tools. A popular one is dnsrecon

dnsrecon -t brt -d

3. Automated OSINT is also another technique, a great tool for doing this is Sublist3r

./ -d


Some subdomains aren’t always hosted in publically accessible DNS results, such as development versions of a web application or administration portals. Instead, the DNS record could be kept on a private DNS server or recorded on the developer’s machines in their /etc/hosts file (or c:\windows\system32\drivers\etc\hosts file for Windows users) which maps domain names to IP addresses.

Because web servers can host multiple websites from one server when a website is requested from a client, the server knows which website the client wants from the Host header. We can utilize this host header by making changes to it and monitoring the response to see if we’ve discovered a new website.

Like with DNS Bruteforce, we can automate this process by using a wordlist of commonly used subdomains. This way of modifying the Host header is a brilliant way to get the domains from inside the hosts file.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H “Host:” -u

This fuzzes the internal hosts file to get the Secret Suddomain.

Now here comes a problem, if we fuzz then we’ll get everything as 200 OK. In order to seperate the cream from the milk, or the secret from the rest of the domains, So lets say we get many replies, we note the false ones, they will all contain a specific length, lets say 3155.

FILTER:We now use -fs in ffuf to exclude the 3155 length:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H “Host:” -u -fs {size}

Ex: If we take and size of other requests be 3122, the command would look like:

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H “Host:” -u -fs 3122

Now you understand, best ways to enumerate subdomains, make a list and go hack some webapps.

Protip: Use custom wordlists and definetly use the last virtual host method:) -Ravaan




Red Teamer/BBHH. APPLE HOF ADOBE HOF, Governments to fortune 500 companies, UN. Reaseacher/Malware. CVE Hunting. Bookworm. CEH(prac)