June 16, 2026
How to Find More Subdomains Than Everyone Else
Recon is a numbers game. Here is how to win it.
Masood Nfc
Most hunters run one tool, get two hundred subdomains, and start testing. The hunters who eat well run six sources, get two thousand, and test the ones nobody else found. Subdomains are the front door to a target. More doors means more bugs.
Here is the full recon stack, in order.
Start passive, always
Passive enumeration pulls subdomains from public data without touching the target. It is safe, fast, and silent. Run subfinder with every source enabled. Run amass in passive mode. These two pull from certificate logs, DNS aggregators, and search engines. Merge the output. Sort unique. You now have your baseline.
Mine certificate transparency yourself
Every HTTPS certificate ever issued is logged publicly. A subdomain that has a certificate exists, even if it resolves to nothing today. Query the logs directly for targets that hide their subdomains.
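The merge step from the two sections above (tool output plus certificate transparency entries) is where most lists get noisy: mixed case, trailing dots, wildcard SANs, and certificates that list names from other roots entirely. The following script is an added example, not code from the original post or from the subfinder, amass or crt.sh projects. It assumes one-name-per-line output for the tools and a crt.sh-style JSON array whose entries carry a newline-separated `name_value` field (an assumption about that format); the sample inputs are constructed.

```python
import json
import re
from typing import Iterable, List, Optional, Set

# DNS hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_name(raw: str, root: str) -> Optional[str]:
    """Canonicalise one candidate and keep it only if it is in scope.

    Handles the noise real sources produce: mixed case, trailing dots,
    wildcard SANs ("*.api.example.com"), whitespace, and names that belong
    to a different root (CT entries often list unrelated SANs).
    """
    name = raw.strip().lower().rstrip(".")
    root = root.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard cert still proves the parent exists
    if not name or name == root:
        return None      # the apex is not a subdomain
    if not name.endswith("." + root):
        return None      # out of scope for this root
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None      # garbage label (spaces, underscores, ...)
    return name


def parse_plain_lines(text: str, root: str) -> Set[str]:
    """Parse one-name-per-line output, the shape subfinder and amass emit."""
    found: Set[str] = set()
    for line in text.splitlines():
        name = normalize_name(line, root)
        if name:
            found.add(name)
    return found


def parse_crtsh_json(text: str, root: str) -> Set[str]:
    """Parse a crt.sh-style JSON array (assumed layout: each entry has a
    'name_value' string with newline-separated SANs)."""
    found: Set[str] = set()
    for entry in json.loads(text):
        for san in entry.get("name_value", "").split("\n"):
            name = normalize_name(san, root)
            if name:
                found.add(name)
    return found


def merge_sources(*sources: Iterable[str]) -> List[str]:
    """Union every source and return the sorted, de-duplicated baseline."""
    merged: Set[str] = set()
    for src in sources:
        merged.update(src)
    return sorted(merged)


# Constructed sample output, standing in for real tool runs.
SUBFINDER_OUT = "www.example.com\nAPI.example.com.\ndev.example.com\nmail.example.com\n"
AMASS_OUT = "dev.example.com\nvpn.example.com\nwww.notexample.com\n"
CRTSH_OUT = json.dumps([
    {"name_value": "*.api.example.com\napi.example.com"},
    {"name_value": "staging-old.example.com"},
    {"name_value": "example.com"},            # apex, dropped
    {"name_value": "shared-cdn.example.net"}, # other root, dropped
])


def build_baseline(root: str = "example.com") -> List[str]:
    """Run all three parsers over the samples and merge them."""
    return merge_sources(
        parse_plain_lines(SUBFINDER_OUT, root),
        parse_plain_lines(AMASS_OUT, root),
        parse_crtsh_json(CRTSH_OUT, root),
    )


if __name__ == "__main__":
    for host in build_baseline():
        print(host)
```

Run it against real files by replacing the three sample strings with the contents of each tool's output; the scope check in `normalize_name` is what keeps a shared CDN certificate from dragging a stranger's hosts into your list.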
Add historical URLs
Waybackurls and similar tools pull every URL the Internet Archive ever saw for a domain. Old endpoints. Forgotten subdomains. Dead API paths that sometimes still work. This is where you find the staging server from 2021 that everyone forgot.
Brute force the rest
Passive misses internal naming. Take a good wordlist, the kind in SecLists, and resolve every guess against the target DNS. dev. staging. admin. internal. vpn. git. jenkins. Each hit is a door competitors never opened.
Permute what you found
Found api and dev subdomains? A permutation tool will test api-dev, dev-api, api2 and a hundred more. Real infrastructure follows naming patterns. Permutation finds the rest of the pattern.
Filter to what is alive
Pipe everything through httpx. Keep only hosts that respond. Capture the title, the status code, and the tech stack. Two thousand subdomains become maybe four hundred live ones.
Then read, do not scan
Do not fire a scanner at four hundred hosts. Read the list. Sort by title. The ones that say login, admin, dashboard, internal, staging, beta, or old are your targets. The boring corporate homepage repeated three hundred times is not.
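The two sections above (filter with httpx, then read the list sorted by title) are easy to script once the httpx output is JSON. The following is an added example, not code from the original post or from the httpx project. It assumes httpx was run with its JSON output mode, one object per line, and that the fields are named `url`, `title`, `status_code` (older builds: `status-code`) and `tech`; those names are an assumption, and the sample lines are constructed.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Title words the post says mark a host worth reading first.
INTERESTING = ("login", "admin", "dashboard", "internal", "staging", "beta", "old")


def parse_httpx_jsonl(text: str) -> List[Dict]:
    """Parse httpx JSON-lines output into a flat record per live host.

    Field names are assumed (see lead-in); both the current 'status_code'
    and the older 'status-code' spelling are accepted.
    """
    records: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        records.append({
            "url": obj.get("url", ""),
            "title": (obj.get("title") or "").strip(),
            "status": int(obj.get("status_code", obj.get("status-code", 0))),
            "tech": obj.get("tech", []),
        })
    return records


def triage(records: List[Dict]) -> Tuple[List[Dict], Counter]:
    """Split live hosts into (interesting, title_counts).

    interesting: hosts whose title contains one of INTERESTING, sorted by
    title then URL so similar apps sit together when you read the list.
    title_counts: how many hosts share each title, which exposes the
    'same corporate homepage three hundred times' pattern at a glance.
    """
    counts = Counter(r["title"] or "(no title)" for r in records)
    interesting = [
        r for r in records
        if any(word in r["title"].lower() for word in INTERESTING)
    ]
    interesting.sort(key=lambda r: (r["title"].lower(), r["url"]))
    return interesting, counts


# Constructed sample output in the assumed httpx JSON-lines shape.
HTTPX_OUT = "\n".join([
    '{"url":"https://www.example.com","title":"Example Corp","status_code":200,"tech":["Nginx"]}',
    '{"url":"https://shop.example.com","title":"Example Corp","status_code":200,"tech":["Nginx"]}',
    '{"url":"https://blog.example.com","title":"Example Corp","status_code":200,"tech":["WordPress"]}',
    '{"url":"https://staging-old.example.com","title":"Staging - Example Corp","status_code":200,"tech":["Nginx"]}',
    '{"url":"https://vpn.example.com","title":"VPN Login","status-code":401,"tech":[]}',
    '{"url":"https://api.example.com","title":"","status_code":404,"tech":[]}',
    '{"url":"https://jenkins.example.com","title":"Dashboard [Jenkins]","status_code":403,"tech":["Jetty"]}',
])


def run_sample() -> Tuple[List[str], Counter]:
    """Triage the sample and return (interesting URLs in order, title counts)."""
    interesting, counts = triage(parse_httpx_jsonl(HTTPX_OUT))
    return [r["url"] for r in interesting], counts


if __name__ == "__main__":
    urls, counts = run_sample()
    print("Read these first:")
    for url in urls:
        print("  ", url)
    print("Title frequency:")
    for title, n in counts.most_common():
        print(f"  {n:4d}  {title}")
```

The title-frequency table is the part worth keeping around: a title that appears hundreds of times is one application behind many names, and can be reviewed once rather than once per host.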
The mindset
Recon is not glamorous. It is a search problem. The hunter who searches widest, in the most sources, finds the door the hundred hunters before them walked past. Run all six sources every time. The bug is almost never on www.
Start tonight. Pick one wide scope program. Run the full stack. Count how many live hosts you find that are not the main site. Those are your leads.