February 15, 2026
TryHackMe Walkthrough -Subdomain Enumeration
Learn practical passive and active techniques to discover subdomains, map hidden assets, and safely expand the attack surface of a target…
Bhanvararam choudhary
2 min read
Learn practical passive and active techniques to discover subdomains, map hidden assets, and safely expand the attack surface of a target during ethical hacking recon.
Discover how to use OSINT, brute force, and virtual host techniques to uncover hidden subdomains and strengthen your web hacking recon skills.
===============================================================
🕵️♂️ Subdomain Enumeration — A Complete Beginner's Guide
===============================================================
🚀 Introduction
In ethical hacking, reconnaissance is the first and one of the most critical stages. One very useful reconnaissance activity is subdomain enumeration — the process of discovering hidden subdomains of a main website.
Subdomains often host additional services that can lead to new vulnerabilities, so identifying them is crucial for mapping a target's attack surface.
Example:
example.com
admin.example.com
dev.example.comexample.com
admin.example.com
dev.example.com🎯 Why Subdomain Enumeration Matters
- Expands the attack surface
- Helps identify hidden entry points
- Reveals misconfigured or forgotten assets
⚡ Common Methods
- Brute Force — Uses a wordlist to guess subdomains (e.g. admin, test, dev).
- OSINT (Open-Source Intelligence) — Collects subdomains using free public data.
- Virtual Host Enumeration — Finds hostnames on the same server/IP.
🧠 Key Takeaways
- Subdomain enumeration is essential for reconnaissance.
- It helps uncover hidden assets.
- The main techniques are Brute Force, OSINT, and Virtual Host enumeration.
Q1. What is a subdomain enumeration method beginning with B?
Correct Answer: Brute Force
Q2. What is a subdomain enumeration method beginning with O?
Correct Answer: OSINT
Q3. What is a subdomain enumeration method beginning with V?
Correct Answer: Virtual Host
===============================================================
🧩 TASK 2 — Using SSL/TLS Certificates (OSINT)
🔐 What Are SSL/TLS Certificates?
SSL/TLS certificates secure communication between a browser and a web server. Issued by Certificate Authorities (CA), they are publicly registered in Certificate Transparency (CT) logs.
🌐 Why CT Logs Matter
CT logs:
- Maintain transparency in certificate issuance
- Help detect fraudulent certificates
- Contain valuable OSINT data for discovering subdomains
🔧 Tool: crt.sh
- Go to crt.sh.
- Enter the target domain (e.g.
tryhackme.com). - Review the logs for subdomains found in certificates.
Example:
Searching for tryhackme.com showed a subdomain logged on 2020‑12‑26:
Ans. store.tryhackme.com
🧠 Key Takeaways
- Certificate Transparency logs are publicly accessible.
- Tools like
crt.shmake SSL‑based subdomain discovery easy. - This is a passive and safe reconnaissance method.
===============================================================
🔎 TASK 3 — Using Search Engines (OSINT)
Search engines can reveal indexed subdomains using advanced queries.
🧰 Google Dork Example
site:*.domain.com -site:www.domain.comsite:*.domain.com -site:www.domain.comExplanation: Shows all indexed subdomains while excluding the main website.
Example:
site:*.tryhackme.com -site:www.tryhackme.comsite:*.tryhackme.com -site:www.tryhackme.comResult may include:
What is the TryHackMe subdomain beginning with S discovered using the above Google search?
Ans. store.tryhackme.com
🧠 Key Takeaways
- Works as a passive OSINT technique.
- Uses search operators to find indexed subdomains.
===============================================================
🌐 TASK 4 — DNS Brute Force Enumeration
🔍 What Is It?
DNS Brute Forcing is an active method that tests a wordlist of common names to find valid subdomains.
Example Wordlist:
admin
api
dev
testadmin
api
dev
test⚙️ Tool: dnsrecon
Example command:
dnsrecon -t brt -d acmeitsupport.thmdnsrecon -t brt -d acmeitsupport.thmOutput:
api.acmeitsupport.thm
www.acmeitsupport.thmapi.acmeitsupport.thm
www.acmeitsupport.thm🧠 Key Takeaways
- Fast but noisy technique (can trigger monitoring).
- Automates subdomain discovery using DNS requests.
Answer the questions below
What is the first subdomain found with the dnsrecon tool?
Ans. api.acmeitsupport.thm
===============================================================
⚡ TASK 5 — Automated Enumeration using Sublist3r
🔍 What Is Sublist3r?
Sublist3r is a Python-based OSINT tool that automates the collection of subdomains from multiple data sources like:
- Google, Bing, Yahoo
- Netcraft, VirusTotal
- SSL Certificate repositories
🔧 Usag
./sublist3r.py -d acmeitsupport.thm./sublist3r.py -d acmeitsupport.thmResult:
web55.acmeitsupport.thmweb55.acmeitsupport.thm🧠 Key Takeaways
- Fully passive method.
- Combines multiple OSINT sources quickly.
- Perfect for bug bounty and recon automation.
==============================================================
🕸️ TASK 6 — Virtual Host Enumeration
🔍 What Are Virtual Hosts?
A single server IP can host multiple websites using the Host header in HTTP requests.
For example, sending different Host: values can uncover hidden or internal subdomains.
⚙️ Tool: ffuf (Fast Web Fuzzer)
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt \
-H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.184.243ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt \
-H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.184.243Explanation:
-w→ wordlist fileFUZZ→ placeholder for subdomain-H→ sets Host header
🎯 Filtering False Positives
Use a filter on response size:
ffuf -w wordlist.txt -H "Host: FUZZ.acmeitsupport.thm" \
-u http://10.10.184.243 -fs <response_size>ffuf -w wordlist.txt -H "Host: FUZZ.acmeitsupport.thm" \
-u http://10.10.184.243 -fs <response_size>Discovered Subdomains:
delta.acmeitsupport.thm
yellow.acmeitsupport.thmdelta.acmeitsupport.thm
yellow.acmeitsupport.thm🧠 Key Takeaways
- Finds subdomains not visible in DNS.
- Requires wordlists and host header fuzzing.
ffufis fast and versatile for this task.
Answer the questions below
What is the first subdomain discovered?
Ans. delta
What is the second subdomain discovered?
Ans. yellow
===============================================================
🔥 Final Thoughts
Subdomain enumeration is a cornerstone of ethical hacking reconnaissance. By combining OSINT, brute force, and virtual host methods, you can build a complete map of a target's digital footprint — safely and effectively.
✍️ Author
Written by : Bhanvara Ram Choudhary
TryHackme : https://tryhackme.com/p/bhanvararam
linkedin: https://www.linkedin.com/in/bhanvara-ram-choudhary-862610299/ For educational and authorized penetration testing use only.
🕵️♂️ Subdomain Enumeration — A Complete Beginner's Guide
===============================================================