Learn practical passive and active techniques to discover subdomains, map hidden assets, and safely expand the attack surface of a target during ethical hacking recon.

Discover how to use OSINT, brute force, and virtual host techniques to uncover hidden subdomains and strengthen your web hacking recon skills.

===============================================================

πŸ•΅οΈβ€β™‚οΈ Subdomain Enumeration β€” A Complete Beginner's Guide

===============================================================

🚀 Introduction

In ethical hacking, reconnaissance is the first stage and one of the most critical. A core reconnaissance activity is subdomain enumeration: finding the hostnames that live under a target's main domain, many of which are never linked from the public site.

Subdomains often host additional services that can lead to new vulnerabilities, so identifying them is crucial for mapping a target's attack surface.

Example:

example.com
admin.example.com
dev.example.com

🎯 Why Subdomain Enumeration Matters

  • Expands the attack surface
  • Helps identify hidden entry points
  • Reveals misconfigured or forgotten assets

⚡ Common Methods

  1. Brute Force: guesses names from a wordlist (admin, test, dev, ...) and checks each one with a DNS lookup. Active: the queries reach the target's name servers.
  2. OSINT (Open-Source Intelligence): harvests subdomains from public data such as Certificate Transparency logs and search engines. Passive: nothing is sent to the target.
  3. Virtual Host Enumeration: sends requests to the target's web server with guessed Host headers to find sites it serves that are not in public DNS. Active.

🧠 Key Takeaways

  • Subdomain enumeration is essential for reconnaissance.
  • It helps uncover hidden assets.
  • The main techniques are Brute Force, OSINT, and Virtual Host enumeration.

Q1. What is a subdomain enumeration method beginning with B?

Correct Answer: Brute Force

Q2. What is a subdomain enumeration method beginning with O?

Correct Answer: OSINT

Q3. What is a subdomain enumeration method beginning with V?

Correct Answer: Virtual Host

===============================================================

🧩 TASK 2 — Using SSL/TLS Certificates (OSINT)

πŸ” What Are SSL/TLS Certificates?

SSL/TLS certificates authenticate a web server and encrypt the traffic between it and the browser. Publicly trusted Certificate Authorities (CAs) submit every certificate they issue to public Certificate Transparency (CT) logs, and browsers such as Chrome and Safari reject publicly trusted certificates that were never logged. Every hostname a certificate covers, including each entry in its Subject Alternative Name list, therefore ends up in a searchable public record.

🌐 Why CT Logs Matter

CT logs:

  • Maintain transparency in certificate issuance
  • Help detect fraudulent certificates
  • Contain valuable OSINT data for discovering subdomains

🔧 Tool: crt.sh

  1. Go to crt.sh.
  2. Enter the target domain (e.g. tryhackme.com). Prefixing it with % (e.g. %.tryhackme.com) matches every name under it.
  3. Review the matching certificates: the Logged At column gives the date, and Common Name and Matching Identities list the hostnames each certificate covers.

Example: Searching for tryhackme.com showed a subdomain logged on 2020‑12‑26: Ans. store.tryhackme.com
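Reviewing crt.sh by hand works for one domain, but its JSON endpoint lets you script the same extraction. The block below is an added example for this write-up, not crt.sh code and not part of the TryHackMe room. It assumes the shape crt.sh returns for https://crt.sh/?q=%25.<domain>&output=json (each record's name_value field holds the certificate's Subject Alternative Names, one per line); the sample records, the hypothetical example.com names and the timestamps are constructed, not real log entries.

```python
"""Pull subdomains out of crt.sh JSON output.

Added example for this write-up; it is not crt.sh code or part of the
TryHackMe room. crt.sh answers https://crt.sh/?q=%25.<domain>&output=json
with a JSON array in which each record's name_value field holds the
certificate's Subject Alternative Names, one per line. The records below
are constructed to match that shape and are not real log entries.
"""
import json
import re
from typing import Dict, List

# Constructed sample: four log entries for the hypothetical example.com.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "entry_timestamp": "2020-12-26T10:00:00.000",
     "common_name": "store.example.com",
     "name_value": "store.example.com"},
    {"id": 2, "entry_timestamp": "2021-03-01T08:30:00.000",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\nAPI.example.com"},
    {"id": 3, "entry_timestamp": "2021-05-10T12:00:00.000",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 4, "entry_timestamp": "2021-06-01T09:00:00.000",
     "common_name": "notexample.com",
     "name_value": "notexample.com\nexample.com.evil.net"},
])

# RFC 1123 hostname: labels of letters, digits and inner hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def extract_subdomains(crtsh_json: str, domain: str) -> Dict[str, str]:
    """Return {hostname: earliest entry_timestamp} for every in-scope name.

    Wildcards such as *.example.com are dropped: they prove a certificate
    exists but name no host. Names that merely contain the domain
    (notexample.com, example.com.evil.net) are dropped too, since a naive
    substring match would count them as subdomains.
    """
    domain = domain.lower().rstrip(".")
    found: Dict[str, str] = {}
    for entry in json.loads(crtsh_json):
        logged_at = entry.get("entry_timestamp", "")
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                continue
            if name != domain and not name.endswith("." + domain):
                continue
            if not HOSTNAME_RE.match(name):
                continue
            # ISO-8601 strings sort chronologically, so keeping the smaller
            # string keeps the earliest log entry.
            if name not in found or logged_at < found[name]:
                found[name] = logged_at
    return found


def logged_on(found: Dict[str, str], day: str) -> List[str]:
    """Names whose earliest log entry falls on the given YYYY-MM-DD day."""
    return sorted(name for name, ts in found.items() if ts.startswith(day))


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    for name in sorted(hosts):
        print(f"{hosts[name]}  {name}")
    print("logged on 2020-12-26:", logged_on(hosts, "2020-12-26"))
```

Against a live target you would feed the function the body of `curl -s 'https://crt.sh/?q=%25.example.com&output=json'` instead of the constructed sample. The names it returns come from certificates, not from DNS, so resolve each one before treating it as a live host.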

🧠 Key Takeaways

  • Certificate Transparency logs are publicly accessible and cover every publicly trusted certificate, including ones issued for internal or staging hostnames.
  • Tools like crt.sh make SSL-based subdomain discovery easy.
  • This is a passive and safe reconnaissance method: the queries go to the log search service, never to the target.
  • Caveats: a wildcard certificate (*.example.com) hides the real hostnames behind it, and a logged name may no longer resolve, so confirm each result with a DNS lookup.

===============================================================

🔎 TASK 3 — Using Search Engines (OSINT)

Search engines index pages hosted on subdomains as well as on the main site, and their advanced query operators let you list those subdomains without touching the target.

🧰 Google Dork Example

site:*.domain.com -site:www.domain.com

Explanation: site:*.domain.com restricts results to the domain and its subdomains, and -site:www.domain.com removes the main website's pages so the other subdomains surface. Only subdomains with indexed pages appear, so this complements CT logs rather than replacing them.

Example:

site:*.tryhackme.com -site:www.tryhackme.com

The results list pages from the indexed subdomains.

Answer the questions below

What is the TryHackMe subdomain beginning with S discovered using the above Google search?

Ans. store.tryhackme.com

🧠 Key Takeaways

  • Works as a passive OSINT technique.
  • Uses search operators to find indexed subdomains.

===============================================================

🌐 TASK 4 — DNS Brute Force Enumeration

πŸ” What Is It?

DNS brute forcing is an active method: each word in a list of common names is prepended to the target domain and the resulting hostname is looked up in DNS. Names that resolve are live subdomains; names that return NXDOMAIN are discarded.

Example Wordlist:

admin
api
dev
test

βš™οΈ Tool: dnsrecon

Example command:

dnsrecon -t brt -d acmeitsupport.thm

Output:

api.acmeitsupport.thm
www.acmeitsupport.thm

🧠 Key Takeaways

  • Fast but noisy: every guess is a DNS query that reaches the target's authoritative name servers, so the whole wordlist shows up in their query logs.
  • Automates subdomain discovery using DNS requests.
  • Watch for wildcard DNS: a zone with a *.domain record answers every guess, so compare each hit against the address a random label resolves to and drop the ones that match.
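To show what dnsrecon is doing under the hood, and how the wildcard false-positive trap is handled, here is an added example written for this write-up. It is not dnsrecon's code. The system_resolver function performs real lookups through the OS resolver; FAKE_ZONE, fake_resolver and the addresses in them are a constructed stand-in for acmeitsupport.thm so the script runs offline.

```python
"""DNS brute force with wildcard detection.

Added example for this write-up; it is not dnsrecon's code. The real
resolver uses the OS stub resolver via socket. FAKE_ZONE and
fake_resolver are a constructed stand-in for acmeitsupport.thm so the
script runs offline; the addresses in it are made up.
"""
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional, Set

# A resolver maps a hostname to its A-record addresses, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[Set[str]]]


def system_resolver(hostname: str) -> Optional[Set[str]]:
    """Resolve with the operating system's resolver (real network traffic)."""
    try:
        _, _, addresses = socket.gethostbyname_ex(hostname)
        return set(addresses)
    except socket.gaierror:
        return None


# Constructed zone. It carries a wildcard (*.acmeitsupport.thm), which makes
# every guessed name resolve: the classic brute-force false-positive trap.
FAKE_ZONE: Dict[str, Set[str]] = {
    "api.acmeitsupport.thm": {"10.10.184.243"},
    "www.acmeitsupport.thm": {"10.10.184.243"},
    "mail.acmeitsupport.thm": {"10.10.184.250"},
}
FAKE_WILDCARD_IPS = {"10.10.184.99"}


def fake_resolver(hostname: str) -> Optional[Set[str]]:
    """Offline stand-in for system_resolver over the constructed zone."""
    if hostname in FAKE_ZONE:
        return set(FAKE_ZONE[hostname])
    if hostname.endswith(".acmeitsupport.thm"):
        return set(FAKE_WILDCARD_IPS)
    return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels under the domain. Any answer means the
    zone has a wildcard record; return the addresses it hands out."""
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
        answer = resolve(f"{label}.{domain}")
        if answer:
            wildcard_ips |= answer
    return wildcard_ips


def brute_force(domain: str, wordlist: Iterable[str],
                resolve: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Try every word as a label under domain; return {hostname: addresses}
    for names that resolve to something other than the wildcard answer."""
    wildcard_ips = detect_wildcard(domain, resolve)
    hits: Dict[str, Set[str]] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        host = f"{word}.{domain}"
        answer = resolve(host)
        if not answer:
            continue
        # A name whose only addresses are the wildcard's was never configured;
        # DNS just matched *.domain. Keep names with at least one other address.
        if wildcard_ips and answer <= wildcard_ips:
            continue
        hits[host] = answer
    return hits


if __name__ == "__main__":
    words = ["admin", "api", "dev", "test", "www", "mail"]
    print("wildcard answers:", detect_wildcard("acmeitsupport.thm", fake_resolver))
    for host, ips in brute_force("acmeitsupport.thm", words, resolve=fake_resolver).items():
        print(host, sorted(ips))
```

Pass resolve=system_resolver (the default) and a real wordlist to run it against a zone you are authorised to test; every guess then leaves the box as a DNS query, which is exactly the noise the key takeaway above warns about.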

Answer the questions below

What is the first subdomain found with the dnsrecon tool?

Ans. api.acmeitsupport.thm

===============================================================

⚡ TASK 5 — Automated Enumeration using Sublist3r

πŸ” What Is Sublist3r?

Sublist3r is a Python-based OSINT tool that automates the collection of subdomains from multiple public data sources, including:

  • Search engines: Google, Yahoo, Bing, Baidu, Ask
  • Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, reverse DNS
  • SSL certificate records (crt.sh)

🔧 Usage

./sublist3r.py -d acmeitsupport.thm

Result:

web55.acmeitsupport.thm

🧠 Key Takeaways

  • Passive by default: Sublist3r queries third-party services, not the target (its optional -b switch adds a DNS brute force, which is active).
  • Combines multiple OSINT sources quickly and deduplicates the results.
  • Well suited to bug bounty and recon automation.

==============================================================

πŸ•ΈοΈ TASK 6 β€” Virtual Host Enumeration

πŸ” What Are Virtual Hosts?

One IP address can serve many websites. An HTTP/1.1 client names the site it wants in the Host request header, and the server routes the request to the matching virtual host (or to its default site when the name is unknown).

Sending requests straight to the target's IP with guessed Host values therefore uncovers sites the server knows about even when their names are absent from public DNS, such as internal or staging hosts.

βš™οΈ Tool: ffuf (Fast Web Fuzzer)

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt \
-H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.184.243

Explanation:

  • -w → wordlist file
  • FUZZ → placeholder that ffuf replaces with each word
  • -H → sets the Host header for every request
  • -u → the target URL; using the IP sends the request to the server regardless of what DNS says

🎯 Filtering False Positives

Every unknown Host value gets the default site back, so the first run reports a hit for every word. Note the response size those misses share, then rerun with -fs to hide responses of that size; only hosts that return something different remain:

ffuf -w wordlist.txt -H "Host: FUZZ.acmeitsupport.thm" \
-u http://10.10.184.243 -fs <response_size>

If the default page varies in size, filter on word count (-fw) or status code (-fc) instead.

Discovered Subdomains:

delta.acmeitsupport.thm
yellow.acmeitsupport.thm
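The Host-header loop and the size filter are simple enough to reproduce in a few dozen lines, which makes the technique easier to reason about than the ffuf flags alone. The block below is an added example written for this write-up; it is not ffuf's code. It starts a throwaway HTTP server on 127.0.0.1 as a stand-in for the target so it runs offline; the VHOSTS table, the page contents and the delta/yellow names it serves are constructed.

```python
"""Virtual host discovery by Host-header fuzzing, with a baseline filter.

Added example for this write-up; it is not ffuf's code. A throwaway HTTP
server on 127.0.0.1 stands in for the target so everything runs offline;
its VHOSTS table and page contents are constructed.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple

# Constructed vhost table. Any other Host value gets the default site, which is
# exactly what a real server does for a name it has no virtual host for.
VHOSTS = {
    "delta.acmeitsupport.thm": b"<html><body>Delta internal portal</body></html>",
    "yellow.acmeitsupport.thm": b"<html><body>Yellow staging site</body></html>",
}
DEFAULT_PAGE = b"<html><body>ACME IT Support default site</body></html>"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format: str, *args) -> None:  # silence the request log
        pass


def start_fake_target() -> Tuple[HTTPServer, int]:
    """Serve VHOSTS on an ephemeral localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(ip: str, port: int, host_header: str) -> Tuple[int, int]:
    """GET / from ip:port with an explicit Host header; return (status, body size).
    Connecting by IP is what makes this work for names absent from DNS."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        response = conn.getresponse()
        return response.status, len(response.read())
    finally:
        conn.close()


def fuzz_vhosts(ip: str, port: int, domain: str, wordlist: List[str]) -> List[str]:
    """Return the labels whose Host header yields a response that differs in
    size from the one an unknown name gets (the same idea as ffuf -fs)."""
    baseline_host = f"{secrets.token_hex(8)}.{domain}"  # certainly not a vhost
    _, baseline_size = fetch(ip, port, baseline_host)
    found = []
    for word in wordlist:
        _, size = fetch(ip, port, f"{word}.{domain}")
        if size != baseline_size:
            found.append(word)
    return found


if __name__ == "__main__":
    server, port = start_fake_target()
    try:
        print(fuzz_vhosts("127.0.0.1", port, "acmeitsupport.thm",
                          ["admin", "delta", "test", "yellow", "www"]))
    finally:
        server.shutdown()
```

Against a real target, drop start_fake_target and point fetch at the target's IP and port 80; for HTTPS the same trick needs the guessed name in the TLS SNI extension as well as in the Host header, which http.client's HTTPSConnection does only when you pass the name as server_hostname through a custom SSL context.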

🧠 Key Takeaways

  • Finds hosts the web server knows about but public DNS does not.
  • Requires a wordlist, Host header fuzzing, and a filter for the default response.
  • ffuf is fast and versatile for this task.

Answer the questions below

What is the first subdomain discovered?

Ans. delta

What is the second subdomain discovered?

Ans. yellow

===============================================================

🔥 Final Thoughts

Subdomain enumeration is a cornerstone of ethical hacking reconnaissance. Run the passive OSINT sources first, then confirm and extend their results with DNS brute force and virtual host fuzzing: combining the three gives a far more complete map of a target's digital footprint than any one of them alone.

✍️ Author

Written by : Bhanvara Ram Choudhary

TryHackme : https://tryhackme.com/p/bhanvararam

linkedin: https://www.linkedin.com/in/bhanvara-ram-choudhary-862610299/

For educational and authorized penetration testing use only.

πŸ•΅οΈβ€β™‚οΈ Subdomain Enumeration β€” A Complete Beginner's Guide

===============================================================