Post cover image

June 11, 2026

Subdomain Enumeration β€” Finding the Hidden Doors

What’s up everyone! Nitin here πŸ‘‹

Nitin yadav

1 min read

Okay so last time I said recon wins. Now let me show you the very first move of recon β€” finding subdomains. This is where most of my bugs actually started.

Wait, What's A Subdomain?

Super simple. If the main site is target.com, then a subdomain is anything in front of it:

  • mail.target.com
  • dev.target.com
  • api.target.com
  • shop.target.com

Each one is basically a separate door into the company. And here's the thing β€” companies have HUNDREDS of these. They forget about half of them. The forgotten ones? That's where the gold is. πŸ’°

Why Subdomains Are A Goldmine

Think about it. The main website target.com gets tested by everyone. It's locked down tight. But old-promo-2019.target.com? Some intern set that up years ago and nobody's touched it since. No patches. No monitoring. Just sitting there, vulnerable.

That's why we enumerate β€” we want the WHOLE list, especially the stuff they forgot.

The Tools I Use (All Free)

Here's my go-to lineup:

  • Subfinder β€” my #1, pulls subdomains from tons of sources fast
  • Amass β€” thorough, deeper digging
  • Assetfinder β€” quick and simple
  • Findomain β€” another fast one I like to cross-check with

I run a couple of these, combine the results, sort out duplicates, and boom β€” a master list.

None

After You Have The List

A list of subdomains alone is useless. Next steps:

  1. Check which are alive β€” run them through httpx. Dead ones don't matter.
  2. Bruteforce more β€” sometimes I throw a wordlist at it with tools like shuffledns to find ones the passive sources missed.
  3. Screenshot the live ones β€” so I can quickly spot the weird, interesting, or clearly-old-looking pages.
  4. Look for takeovers β€” a dead subdomain pointing to an unclaimed service = subdomain takeover (whole post on that later).

My Honest Tip

Don't just look at the list and move on. ACTUALLY OPEN the weird ones. The ones with strange names. The ones that look half-broken. That broken-looking page is often a half-finished feature that someone forgot to secure.

I once found a critical just because a subdomain named internal-tools was somehow public. Nobody else opened it because it looked boring. Boring is good. Boring means forgotten. Forgotten means vulnerable. πŸ˜‰

Next post: our first real bug β€” IDOR. The easiest critical you'll ever find. You're gonna love it.

Stay curious! 🌐