Subdomain Enumeration Tools – 2019 Update

Initially, the penetration tester needs to acquire or gather all the possible relevant information about the main domain that a particular organization uses. When information gathering is complete, the tester can look into the subdomains that the organization uses. There could be a possibility that all the subdomain names that exist under the main domain are not being used. The penetration tester should attempt to guess the subdomain names relevant to the organization.

A company named, for example, could have the following easily guessed subdomains:


Most Webmasters put all their efforts in securing their main domain, often ignoring their subdomains. What if an attacker manages to hack into a subdomain and uses it to compromise the main domain?

Depending upon the scope of the pentest, you might also need to test sub-domains for vulnerabilities.

A very common way of searching for sub-domains is by using a simple Google dork. Even though you won’t be able to find all the sub-domains with this method, you can find some important ones.

site: -inurl:www

This query is telling the search engine to return results without www, which are normally sub-domains.

A Gitbook is also available which is released by Appsecco on the same topic where they’ve covered all the topics in-depth for enumerating the sub domains.

One of the major role of penetration testing is reconnaissance. The more you gather information,the more you win.

Below is the list of some open source tools/scripts & online scanners through which you can easily enumerate all sub-domains against any target.

[#] Opensource Tools/Scripts

S.No. Tool Name Download Link Author Name
1 AltDNS Github Download Shubham Shah
2 Amass Github Download Jeff Foley
3 Anubis Github Download JonLuca DeCaro
4 Aquatone Github Download Michael Henriksen
5 Bluto Github Download Darryl Lane
6 Censys subdomain finder Github Download Christophe Tafani-Dereeper
7 Cleveridge Subdomain Scanner Github Download Erwin De Laat
8 CT Exposer Github Download Christopher B.
9 Dnscan Github Download Dionach
10 Dnsenum Github Download Filip Waeytens
11 Dnsrecon Github Download Carlos Perez
12 Domain Analyzer Github Download Sebastian Garcia
13 DomainRecon Github Download Sanjay
14 Domain Scanner Github Download Robert Hansen
15 Fierce Github Download Mike Schwager
16 Gobuster Github Download OJ Reeves
17 Knock Subdomain Scan Github Download Gianni Amato
18 MassDNS Github Download B. Blechschmidt
19 SubBrute Github Download TheRook
20 SubFinder Github Download Michael Skelton
21 Sublist3r Github Download Ahmed Aboul-Ela
22 Subquest Github Download Nafeez
23 SubScraper Github Download Mike
24 XRAY Github Download Simone
25 DNS Brute Nmap Script Cirrus
26 DMitry Github Download J Greig
27 Assets-from-spf Github Download Bharath
28 Bi-directional Link Extractor Github Download SensePost
29 Art of subdomain enumeration Github Download Appsecco
30 CTFR Github Download Sheila A. Berta
31 Domains from CSP Github Download Bharath
32 Dnssearch Github Download Simone
33 Domained Github Download Caleb
34 nsec3map – DNSSEC Zone Enumerator Github Download
35 Second Order Github Download Mohammed Diaa
36 theHarvester Github Download Christian Martorella
37 Vhost Brute Github Download Gwendal Le Coguic
38 Virtual host scanner Github Download Jobert Abma
38 Subdomain Bruteforce Github Download Justin
39 Findomain Github Download Eduard Tolosa

[#] Online Sub-domain Scanners

S.No. Name Website Link Author Name
1 Certificate Search
2 DNS Dumpster
3 Certificate Transparency Search Tool
4 Find subdomains online
5 Robtex
6 Security Trails
7 VirusTotal
8 Cert DB
9 Certificate Transparency Monitoring
10 Certificate transparency
You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts

This Post Has One Comment

  1. In my case Sublist3r is the best, I have used it before I event built it online here at

Comments are closed.