How to Find Subdomains Using Various Tools and Methods

4 months ago 30

J0k3R


Hello! This is my first blog on Medium, and I’m excited to share insights on finding subdomains using various tools and resources.

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.

nmap --script dns-brute <DOMAIN>

dnsmap scans a domain for common subdomains using a built-in or an external wordlist.

dnsmap <DOMAIN>

To use a custom wordlist:

dnsmap <DOMAIN> -w <WORDLIST>

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.

fierce --domain <DOMAIN>

Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

sublist3r -d <DOMAIN>

subfinder is a subdomain discovery tool that returns valid subdomains for websites, using passive online sources.

subfinder -d <DOMAIN>

Amass contains a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

amass enum -d <DOMAIN>

assetfinder is a command-line tool designed to find domains and subdomains associated with a specific domain.

assetfinder --subs-only <DOMAIN>

When you want to use a custom wordlist, visit Assetnote Wordlists, which includes a variety of wordlists.

Next, you can use the FFuF tool to find subdomains with your chosen wordlist. Here’s a simple guide to get you started:

Download a Wordlist: Go to the Assetnote Wordlists website and select a wordlist that fits your needs.

Install FFuF: If you haven’t already, install FFuF by following the instructions on their GitHub page.

Run FFuF with the Custom Wordlist

Here are some additional resources for finding subdomains:

https://pentest-tools.com/information-gathering/find-subdomains-of-domain
https://subdomainfinder.c99.nl/
https://searchdns.netcraft.com/
https://crt.sh/
https://securitytrails.com/
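Each tool and resource above returns its own overlapping list, so for an inventory of a domain you own or are authorized to assess the results need merging. The following is an added example, not part of the original article: it normalizes and deduplicates names from line-oriented tool output and from certificate records, dropping anything outside the root domain. It assumes one hostname per line from tools such as subfinder or assetfinder, and crt.sh-style JSON records whose `name_value` field holds newline-separated names; the function names and sample data are constructed for illustration.

```python
import json

def normalize(name, root):
    """Return a cleaned hostname if it is `root` or a subdomain of it, else None."""
    host = name.strip().lower().rstrip(".")       # case and trailing-dot variants
    if host.startswith("*."):                     # wildcard certificate entry
        host = host[2:]
    if not host or " " in host or "@" in host:    # blank lines, e-mail SANs
        return None
    if host == root or host.endswith("." + root): # "." stops notexample.com matching
        return host
    return None

def from_tool_output(text, root):
    """Parse output that lists one hostname per line (assumed format)."""
    return {h for h in (normalize(line, root) for line in text.splitlines()) if h}

def from_crtsh_json(text, root):
    """Parse a JSON array of certificate records with a `name_value` field."""
    found = set()
    for record in json.loads(text):
        for name in record.get("name_value", "").split("\n"):
            host = normalize(name, root)
            if host:
                found.add(host)
    return found

def merge(*sources):
    """Union any number of hostname sets into one sorted list."""
    return sorted(set().union(*sources))

# Constructed sample inputs (not real scan results).
TOOL_OUT = "www.example.com\nAPI.example.com.\nmail.example.com\nnotexample.com\n"
CRTSH_SAMPLE = json.dumps([
    {"name_value": "*.example.com\nwww.example.com"},
    {"name_value": "dev.example.com\nadmin@example.com"},
    {"name_value": "shop.example.org"},
])

if __name__ == "__main__":
    root = "example.com"
    for host in merge(from_tool_output(TOOL_OUT, root), from_crtsh_json(CRTSH_SAMPLE, root)):
        print(host)
```

The suffix check is what keeps look-alike names and certificates issued for unrelated domains out of the merged inventory.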