Subdomain Enumeration Techniques

I'm Subhadeep Pramanik , this is my first post on Medium . I'm gonna share some techniques and tools to find more subdomains than others.

Subhadeep Pramanik

~2 min read · September 19, 2025 (Updated: September 19, 2025) · Free: Yes

put all you wildcard domains inside a file if needed , in my case it's wd.txt . in my case i own notsecure.in that's why I'm using this as target .

1. ASSETFINDER >>
[ Installation ]
[ https://github.com/tomnomnom/assetfinder ]
$ go install github.com/tomnomnom/assetfinder@latest

$ asstefinder --subs-only notsecure.in
$ cat wd.txt | assetfinder --subs-only | tee assetfinder.txt
2. SUBFINDER >>
[ Installation ]
[ https://github.com/projectdiscovery/subfinder ]
$ go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

$ subfinder -dL wd.txt
$ cat wd.txt | subfinder | tee -a subfinder.txt
3. KNOCKPY >>
[ Installation ]
[ https://github.com/guelfoweb/knock ]
$ pip install knock-subdomains

$ knockpy notsecure.in --no-local | tee -a knockpy.txt
4. AMASS >>
[ Installation ]
[ https://github.com/owasp-amass/amass ]

$ amass enum -d notsecure.in
$ amass enum -d --passive notsecure.in -o amass.txt
$ amass intel -active -cidr 8.8.8.8/8
$ amass intel -org "Not Secure"
$ amass intel -d notsecure.in -whois

5. FINDOMAIN >>
[ Installation ]
[ https://github.com/Findomain/Findomain ]

$ ./findomain -t
$ ./findomain -t notsecure.in
6. CRTSH >>
[ Installation ]
[ https://github.com/az7rb/crt.sh ]

$ ./crt.sh -d
$ ./crt.sh -d notsecure.in
$ curl -s https://crt.sh/?q=%.notsecure.in&output=json
7. SubEnum >>
[ Installation ]
[ https://github.com/bing0o/SubEnum ]

$ ./subenum -d notsecure.in
$ ./subenum -l wd.txt -r

8. Subdominator >>
[ Installation ]
[ https://github.com/RevoltSecurities/Subdominator ]
$ pipx install subdominator

$ subdominator -d notsecure.in -o subdomain.txt
$ cat wd.txt | subdominator | tee -a subdominator.txt
9. Chaos  >>
[ Installation ]
[ https://github.com/projectdiscovery/chaos-client ]
$ go install -v github.com/projectdiscovery/chaos-client/cmd/chaos@latest

$ chaos -silent -d notsecure.in
10. github-subdomains >>
[ Installation ]
[ https://github.com/gwen001/github-subdomains ]
$ go install github.com/gwen001/github-subdomains@latest

$ github-subdomains -d notsecure.in
11. Shosubgo  >>
[ Installation ]
[ https://github.com/incogbyte/shosubgo ]
$ go install github.com/incogbyte/shosubgo@latest

$ shosubgo_linux -d notsecure.in -s YourAPIKEY
$ shosubgo_linux -f file -s YourAPIKEY
12. BBOT >>
[ Installation ]
[ https://github.com/incogbyte/shosubgo ]
$ pipx install bbot

# find subdomains of notsecure.in
$ bbot -t notsecure.in -p subdomain-enum

# passive sources only
$ bbot -t notsecure.in -p subdomain-enum -rf passive
13. SubIntel AI
>> https://subintel.tushal.io/

# put your target in input field
14. ShodanX >>
[ Installation ]
[ https://github.com/RevoltSecurities/ShodanX ]

$ shodanx subdomain -d notsecure.in

Thank You . let's connect on linkedin — https://www.linkedin.com/in/adrianalvird .

#cybersecurity #bug-bounty #bug-bounty-tips #bugbounty-writeup #bugcrowd

Subdomain Enumeration Techniques

I'm Subhadeep Pramanik , this is my first post on Medium . I'm gonna share some techniques and tools to find more subdomains than others.

Reporting a Problem