How to enumerate subdomains

During a pentest on a web server it is often useful to enumerate the victim’s domain for subdomains, so that the whole attack surface gets tested and nothing is left out.

To do this you can use the following main methods:

Dns zone transfer

This method takes advantage of the “DNS zone transfer”, which in simple terms is the exchange of all the records of a zone between the DNS servers responsible for it (the primary server sends its copy of the zone to the secondaries). This exchange happens whenever the records in the zone database change. If the server accepts transfer requests from anyone instead of only from its secondaries, anyone can ask for the full zone.

It is therefore easy to understand that for an attacker the “DNS zone transfer” is an excellent weapon to obtain invaluable information from the victim.

The command I use in these cases is “dig”. Let’s see its basic functions:

dig NS

This command lists the authoritative name servers for the target domain. The result will be:

;; ANSWER SECTION:               3600    IN      NS      (nameserver).

The “nameserver” returned here is what we need for the next step of the enumeration.

Now, to test the “DNS zone transfer”, we can use the following command:

dig @nameserver axfr

“axfr” is the query type we send to the “nameserver”: it asks for a full “DNS zone transfer”. If the server allows it, the result lists the subdomains with their IP addresses:

...		86400	IN	A	IP_ADDRESS
...		86400	IN	A	IP_ADDRESS
...		86400	IN	A	IP_ADDRESS

Another useful command to enumerate “DNS zone transfer” is “nslookup“:

nslookup -query=NS

to find the nameserver, and:

nslookup -query=axfr nameserver

to see if “DNS zone transfer” is allowed by that server.
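As an added illustration (not code from the original post), here is a small Python parser for the output that the “dig … axfr” command above prints. Besides listing the subdomains, it performs the two checks that someone auditing their own zone would want: whether the transfer actually completed (a full AXFR is bracketed by the zone’s SOA record, sent first and repeated last) and whether the zone leaks A records pointing into private RFC 1918 address space. The sample output, the domain example.com and the addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the format `dig @nameserver <zone> axfr` prints when the
# transfer is allowed. example.com and 192.0.2.0/24 are documentation-reserved.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 86400
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.
www.example.com.\t86400\tIN\tA\t192.0.2.10
mail.example.com.\t86400\tIN\tA\t192.0.2.25
dev.example.com.\t86400\tIN\tA\t192.0.2.50
intranet.example.com.\t86400\tIN\tA\t10.0.0.5
blog.example.com.\t86400\tIN\tCNAME\twww.example.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 86400
;; Query time: 12 msec
;; XFR size: 9 records (messages 1, bytes 300)
"""

# RFC 1918 ranges, listed explicitly rather than via ipaddress.is_private,
# which also counts documentation ranges such as 192.0.2.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One resource record per line: owner name, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


def parse_axfr(text):
    """Parse dig's AXFR output into an ordered list of (name, type, rdata).

    Lines starting with ';' are dig's own comments, not records. Owner names are
    lower-cased and the trailing dot is removed so they compare cleanly.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        records.append((name, m.group("type"), m.group("rdata")))
    return records


def transfer_completed(records):
    """True when the output is a complete zone: SOA first and SOA again last.

    A refused transfer produces no records at all ("; Transfer failed."), and a
    truncated one lacks the closing SOA.
    """
    return len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"


def subdomains(records, zone):
    """Sorted, de-duplicated owner names below the zone apex."""
    zone = zone.lower().rstrip(".")
    names = {n for n, _, _ in records if n != zone and n.endswith("." + zone)}
    return sorted(names)


def internal_addresses(records):
    """A records that point into RFC 1918 space: internal hosts exposed by the zone."""
    leaks = []
    for name, rtype, rdata in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        if any(addr in net for net in RFC1918):
            leaks.append((name, rdata))
    return leaks


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("transfer completed:", transfer_completed(recs))
    for host in subdomains(recs, "example.com"):
        print(host)
    print("internal addresses exposed:", internal_addresses(recs))
```

Run against the output of the real command (saved to a file and read into `parse_axfr`), a result of `transfer_completed(...) == False` with an empty record list is what a correctly restricted server gives; a complete transfer with entries from `internal_addresses` is the case worth fixing first, since it hands out internal host names and addresses to anyone who asks.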

Bruteforce subdomains

Another useful method to enumerate subdomains is to bruteforce them from a wordlist. I use the “wfuzz” command to do this:

wfuzz -w /WORDLIST_PATH/WORDLIST_FILE.TXT -u -H "" --hw 9

  • -w = wordlist file
  • -u = URL
  • -H “” = the header sent with each request, in which “FUZZ” marks the position where each entry of the wordlist is substituted
  • --hw 9 = hide responses whose body has 9 words (the server’s standard “not found” reply), so that the command does not show every attempt during execution but only those with a different, positive result
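From the defender’s side, this method leaves a distinctive footprint: one client sends many requests that differ only in the Host header, and most of them receive the server’s identical catch-all response (the ones wfuzz hides with --hw). The following is an added example, not code from the original post, of detection logic run over access-log lines. It assumes the header being fuzzed is Host (the usual way this method works) and assumes a log format that records the Host header the client sent, since the stock “combined” format does not; the log lines, names and addresses are constructed from documentation-reserved ranges.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: client IP, timestamp, request line, status,
# response bytes and, in the last field, the Host header the client sent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<host>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 198.51.100.7 browses normally; 203.0.113.9 sweeps
# Host values against the same IP in a couple of seconds.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "www.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "www.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 48 "admin.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 48 "api.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 48 "backup.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 48 "beta.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 1893 "dev.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET / HTTP/1.1" 200 48 "mail.example.com"
203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET / HTTP/1.1" 200 48 "test.example.com"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /about HTTP/1.1" 200 730 "www.example.com"
"""


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "status": int(m.group("status")),
            "bytes": int(m.group("bytes")),
            "host": m.group("host").lower(),
        })
    return events


def detect_vhost_fuzzing(events, window=timedelta(seconds=60), min_hosts=5):
    """Flag client IPs that request at least `min_hosts` distinct Host values
    inside any `window`-long span.

    For each flagged IP the report gives the number of distinct hosts, how many
    requests got the catch-all vhost's identical (status, size) reply, and the
    hosts whose reply differed, which are exactly the "hits" the fuzzer keeps.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        best = None
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best[0]):
                best = (len(hosts), span)
        if best is None:
            continue
        n_hosts, span = best
        replies = Counter((e["status"], e["bytes"]) for e in span)
        baseline, baseline_hits = replies.most_common(1)[0]
        outliers = sorted({e["host"] for e in span if (e["status"], e["bytes"]) != baseline})
        alerts[ip] = {"hosts": n_hosts, "baseline_hits": baseline_hits, "outliers": outliers}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_vhost_fuzzing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The threshold and window are starting points to tune per site: a CDN or a shared host legitimately serves many Host values, but it serves them from many client addresses, not from one address inside a few seconds. The `outliers` list is what matters in a real alert, because those are the names that resolved to something other than the default site and are therefore the ones an attacker will come back to.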

Google Dorks

Google search allows you to use filters which, if used well, can be very useful.

In order to enumerate any subdomains, the Google filter that can help us is “site:”.

Typing the “site:” filter followed by the domain in the Google search box will reveal all the subdomains of that domain that Google knows about:

Or also:


Other search engines also have their own filters that do the same thing.


In conclusion, here I have explained some of the main tools, but searching the web you will find countless others that do the same things.
