Security Cipher

  1. Home
  2. Docs
  3. Security Resources
  4. Penetration Testing Trick...
  5. Subdomain Enumeration Tools

Subdomain Enumeration Tools

Below is a compilation of subdomain enumeration tools that can be used to discover subdomains associated with a specific domain. The identification of these subdomains can significantly expand the scope of your testing activities and enhance your testing effectiveness.

Table Format

Tools NameDescriptionURLCommand
subfinderFast passive subdomain enumeration tool. -d -all -silent
amassIn-depth attack surface mapping and asset discovery enum -passive -d
Sublist3rFast subdomains enumeration tool for penetration testers -d
chaosGo client to communicate with Chaos DB API. -d -silent
assetfinderFind domains and subdomains related to a given domain –subs-only
gauFetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl. –subs | unfurl -u domains
github-subdomainsFind subdomains on GitHub. -d 
findomainThe fastest and complete solution for domain recognition. Supports screenshoting, port scan, HTTP check, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API Keys for sources and much more. -t --external-subdomains
OneForAllOneForAll is a powerful subdomain integration tool --target run
purednsPuredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries. bruteforce wordlist.txt
gobusterDirectory/File, DNS and VHost busting tool written in Go dns -d -w wordlist.txt
shufflednsMassDNS wrapper written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support. -d -w wordlist.txt -r resolvers.txt



Subdomain Enumeration Tools
Subdomain Enumeration Tools


This Post Has One Comment

  1. MR. Z

    Hey guys this also subdomain enumeration tool which is developed by with inbuilt concurrency and good results than others and have modes like osint , passive, notification abilities to do enumerations for single or file of domains and it uses only free api services and guve better results visit here:

Leave a Reply