The Ultimate Subdomain Recon Playbook: From DNS Dust to Subdomain Empire
In the world of cybersecurity and bug bounty hunting, a single subdomain can be the key that unlocks a critical vulnerability. The difference between finding nothing and discovering a high-severity bug often lies in the thoroughness of your reconnaissance. This playbook is your ultimate guide, designed to transform you from a beginner into a master of subdomain enumeration.
We will move methodically from the safest, most passive techniques to advanced, automated workflows. By the end, you'll have a systematic approach to uncover every potential entry point for a target organization, ensuring you find every hidden gem—online, offline, and beyond. Let's turn DNS dust into a subdomain empire.
Phase 1: Passive Recon (Online Tools)
The goal here is to find subdomains without sending a single request to the target. This is pure OSINT (Open-Source Intelligence). These cloud-based, fast, and beginner-friendly tools gather information from publicly available sources like certificate transparency logs and search engines.
crt.sh: Search certificate transparency logs.
Command: Navigate to https://crt.sh/?q=%.example.com
DNSDumpster: Provides DNS records and host information.
Command: Navigate to https://dnsdumpster.com and enter example.com.
SecurityTrails, Shodan, Censys: Powerful databases for discovering exposed assets.
Pro Tips:
Cross-Reference: Don't rely on a single tool. Combine results from crt.sh, Censys, and Shodan to get maximum coverage.
Search Engine Dorking: Use advanced Google searches like site:*.example.com to find indexed subdomains.
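Raw crt.sh output is noisy: one certificate can list several names, wildcard entries start with `*.`, case and trailing dots vary, and a query for `%.example.com` can also match lookalike domains that merely contain the string. The following Python snippet is an added example (not code from crt.sh or from the original post) that normalises the JSON crt.sh returns when you append `&output=json` to the query URL into a clean, in-scope, deduplicated list. The sample JSON is constructed inline so it runs offline; the field names `name_value` and `common_name` are the ones crt.sh uses.

```python
"""Normalise crt.sh certificate-transparency output into a clean subdomain list.

Added example for this playbook; not part of crt.sh or any recon tool.
"""
import json
import re

# Constructed sample of what https://crt.sh/?q=%.example.com&output=json returns.
# Real entries carry more fields; only name_value and common_name matter here.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\nDEV.example.com"},
    {"common_name": "api.example.com", "name_value": "api.example.com"},
    {"common_name": "mail.example.com.", "name_value": "mail.example.com."},
    {"common_name": "www.example.com", "name_value": "www.example.com"},  # duplicate cert
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},  # lookalike, must be dropped
])

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise_name(raw: str, domain: str):
    """Return the canonical hostname if `raw` is under `domain`, else None."""
    name = raw.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard cert still proves the parent zone exists
    if name != domain and not name.endswith("." + domain):
        return None  # off-scope or lookalike domain such as example.com.evil.test
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None  # malformed label, not a real hostname
    return name


def parse_crtsh(json_text: str, domain: str):
    """Parse crt.sh JSON and return a sorted, deduplicated list of in-scope hosts."""
    found = set()
    for entry in json.loads(json_text):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in names:
            name = normalise_name(raw, domain)
            if name:
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The scope check (`name == domain or name.endswith("." + domain)`) is the important part: a plain substring match on `example.com` would silently pull out-of-scope hosts into your list, and everything downstream (probing, scanning) would then hit assets you are not authorised to test.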
Phase 2: Offline Recon (Command-Line Tools)
This phase uses powerful CLI tools run from your local machine for deep, offline analysis.
Subfinder: Passive subdomain enumeration from 50+ sources.
subfinder -d example.com -o subfinder.txt
Amass (🔴 King of Recon): Performs passive, active, and brute-force recon.
amass enum -passive -d example.com -o amass_passive.txt
Assetfinder: Finds domains using public datasets.
assetfinder --subs-only example.com > assetfinder.txt
puredns: Smart brute-forcing and wildcard filtering.
puredns bruteforce wordlist.txt example.com --resolvers resolvers.txt --write subdomains.txt
dnsx (ProjectDiscovery): Filters and validates DNS records from a list.
cat subs.txt | dnsx -a -cname -resp -silent > valid.txt
Pro Tips:
Virtual Host Brute-Forcing: Some subdomains don't have a public DNS record but are hosted on a server with an existing IP. Use ffuf to discover them by brute-forcing the Host header.
ffuf -w wordlist.txt -H "Host: FUZZ.example.com" -u http://<TARGET_IP>
Phase 3: Web Archives & JS Crawling = Secret Subs
This is where you find unique subdomains that are no longer actively in use but may still be vulnerable.
gau (GetAllURLs): Gathers URLs from web archives.
gau example.com | tee urls.txt
waybackurls: Another tool for retrieving URLs from the Wayback Machine.
waybackurls example.com > wayback.txt
linkfinder: Parses JS files and extracts endpoints.
python3 linkfinder.py -i https://example.com/app.js -o cli
hakrawler: Crawls a website to find subdomains.
echo "https://example.com" | hakrawler -subs -js -depth 3
Pro Tips:
DNS Record Analysis: Don't just look for A or CNAME records. Use dig to query for MX (mail), TXT (text), and SRV (service) records, as they can sometimes contain clues to other subdomains.
Phase 4: DNS Permutation Attacks
This is an advanced technique for uncovering domains that passive methods would never find.
dnsgen: Generates permutations from a list of subdomains.
dnsgen subs.txt > permutated.txt
altdns: Takes a list of subdomains and a wordlist to create mutations.
altdns -i subs.txt -o data_output -w words.txt -r -s results.txt
Pro Tips:
Targeted Mutations: Feed a list of known internal subdomains (e.g., dev.example.com) into dnsgen to create highly specific new subdomains like dev-staging.example.com.
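Permutation output is only useful once wildcard DNS is filtered out: a zone with a `*.example.com` record answers every made-up name, so thousands of dnsgen or altdns candidates would appear to "resolve" and flood your later probing with false positives. This is the problem puredns's wildcard filtering solves, and the Python below is an added example (not code from puredns, dnsgen or altdns) of the underlying check: resolve a few random labels under the zone, record the answer a wildcard hands out, and drop any candidate whose answer is identical. The zone data and `fake_resolver` are constructed so the script runs offline; `system_resolver` is the live alternative and uses the standard-library `socket.gethostbyname_ex`.

```python
"""Wildcard-DNS filter for permutation results (dnsgen/altdns output).

Added example for this playbook; not code from puredns, dnsgen or altdns.
"""
import secrets
import socket
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

# A resolver maps a hostname to its set of A-record IPs (empty set = NXDOMAIN).
Resolver = Callable[[str], FrozenSet[str]]


def system_resolver(host: str) -> FrozenSet[str]:
    """Live resolver via the OS stub resolver (not used by the offline demo below)."""
    try:
        return frozenset(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return frozenset()


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve random labels under `domain`.

    If every probe answers, the zone has a wildcard: return the union of IPs it
    hands out. If any random name is NXDOMAIN, there is no wildcard: return empty.
    """
    seen = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 hex chars nobody has registered
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return frozenset()
        seen.update(ips)
    return frozenset(seen)


def filter_wildcard(candidates: Iterable[str], domain: str,
                    resolve: Resolver) -> List[Tuple[str, List[str]]]:
    """Keep candidates that resolve to something other than the wildcard answer."""
    wildcard_ips = detect_wildcard(domain, resolve)
    kept = []
    for host in candidates:
        ips = resolve(host)
        if not ips:
            continue  # NXDOMAIN: the permutation does not exist
        if wildcard_ips and ips <= wildcard_ips:
            continue  # same answer as a random name: wildcard noise, not a real host
        kept.append((host, sorted(ips)))
    return kept


# Constructed zone for the offline run: two real hosts plus a catch-all wildcard.
# IPs are from the RFC 5737 documentation ranges.
FAKE_ZONE: Dict[str, FrozenSet[str]] = {
    "dev.example.com": frozenset({"198.51.100.5"}),
    "api.example.com": frozenset({"198.51.100.6", "198.51.100.7"}),
}
WILDCARD_IP = frozenset({"203.0.113.10"})


def fake_resolver(host: str) -> FrozenSet[str]:
    """Stub standing in for DNS: known hosts, then *.example.com, else NXDOMAIN."""
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    if host.endswith(".example.com"):
        return WILDCARD_IP
    return frozenset()


# Constructed permutation list, the kind dnsgen would emit from dev/api seeds.
PERMUTATIONS = ["dev.example.com", "dev-staging.example.com", "api.example.com",
                "api-old.example.com", "dev.other.test"]

if __name__ == "__main__":
    for host, ips in filter_wildcard(PERMUTATIONS, "example.com", fake_resolver):
        print(host, ",".join(ips))
```

Two caveats when you wire this to a live resolver: wildcards are per zone, so detect them for each parent you permute under (`dev.example.com` may have one while `example.com` does not), and some wildcards rotate between several IPs, which is why the probe union is compared with a subset test rather than equality.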
Phase 5: Automation Stack Combo
This is the final, most efficient step. Don't run tools manually—create a pipeline.
Chaos: ProjectDiscovery's maintained dataset of known subdomains.
chaos -d example.com -o chaos.txt
httpx (ProjectDiscovery): Filters, probes, and gathers initial information.
cat subs.txt | httpx -silent -status-code -title -tech-detect > live_subs.txt
OneForAll: All-in-one passive and active subdomain recon tool.
python3 oneforall.py --target example.com run
ReconFTW: A fully automated recon pipeline using Amass, Subfinder, dnsx, gau, and more.
# ReconFTW is a bash script; run it from its checkout directory in recon mode (-r)
./reconftw.sh -d example.com -r
Pro Tips:
Build Your Own Pipeline: Learn to chain commands using | (pipes) to create a custom, automated workflow.
subfinder -d example.com | sort -u | httpx -silent -o final_subs.txt
Filtering is Key: After gathering your subdomains, use httpx to filter out dead or non-responsive ones. This is crucial for reducing false positives and saving time on future scans.
Conclusion: Your Post-Recon Workflow
Reconnaissance is a marathon, not a sprint. Follow this final checklist to ensure you've done everything to "recon like a pro."
✅ Use Passive + Active + Brute-force: Never rely on just one method.
✅ Combine Online Tools + CLI + Archives: A multi-layered approach guarantees maximum coverage.
✅ Validate with DNS Resolvers: Confirm your subdomains with tools like dnsx.
✅ Filter and Validate: Use httpx to remove dead domains and gather initial information.
After you have your final, clean list of subdomains, the real work begins. Here's a brief post-recon workflow:
Subdomain Takeover: Check for vulnerable subdomain takeovers with subjack and nuclei.
nuclei -l final_subs.txt -t cves/subdomain-takeover
Port Scanning: Discover open ports and services on your live subdomains using a fast scanner like naabu.
cat final_subs.txt | naabu -o ports.txt
Vulnerability Scanning: Use nuclei with its comprehensive template library to perform a rapid scan for common vulnerabilities.
nuclei -l final_subs.txt -t cves/ -c 25 -o vulns.txt
By systematically executing this playbook, you will consistently find more subdomains than your peers, giving you a significant advantage in any bug bounty program or security assessment. Happy hunting!