Reconnaissance & Target Discovery

Subdomain Enumeration

Subdomain enumeration maps the target's attack surface: each subdomain is a potential entry point. In 2026, combining tools yields the best coverage, because no single source sees every record.

The Recon Pipeline

Passive Sources → Active Brute-force → DNS Resolution → HTTP Probing
     ↓                   ↓                    ↓              ↓
 subfinder            amass              dnsx           httpx

Subfinder: Fast Passive Enumeration

Subfinder queries multiple passive sources quickly:

# Basic usage
subfinder -d example.com -o subs.txt

# All sources (slower but thorough)
subfinder -d example.com -all -o subs-all.txt

# Multiple domains
subfinder -dL domains.txt -o all-subs.txt

# Silent mode (output only)
subfinder -d example.com -silent

Sources: Certificate logs, DNS aggregators, search engines, threat intelligence feeds.

Amass: Comprehensive Discovery

Amass provides deeper enumeration with active capabilities:

# Passive mode (recommended first)
amass enum -passive -d example.com -o amass-passive.txt

# Active mode with brute-forcing
amass enum -active -d example.com -brute -o amass-active.txt

# With specific wordlist
amass enum -active -d example.com -brute -w ~/wordlists/subdomains.txt

# Track changes over time
amass track -d example.com

Pro tip: Amass's intel command finds related domains:

amass intel -whois -d example.com

DNS Brute-forcing

Generate permutations to find unlisted subdomains:

# Using dnsx for resolution
cat subdomains.txt | dnsx -silent -a -resp -o resolved.txt

# Using puredns for brute-force + resolution
puredns bruteforce ~/wordlists/best-dns-wordlist.txt example.com -r resolvers.txt -w brute-results.txt

# Permutation with alterx
echo "example.com" | alterx -enrich | dnsx -silent

Combining Results

Merge and deduplicate:

# Combine all sources
cat subfinder.txt amass.txt brute.txt | sort -u > all-subdomains.txt

# Count results
wc -l all-subdomains.txt

DNS Resolution & Validation

Not all discovered subdomains are live:

# Resolve with dnsx
cat all-subdomains.txt | dnsx -silent -a -aaaa -cname -resp -o dns-resolved.txt

# Flag CNAMEs that point at third-party services (candidates for dangling records;
# each match still needs to be checked for whether the target resource exists)
cat dns-resolved.txt | grep -E "(cloudfront|s3|github|heroku|azure)"

Subdomain Takeover Indicators

Service        CNAME Pattern        Vulnerable If
AWS S3         .s3.amazonaws.com    Bucket doesn't exist
GitHub Pages   .github.io           Repo not configured
Heroku         .herokuapp.com       App deleted
Azure          .cloudapp.net        Resource removed
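The grep above only surfaces candidate CNAMEs; what decides whether a record is actually dangling is whether the target behind it still exists. The following is an added example, not code from this lesson: a Python script that parses dnsx-style `host [TYPE] [value]` lines (the sample lines are constructed), deduplicates them, matches CNAMEs against the provider suffixes from the table above, and keeps only those whose target is gone. The existence check is injected as a callable, so it runs offline here against a constructed set and can be swapped for a real resolver lookup when auditing your own zone.

```python
import re
# Constructed sample output in the shape dnsx prints with "-a -cname -resp"
# (host [TYPE] [value]); the hosts and addresses are invented.
SAMPLE_RESOLVED = """\
www.example.com [A] [203.0.113.10]
assets.example.com [CNAME] [assets-bucket.s3.amazonaws.com]
docs.example.com [CNAME] [example-org.github.io]
app.example.com [CNAME] [old-app.herokuapp.com]
api.example.com [A] [203.0.113.20]
vm.example.com [CNAME] [legacy-vm.cloudapp.net]
www.example.com [A] [203.0.113.10]
"""
# CNAME suffixes for the providers in the takeover-indicator table above.
TAKEOVER_PRONE = {
    ".s3.amazonaws.com": "AWS S3",
    ".github.io": "GitHub Pages",
    ".herokuapp.com": "Heroku",
    ".cloudapp.net": "Azure",
}
LINE_RE = re.compile(r"^(\S+)\s+\[(\w+)\]\s+\[([^\]]+)\]$")

def parse_records(text):
    """Parse dnsx-style lines into unique (host, rtype, value) tuples, order kept."""
    seen, records = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip instead of crashing
        rec = (m.group(1).lower(), m.group(2).upper(), m.group(3).lower().rstrip("."))
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records

def third_party_cnames(records):
    """Map host -> (provider, target) for CNAMEs pointing at takeover-prone services."""
    hits = {}
    for host, rtype, value in records:
        if rtype == "CNAME":
            for suffix, provider in TAKEOVER_PRONE.items():
                if value.endswith(suffix):
                    hits[host] = (provider, value)
    return hits

def dangling(hits, target_exists):
    """Keep hits whose CNAME target is gone. target_exists(name) -> bool is injected:
    a live run would resolve the name; a constructed set stands in for it here."""
    return {host: v for host, v in hits.items() if not target_exists(v[1])}
```

A typical call is `dangling(third_party_cnames(parse_records(text)), live_targets.__contains__)`, where `live_targets` is the set of CNAME targets that still resolve.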

HTTP Probing

Identify live web servers:

# Using httpx
cat all-subdomains.txt | httpx -silent -status-code -title -tech-detect -o live-hosts.txt

# With screenshots
cat all-subdomains.txt | httpx -silent -screenshot -o live-with-screens/

# Filter by status code
cat live-hosts.txt | grep "\[200\]"

Complete Recon Script

#!/bin/bash
# recon.sh - Automated subdomain enumeration
set -euo pipefail

if [ $# -ne 1 ]; then
    echo "Usage: $0 <domain>" >&2
    exit 1
fi

DOMAIN="$1"
OUTPUT_DIR="./recon/$DOMAIN"
mkdir -p "$OUTPUT_DIR"

echo "[*] Running subfinder..."
subfinder -d "$DOMAIN" -silent > "$OUTPUT_DIR/subfinder.txt"

echo "[*] Running amass passive..."
amass enum -passive -d "$DOMAIN" -o "$OUTPUT_DIR/amass.txt" 2>/dev/null

echo "[*] Combining results..."
# Merge only the enumeration outputs; a *.txt glob would also pull in
# resolved.txt and live.txt left behind by a previous run.
cat "$OUTPUT_DIR/subfinder.txt" "$OUTPUT_DIR/amass.txt" | sort -u > "$OUTPUT_DIR/all-subs.txt"

echo "[*] Resolving DNS..."
cat "$OUTPUT_DIR/all-subs.txt" | dnsx -silent > "$OUTPUT_DIR/resolved.txt"

echo "[*] Probing HTTP..."
cat "$OUTPUT_DIR/resolved.txt" | httpx -silent -status-code -title > "$OUTPUT_DIR/live.txt"

echo "[+] Found $(wc -l < "$OUTPUT_DIR/live.txt") live hosts"

Real-World Success

A bug bounty hunter found:

  • subfinder: 234 subdomains
  • amass: 312 subdomains
  • Combined unique: 389 subdomains
  • Live HTTP: 156 hosts
  • One forgotten staging server led to a $5,000 RCE

Key Insight: Use multiple tools. No single tool finds everything. The overlap shows confidence; the unique findings are your advantage.

Next, we'll fingerprint technologies and discover hidden content.
