Enumerate subdomains for a target domain using passive and active reconnaissance techniques. Use when starting reconnaissance on a new target, when you need to discover the attack surface, when expanding scope from a root domain, or when the user provides a domain to investigate.
# Fast passive enumeration with subfinder
subfinder -d example.com -silent -o subdomains.txt
# Validate live subdomains with httpx
cat subdomains.txt | httpx -silent -o live_subdomains.txt
Basic enumeration:
subfinder -d example.com -o subfinder_results.txt
Silent mode for clean output:
subfinder -d example.com -silent -o subdomains.txt
Use all sources (comprehensive):
subfinder -d example.com -all -o subdomains_all.txt
JSON output:
subfinder -d example.com -silent -oJ -o subdomains.json
Multiple domains from file:
subfinder -dL domains.txt -o all_subdomains.txt
Recursive enumeration:
subfinder -d example.com -recursive -o recursive_subs.txt
Passive only:
amass enum -passive -d example.com -o amass_passive.txt
Active enumeration:
amass enum -active -d example.com -o amass_active.txt
With brute forcing:
amass enum -brute -d example.com -o amass_brute.txt
JSON output:
amass enum -d example.com -json amass_results.json
Basic probe:
cat subdomains.txt | httpx -silent -o live_hosts.txt
With status codes:
cat subdomains.txt | httpx -silent -sc -o live_with_status.txt
Full information:
cat subdomains.txt | httpx -silent -sc -title -td -o detailed_hosts.txt
JSON output:
cat subdomains.txt | httpx -silent -json -o httpx_results.json
With technology detection:
cat subdomains.txt | httpx -silent -td -json -o tech_results.json
Combine and deduplicate results from both tools:
cat subfinder_results.txt amass_passive.txt | sort -u > all_subdomains.txt
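A plain `sort -u` merge keeps `API.example.com`, `api.example.com.` and `api.example.com` as separate entries and passes through names that are not under the authorized root. The following is an added example, not part of the original page, of a merge step that normalizes names and filters to scope first; `merge_in_scope` is a hypothetical helper name and the sample lists in `demo` are constructed.

```shell
#!/usr/bin/env bash
# Added example: merge subdomain lists from several tools, normalize them,
# and keep only names under the authorized root domain.
# merge_in_scope is a hypothetical helper, not part of subfinder or amass.

merge_in_scope() {   # usage: merge_in_scope ROOT FILE...
    local root f
    root=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    # echo after each file so a missing final newline cannot join two names
    for f in "$@"; do cat -- "$f"; echo; done |
        tr -d '\r' |
        tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' -e 's/\.$//' |
        awk -v root="$root" '
            $0 !~ /^[a-z0-9._-]+$/ { next }      # hostname characters only
            $0 == root { print; next }           # the root itself
            # suffix match on a label boundary: ".root", not just "root"
            length($0) > length(root) + 1 &&
              substr($0, length($0) - length(root)) == "." root { print }
        ' |
        sort -u
}

demo() {
    # Constructed sample data standing in for real tool output.
    local dir
    dir=$(mktemp -d)
    printf 'api.example.com\nAPI.example.com\nwww.example.com.\n' \
        > "$dir/subfinder_results.txt"
    printf '*.dev.example.com\nnotexample.com\nexample.com.evil.test\nmail.example.com' \
        > "$dir/amass_passive.txt"
    merge_in_scope example.com "$dir/subfinder_results.txt" "$dir/amass_passive.txt"
    rm -rf "$dir"
}

demo
```

The filtered list can be piped to httpx in place of the raw merged file, so probing only touches hosts under the root domain that is in scope.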
Scenario: Fast subdomain discovery for a bug bounty target
subfinder -d hackerone.com -silent -o subs.txt
cat subs.txt | httpx -silent -sc -title
Output: