Here is my cheat sheet of subdomain enumeration methods, collected on the Internet.

• Subdomain gathering. Passive recon
  • Subdomain bruteforcing
  • Reverse DNS sweeping
  • Subdomain name alterations
  • Certificate search
  • External sources
  • Domain validation
  • Horizontal domain correlation
• Next steps. Active recon
  • Gathering additional domains from web resources
  • Gathering additional domains from non web resources

The key part of any successful bruteforcing is creating good wordlist:

• Good wordlist for start: here
• Creating wordlist with google BigQuery: commonspeak2. Request example

• Good Cheat Sheet about tools
• Amass tool is the best choice for domains enumeration

Whichever tool you choose, it is important to configure it correctly. Every network area (the network from which you will start bruteforce) have the fastest DNS resolvers and here is tool to find them Also you need a list of public DNS servers
Warning: it could be illegal in some countries

Start with main domain here: BGP Toolkit and check every AS with reverse-dns-sweep tool

It could be usefull for big organizations, in common case you will find all mail servers.

Altdns - Python tool that could generate a lot of mutation of input domains list

Altdns also have dns resolver but it's very slow, so it will be better to generate list with altdns and resolve it with another tool (with massdns)

Amass has mutation module

An SSL/TLS certificate usually contains domain names, sub-domain names and email addresses. The simplest way to collect data from certificates is to connect to crt.sh through web (could be unstable), example

It's possible to connect to postgres database (example). In some cases it could be more stable and faster

Exists a lot of online sources with APIs that collect subdomains, and so many tools use them. Subfinder one of the best

Interesting APIs:

• Amass can now use GitHub as a data source
• Web Archives. (Python script) for connect

assets-from-spf

nsec3map

dnsrecon

dnsrecon

One of the helpful ways is to use BGP Toolkit by this way:

1. Enter the main domain of the company.
2. Go to the "IP Info" tab and copy the company name.
3. Find all AS of company (also you can play with companies name).
4. Try to find new domains in http://ipv4info.com/ or use Amass with AS number.

After subdomains collected it could be helpful to check it's validity. Bash script
Python tool for this: dnsvalidator

• Scan current domains and IPs for web resourses. Bash script
• Create web urls from nmap XML file: nmap-parse-output
• Extract new domains from HTML: second-order
• Extract domain names from Content Security Policy(CSP) headers
• VHost discovery: vhost-brute

• Zone transfers: host -t axfr domain.name dns-server
• Collect TXT-record for tokens and other things: Article
• extract new URLs from APK: Diggy
• ⏳ BGP
• ⏳ SNMP

• Monitorizer
• Keye