Table of Contents Brief Introduction of Subdomain Enumeration Goals Ethical Considerations Demonstration Search Engine Dorking Certificate Transparency Lookup Passive Aggregation with Sublist3r Virtual Host Discovery with ffuf Active DNS Brute Force with Gobuster Key Findings Summary Brief Introduction of Subdomain Enumeration Subdomain enumeration is the process of finding all subdomains that belong to a target domain. Each subdomain is a potential entry point, making this a key step in external reconnaissance. In this write-up, we walk through the subdomain enumeration techniques tested in a hands-on lab, so you can see the tools, commands, and results along the way. There are two main approaches: Passive enumeration : Uses public data sources like search engines, certificate transparency logs, and third-party APIs. This method does not send direct requests to the target, so it has low risk of detection. Active enumeration : Sends direct requests to DNS servers or web servers using wordlists.…