When doing bug bounties or various types of assessment, you may need to find subdomains to understand the organisations internet footprint. To do this, start with their top level domain name, like google.com and then using the tools below you can find related subdomains.

Sublist3r

python3 sublist3r.py -v -b -o /<output_file> -d <URL>

The -v flag makes the output more verbose and shows results in real time

The -b flag enables brute force mode to search for more subdomains

The -o flag allows you to choose an output file and location

The -d flag is where you input the initial top level domain name

Amass

amass enum -d <URL> -p 80,443,8080,8443 -active

The enum option tells amass to perform enumerations and network mapping

The -d flag is where you input the initial top level domain name

The -p flag checks if the given ports are open (80, 443, 8080 and 8443 are common web ports)

The -active flag forces DNS zone transfers and certificate name grabs for better enumeration