These will find your droids.

sublist3r
https://github.com/aboul3la/Sublist3r

amass
https://github.com/caffix/amass

subfinder
https://github.com/subfinder/subfinder
Ah, the classical network pentester's problem. There's really no one good way to go about this.

Certificate transparency tools like CTFR (https://github.com/UnaPibaGeek/ctfr) work only if certs are registered.

You could go old school and use a tool like Sublist3r (https://github.com/aboul3la/Sublist3r) or Punter (https://github.com/nethunteros/punter), but ymmv as API endpoints are savvy to these tools and actively work to snub them out.

AXFR queries can be useful if the DNS server allows for it (my experience: 0-15).

Best of luck.
If the domain uses DNSSEC, you can do an offline brute force:

https://security.stackexchange.com/questions/94503/does-dnssec-still-have-the-enumerate-all-names-in-zone-problem

https://nmap.org/nsedoc/scripts/dns-nsec3-enum.html

There are tools for online brute force, but that's not very polite :)
Ask the name server: do an AXFR query, as in host -l foo.com.

These days many domains are configured to refuse AXFR queries though. Then there's a misguided but common phenomenon called split-horizon DNS, where you serve different records as answers to the same query based on what the query originator's address is.
Check Google, Bing, VirusTotal, parse HTTPS certificates including the metadata (Censys.io is great for specific queries), subdomain bruteforce with a good wordlist, download source code found on GitHub and regex search for HTTP URLs, then parse them.

Now don't do it by hand; people have already built tools. I recommend sublist3r https://github.com/aboul3la/Sublist3r, however, grab other subdomain bruteforcer wordlists and append them all together.

Go to https://opendata.rapid7.com/, download the reverse DNS and forward DNS and grep for your domain, i.e. grep "*.mydomain.com". These are amazing.

I will make a note: sometimes if you are looking for servers related to a company specifically, people miss ones that aren't in a company's zone file. You need to use a service like Shodan or Censys which regularly scan the internet and index these. It can be a pain to parse through these results, but if you are strapped for ideas on getting a foothold try this. I have found some juicy servers with this in mind.

If you are on a pentest it is completely OK to ask your client for permission to view their zone file/Route 53 as well. This will save you a lot of time up front.
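The "download the forward DNS data and grep for your domain" step above, as an added example (not code from the thread or from Rapid7): it filters newline-delimited JSON records in the shape Rapid7's FDNS dumps use (assumed fields `name`, `type`, `value`) for hosts that actually sit inside a given zone, matching on a label boundary so that a plain substring grep's false positives such as `notmydomain.com` are excluded, and also picking up hosts that only appear as CNAME targets. The sample records are constructed for the example.

```python
import json
from typing import Iterable, Set

# Constructed sample records in the newline-delimited JSON shape of the
# Rapid7 Open Data forward-DNS dumps (real files are gzipped and far larger).
SAMPLE_FDNS = """\
{"timestamp":"1710000000","name":"www.mydomain.com","type":"a","value":"203.0.113.10"}
{"timestamp":"1710000000","name":"mail.mydomain.com","type":"a","value":"203.0.113.25"}
{"timestamp":"1710000000","name":"mydomain.com","type":"a","value":"203.0.113.1"}
{"timestamp":"1710000000","name":"notmydomain.com","type":"a","value":"198.51.100.7"}
{"timestamp":"1710000000","name":"cdn.example.net","type":"cname","value":"assets.mydomain.com"}
{"timestamp":"1710000000","name":"old.mydomain.com.example.org","type":"a","value":"198.51.100.9"}
this line is not json
"""


def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex itself or a label under it (label-boundary aware)."""
    name = name.rstrip(".").lower()
    apex = apex.rstrip(".").lower()
    return name == apex or name.endswith("." + apex)


def find_subdomains(lines: Iterable[str], apex: str) -> Set[str]:
    """Collect every hostname inside `apex` seen as a record owner or CNAME target."""
    found: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting a multi-GB pass
        owner = rec.get("name", "")
        if isinstance(owner, str) and in_zone(owner, apex):
            found.add(owner.rstrip(".").lower())
        # A CNAME elsewhere can point at a host in the zone that never appears as an owner.
        if str(rec.get("type", "")).lower() == "cname":
            target = rec.get("value", "")
            if isinstance(target, str) and in_zone(target, apex):
                found.add(target.rstrip(".").lower())
    return found


if __name__ == "__main__":
    for host in sorted(find_subdomains(SAMPLE_FDNS.splitlines(), "mydomain.com")):
        print(host)
```

On a real dump, stream the decompressed file line by line instead of loading it into memory, and diff the result against the zone file the client hands you to spot records nobody remembered.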
This guy:

https://medium.com/@jonathanbouman/how-i-hacked-apple-com-unrestricted-file-upload-bcda047e27e3

Used a tool called Aquatone:

https://github.com/michenriksen/aquatone/

I have not used Aquatone; I just remembered this from a post on HN pretty recently.
You might search for subdomains using CT if they have certificates registered for them explicitly: https://transparencyreport.google.com/https/certificates
I suggest you take a look at this: http://10degres.net/subdomain-enumeration/ :-)
This tool could help you: https://github.com/caffix/amass
Try fierce.pl - there may be newer ways, but this has always yielded decent results for me when pentesting. You generally have to do some form of brute force as most DNS servers won't spill their guts these days.
Adding a responsive subdomain to any domain you control is trivial and isn't registered anywhere (necessarily). I'm not sure you can achieve this, without additional requirements.