Hands-on subdomain enumeration and DNS reconnaissance using four industry-standard tools on Kali Linux. Documents real findings against google.com as a safe public target.
⚠️ Ethical use only. Only enumerate domains you own or have explicit written permission to test. google.com is used here as a safe, publicly enumerable target for demonstration purposes.
| Tool | Type | Results Found |
|---|---|---|
| Sublist3r | OSINT — searches Google, Bing, Yahoo, VirusTotal | 272 subdomains |
| Gobuster | DNS brute-force using wordlist | 226 subdomains |
| DNSRecon | DNS records enumeration | 77 DNS records |
| Amass | Deep attack surface mapping | 6 subdomains |
Total subdomain results across Sublist3r, Gobuster and Amass: 504 (raw sum of the three counts). The same host is often reported by more than one tool, so merge and de-duplicate the result files before quoting a unique count.
Target: google.com, a publicly enumerable domain used for demonstration purposes.
Sublist3r queries multiple public sources in parallel (Google, Bing, Yahoo, Baidu, Ask, Netcraft, SSL certificate data and PassiveDNS) for hostnames that are already indexed. It is passive: nothing is sent to the target's own infrastructure.

```bash
sublist3r -d google.com -o sublist3r_results.txt
```

- 272 subdomains found
- Sources used: Google, Bing, Yahoo, Baidu, Ask, Netcraft, SSL Certificates
- Some sources blocked requests (VirusTotal, DNSDumpster); this is normal rate limiting, not an error in the run
Gobuster brute-forces subdomains: it takes each word from a wordlist, builds word.google.com, and checks whether the name resolves. This is active reconnaissance; every candidate results in a DNS query for a name under the target domain.

```bash
gobuster dns --domain google.com -w /usr/share/wordlists/dirb/common.txt -o gobuster_results.txt
```

- 226 subdomains found
- Wordlist: /usr/share/wordlists/dirb/common.txt (a web-path list; a DNS-specific list such as SecLists' Discovery/DNS/subdomains-top1million-5000.txt usually gives better coverage)
- Threads: 10 (gobuster's default)
- Gobuster checks for a wildcard record before starting; if *.google.com resolved, every word would appear to "hit" and the count would be meaningless (gobuster stops in that case unless --wildcard is given)
DNSRecon queries the standard record types for the domain: A and AAAA (addresses), MX (mail servers), NS (nameservers), TXT (where SPF and similar mail policies are published) and SOA.

```bash
dnsrecon -d google.com -t std > dnsrecon_results.txt
```

- 77 DNS records found
- Record types: A, AAAA, MX, NS, TXT, SOA
- Revealed mail servers, nameservers, and the SPF record
- For machine-readable output use `-c file.csv` or `-j file.json` rather than redirecting the terminal output
Amass combines many passive data sources (certificate transparency logs, passive DNS, search engines and API-backed services) with DNS resolution of every candidate name, and can add wordlist brute-forcing with -brute. It is the slowest of the four tools and, with data-source API keys configured, the most thorough.

```bash
amass enum -d google.com | tee amass_results.txt
```

- 6 subdomains found
- Took 10+ minutes
- Used certificate transparency logs and passive DNS
- A count this low for a domain the size of google.com is worth re-checking: confirm the run finished rather than being interrupted, and that API keys for the data sources were configured, since Amass relies heavily on them
Notable subdomains found:

- mail.google.com → Gmail service
- drive.google.com → Google Drive
- api.google.com → API endpoint
- admin.google.com → Admin panel
- dev.google.com → Development server
- staging.google.com → Staging environment

DNS records found:

- MX → mail servers handling Google email
- NS → nameservers managing google.com DNS
- TXT → the SPF record listing which hosts may send mail for google.com; receiving mail servers use it to reject spoofed mail
- A → IP addresses of google.com servers
Every hostname is a potential entry point. Forgotten dev and staging servers are often patched less regularly and monitored less closely than the main site. Enumerating them is the first step in any external security assessment.
| Tool | Best for | Speed |
|---|---|---|
| Sublist3r | Quick OSINT recon | Fast (2 min) |
| Gobuster | Thorough brute-force | Medium (3 min) |
| DNSRecon | DNS record analysis | Very fast (30 sec) |
| Amass | Deep comprehensive scan | Slow (10+ min) |
In a real penetration test the four tools complement each other; a typical order:
- Sublist3r first: quick wins from public sources, with no traffic to the target
- DNSRecon: understand the DNS infrastructure (nameservers, mail servers, SPF)
- Gobuster: brute-force what OSINT missed
- Amass: deep scan for thorough coverage, then merge and de-duplicate all four result files
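The merge step that the workflow ends with, as an added example (this script is not part of the original project): it folds the four tools' output files into one sorted, de-duplicated list of hostnames that are actually in scope. The line formats it expects for gobuster ("Found: host") and dnsrecon ("[*] <tab> TYPE host data") are assumptions based on the tools' usual text output, and the sample lines in demo_merge are constructed, not real findings. It avoids bash-only syntax so it runs under a plain POSIX sh as well.

```shell
#!/usr/bin/env bash
# merge_subdomains.sh: added example, not part of the original project.
# Normalises the output formats of Sublist3r, Gobuster, DNSRecon and Amass
# into one sorted, de-duplicated list of in-scope hostnames.
# Assumed line formats (assumptions, not verified tool output):
#   sublist3r / amass : one hostname per line, case may vary
#   gobuster dns      : "Found: host.example.com"
#   dnsrecon -t std   : "[*] <TAB> A host.example.com 192.0.2.1"
set -eu

# merge_subdomains DOMAIN FILE...
# Prints every hostname that is DOMAIN itself or ends in ".DOMAIN", once.
merge_subdomains() {
  local domain=$1; shift
  # escape the dots so the domain can be used literally in the regex below
  local domain_re
  domain_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
  cat "$@" |
    # DNS names are case-insensitive; fold to lower case before de-duplicating
    tr '[:upper:]' '[:lower:]' |
    # pull hostname-looking tokens out of whatever surrounds them
    # ("Found: ", "[*]", IP addresses, "include:" in SPF data, ...)
    grep -oE '[a-z0-9._-]+' |
    # drop the trailing dot of FQDN notation
    sed -E 's/\.$//' |
    # keep only the target domain and names under it; this rejects
    # look-alikes such as notgoogle.com and anything outside scope
    grep -E "(^|\.)${domain_re}\$" |
    # LC_ALL=C gives a stable byte-wise order regardless of the user's locale
    LC_ALL=C sort -u
}

# Constructed sample output (not real tool output, documentation IP range)
# so the script can be exercised offline; running with no arguments uses it.
demo_merge() {
  local tmp
  tmp=$(mktemp -d)
  printf '%s\n' 'mail.google.com' 'Drive.Google.com' > "$tmp/sublist3r.txt"
  printf '%s\n' 'Found: dev.google.com' 'Found: mail.google.com' > "$tmp/gobuster.txt"
  printf '[*] \t %s\n' 'A google.com 192.0.2.10' \
                       'MX smtp.google.com 192.0.2.20' \
                       'TXT google.com v=spf1 include:_spf.google.com ~all' > "$tmp/dnsrecon.txt"
  printf '%s\n' 'staging.google.com.' 'notgoogle.com' > "$tmp/amass.txt"
  merge_subdomains google.com "$tmp"/*.txt
  rm -rf "$tmp"
}

# Usage: ./merge_subdomains.sh google.com sublist3r_results.txt \
#            gobuster_results.txt dnsrecon_results.txt amass_results.txt
if [ "$#" -gt 0 ]; then
  merge_subdomains "$@"
else
  demo_merge
fi
```

The demo deliberately includes a mixed-case name, an FQDN with a trailing dot, a host that appears in two files, a hostname embedded in SPF record data, and a look-alike domain outside scope; the merged output keeps seven names and drops notgoogle.com. Names found only in record data (here _spf.google.com) are kept because they are real hosts under the target domain.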
```
subdomain-enumerator/
├── README.md
├── sublist3r_results.txt   (272 subdomains)
├── gobuster_results.txt    (226 subdomains)
├── dnsrecon_results.txt    (77 DNS records)
├── amass_results.txt       (6 subdomains)
└── screenshots/
    ├── sublist3r.png
    ├── gobuster.png
    ├── dnsrecon.png
    └── amass.png
```
- OS: Kali Linux (VirtualBox)
- Tools: Sublist3r, Gobuster, DNSRecon, Amass
- Target: google.com (public domain)
All enumeration was performed against google.com, a publicly accessible domain. No systems were accessed or compromised. Sublist3r only reads public indexes; the DNS queries made by DNSRecon, Gobuster and Amass are ordinary lookups of the kind any resolver performs, so this is reconnaissance using publicly available information, not an intrusion attempt.
MIT