- Brute Force DNS bruteforce - try large number of possible subdomains; Automated using a tool eg DNSrecon Request
- OSINT crt.sh - database of certificates that show current and historical results search engine - google - search within a specific domain eg: -site:www.tryhackme.com site:*.tryhackme.com sublist3r - speed up process of OSINT subdomain discovery
- Virtual Host -DNS record could be kept on a private DNS server that maps domain names to IP addresses -Host header - used to tell the server which website to serve for the client (change the host header to discover subdomains) use ffuf tool