# Subdomains

## What is it?

Subdomain discovery is the process of finding what subdomains exist given a domain name. For example, the domain `tcm-sec.com` might have the subdomains `dev.tcm-sec.com` and `blog.tcm-sec.com`. 

### Wordlists

Assetnote <https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt>

Seclists [/Seclists/Discovery/DNS/\<multiple lists here>](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS)

## Passive discovery

* Sublistr
* Google
* <https://crt.sh/>

## Active discovery

* Sublistr
* DNSRecon
* Amass
* Ffuf

```
ffuf -u <target> -w /path/to/wordlist.txt -H "Host: FUZZ.target.com" -fs <size-filter>
```