atdre

Jason Haddix wrote my favorite subdomain/hostname discovery tool that depends on a very-recent version of recon-ng -- available here -- https://github.com/jhaddix/domain

subbrute is decent, fierce -dns <domain> works great, dnsmap <domain> -r file.txt is also valid, and I don't see any reason to dislike knock -wc <domain> (although the other features of knock may be suspect). All of these tools use techniques that are showing their age, however. The trick for some of these attack improvements is to come up with a customized file with hostnames that are geared specifically for the target.

However, the chainsaw for DNS discovery is dnsrecon. It does everything.

You might also consider a commercial offering, such as RiskIQ, which can do quite a lot more than all of these tools. Their techniques include a lot of surveying that most of you would not think of.

[UPDATE] Another favorite (for hostnames, not primarily subdomains -- is the OP interested in both?) is -- https://github.com/tomsteele/blacksheepwall
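As an added example (not part of atdre's answer or of any tool named above), one way to build the "customized file" the answer refers to: take the labels of hostnames already confirmed for the domain, add vocabulary specific to the organisation, and combine them with environment tokens and numeric suffixes into a label-per-line list that dnsmap -r or similar tools can consume. The hostnames, terms and apex domain below are constructed sample input; the same approach applies when inventorying exposure of domains you operate.

```python
"""Generate a target-specific hostname wordlist (one label per line) for use with
dnsmap <domain> -r file.txt or similar brute-forcers. Added example, not the answer's code."""
import itertools
import re
from typing import Iterable

# Constructed sample input (not from the page): names already confirmed for the apex,
# e.g. parsed from dnsrecon output, plus vocabulary taken from the organisation's own material.
KNOWN_HOSTS = ["www.example.com", "mail.example.com", "VPN-01.example.com",
               "dev.api.example.com", "www.other-company.org"]
TARGET_TERMS = ["acme", "payroll"]
ENV_TOKENS = ["dev", "stage", "staging", "uat", "qa", "prod", "test"]
NUMERIC_SUFFIXES = ["01", "02", "1", "2"]

# RFC 1123 label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def seed_labels(hosts: Iterable[str], apex: str) -> set[str]:
    """Extract every label below the apex from in-scope names; also keep digit-stripped stems."""
    labels: set[str] = set()
    for host in hosts:
        host = host.lower().rstrip(".")
        if not host.endswith("." + apex):
            continue  # different apex: out of scope, contributes nothing
        for label in host[: -(len(apex) + 1)].split("."):
            labels.add(label)
            stem = re.sub(r"-?\d+$", "", label)  # vpn-01 -> vpn, web2 -> web
            if stem:
                labels.add(stem)
    return labels


def build_wordlist(apex: str, hosts: Iterable[str], terms: Iterable[str],
                   envs: Iterable[str] = ENV_TOKENS, nums: Iterable[str] = NUMERIC_SUFFIXES) -> list[str]:
    """Combine seeds and target terms with environment tokens and numeric suffixes; sorted, deduplicated."""
    seeds = seed_labels(hosts, apex) | {t.lower() for t in terms}
    cands = set(seeds) | set(envs)
    for s, e in itertools.product(seeds, envs):
        cands.update({f"{e}-{s}", f"{s}-{e}", f"{e}{s}", f"{s}{e}"})
    for c, n in itertools.product(sorted(cands), nums):  # snapshot: cands grows inside the loop
        cands.update({f"{c}-{n}", f"{c}{n}"})
    return sorted(c for c in cands if LABEL_RE.match(c))


if __name__ == "__main__":
    # Redirect stdout to file.txt and feed it to dnsmap <domain> -r file.txt
    print("\n".join(build_wordlist("example.com", KNOWN_HOSTS, TARGET_TERMS)))
```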
