Copy-ready commands for discovering subdomains via passive sources, active brute force, permutations, probing, and takeover checks during authorized testing. (25 payloads)
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
subfinder -d example.com -all -recursive -o subfinder.txt
amass enum -passive -d example.com -o amass.txt
assetfinder --subs-only example.com | sort -u > assetfinder.txt
echo example.com | gau --subs | unfurl -u domains | sort -u
curl -s "https://api.certspotter.com/v1/issuances?domain=example.com&include_subdomains=true&expand=dns_names" | jq -r '.[].dns_names[]' | sort -u

ffuf -w /path/to/subdomains.txt -u https://FUZZ.example.com -mc 200,301,302,403 -of csv -o ffuf.csv
gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -o gobuster.txt
dnsx -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r resolvers.txt -o dnsx-brute.txt
puredns bruteforce all.txt example.com -r resolvers.txt --resolvers-trusted trusted.txt -w puredns-brute.txt
shuffledns -d example.com -w wordlist.txt -r resolvers.txt -mode bruteforce -o shuffledns.txt
dnsx -l candidates.txt -r resolvers.txt -a -resp -o resolved.txt

altdns -i known-subs.txt -o permutations.txt -w words.txt -r -s altdns-resolved.txt
gotator -sub known-subs.txt -perm words.txt -depth 1 -numbers 5 -mindup -adv -md | sort -u > gotator.txt
echo example.com | dnsgen known-subs.txt | puredns resolve -r resolvers.txt -w dnsgen-resolved.txt
puredns resolve permutations.txt -r resolvers.txt --resolvers-trusted trusted.txt -w perm-valid.txt

cat all-subs.txt | httpx -silent -title -status-code -tech-detect -o httpx-live.txt
httpx -l resolved.txt -sc -cl -location -ip -cdn -json -o httpx.json
naabu -list resolved.txt -top-ports 1000 -o naabu-ports.txt
dnsx -l resolved.txt -cname -resp-only | sort -u > cnames.txt
subfinder -d example.com -all -silent | dnsx -silent | httpx -silent -title -status-code

subzy run --targets resolved.txt --hide_fails --verify_ssl
nuclei -l httpx-live.txt -t http/takeovers/ -o takeovers.txt
subjack -w resolved.txt -t 100 -timeout 30 -ssl -c fingerprints.json -v -o subjack.txt
for s in $(cat cnames.txt); do dig +short CNAME $s; done | grep -E 'amazonaws|github\.io|herokuapp|azurewebsites|fastly'
This cheat sheet is a quick-reference collection of 25 Subdomain Enum payloads for subdomain enumeration during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or use the Subdomain Wordlist Builder to apply them interactively. Only test systems you have explicit permission to assess.
This cheat sheet and all Subdomain Enum payloads are completely free, with no account required. Everything runs in your browser.