Domain names and subdomain enumeration... Used are DNS and WHOIS protocol methods.
Re:
https://dnsspy.io/scan
Also for sub-domains:
https://securitytrails.com/blog/subdomain-scanner-find-subdomains.
Automatically generated at places where you could register.
Via zone-owner, authorities here are very restrictive because of risks.
Through DNS queries (for example Cisco Umbrella (OpenDNS)).
Via Certificate Transparency:
https://crt.sh/.
Through scans at shodan & censys etc.
Through multi-threaded scripts, Clone DNS-root-directories to see what is still available (free).
But these are rate-limited against obvious abuse.
Google is your best friend: Google for site:example.com delivers info on subsites; just try for instance site:wordpress.com or site:moonfruit.com. The latter has many a phishing site (e.g. with site:moonfruit.com owa).
Such queries could be combined with Google dorks e.g. for specific WordPress versions and/or used themes/plugins.
Info credits go to: Erik van Straten.
Look at resources like: RobTex.com
https://pentest-tools.com/information-gathering/find-subdomains-of-domain#
Also try:
https://www.ultratools.com/
There are many (semi-)public DNS servers that gather data on DNS lookups.
Such data is being used to look up sub-domains and hostnames per IP.
Resources can be public or on demand.
Whenever you use a "secret" hostname, you should check which DNS servers will get your requests.
Do not use public name servers and/or on clients.
Then we have AXFR unrestricted open to offenders, to get to all of the zone.
This should be limited to trusted name servers.
Check all name servers for a particular domain.
Has a zone file been entered online?
dig ANY. The DNS server for that domain has all known domains from cache.
An open root directory on a web server can also lead to disclosure.
Also a DNS server or interface of control panel (etc.) could be hacked.
Also look for test-servers. Often these are not being maintained.
The plugin update check for WordPress is spurious, it cannot be trusted fully.
Using back up plugins check plug-ins are not available online.
Remove disabled plugins and all remaining files. (info credits: anonymous resources)
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
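
An added example, not part of the original post: a domain owner's audit of which of their own hostnames are publicly disclosed through Certificate Transparency, with test-style hosts flagged for a maintenance review. The sample records are constructed in the shape of crt.sh JSON output (the `name_value` field), and the function names and hint list are assumptions made for this illustration.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (name_value may hold
# several newline-separated names); not real certificate data.
SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "test.example.com", "name_value": "test.example.com"},
    {"common_name": "vpn-secret.example.com", "name_value": "VPN-Secret.example.com."},
    {"common_name": "staging.shop.example.com", "name_value": "staging.shop.example.com"},
    {"common_name": "example.com.other.invalid", "name_value": "example.com.other.invalid"},
])

# Assumed label hints for hosts that tend to be unmaintained.
NONPROD_HINTS = ("test", "dev", "staging", "old", "backup")


def exposed_hostnames(ct_json, domain):
    """Return sorted hostnames under `domain` disclosed in CT log records."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for raw in (record.get("name_value") or "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard entry discloses its parent name
            # Match on a label boundary so example.com.other.invalid is excluded.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def nonproduction_hosts(hostnames, domain):
    """Hostnames whose labels left of `domain` contain a non-production hint."""
    flagged = []
    for host in hostnames:
        prefix = host[: -len(domain)].rstrip(".")
        labels = prefix.split(".") if prefix else []
        if any(hint in label for label in labels for hint in NONPROD_HINTS):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    hosts = exposed_hostnames(SAMPLE, "example.com")
    print("publicly disclosed:", hosts)
    print("review for maintenance:", nonproduction_hosts(hosts, "example.com"))
```

Any hostname that appears in the first list is public from the moment its certificate is logged, so a "secret" name with a publicly issued certificate is not secret.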