Discover how hackers and security pros uncover hidden subdomains — and how you can too, using free tools and a few commands.

Ever wondered how security researchers (and hackers) manage to dig up all the hidden corners of a website — the secret login pages, admin panels, or forgotten services? It often starts with subdomain enumeration.

Not Medium Member: Read Here

And guess what? You don’t need to be a cybersecurity expert to start doing it yourself. In this post, I’ll walk you through how to discover subdomains using three popular tools: Sublist3r, Amass, and Gobuster.

Let’s get our hands dirty.

Subdomains are like branches of a website. For example:

• blog.example.com
• admin.example.com
• dev.example.com

Sometimes, these subdomains lead to outdated or vulnerable services. Finding them is a common step in bug bounty hunting and penetration testing.

That’s where subdomain enumeration comes in — it’s the process of discovering all those lesser-known branches.