One way to discover subdomains is to use wordlists. Knockpy offers exactly this possibility! It is written in Python and is easy to install and use. You can also use your own wordlists. The output is displayed in the terminal and saved in a CSV file.
- Python installed
```
# install with pip
$ sudo pip install https://github.com/guelfoweb/knock/archive/knock3.zip
```
```
# usage with internal wordlist
$ knockpy domain.com

# usage with own wordlist
$ knockpy domain.com -w wordlist.txt

# resolve domain name
$ knockpy -r domain.com

# check zone transfer
$ knockpy -z domain.com
```
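From the defender's side, a wordlist run like this shows up in resolver logs as one client asking for many distinct names under a zone, most of which do not exist. The following added example (not part of Knockpy or the original post) flags that pattern; the log format, the sample lines, the function names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real data), assumed format:
# "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000010 10.0.0.9 admin.example.com NXDOMAIN
1700000011 10.0.0.9 dev.example.com NXDOMAIN
1700000012 10.0.0.9 ftp.example.com NXDOMAIN
1700000013 10.0.0.9 mail.example.com NOERROR
1700000014 10.0.0.9 test.example.com NXDOMAIN
1700000015 10.0.0.9 vpn.example.com NXDOMAIN
1700000030 10.0.0.5 mail.example.com NOERROR
1700000090 10.0.0.5 www.example.com NOERROR
"""

def parse(line):
    """Split one log line into (timestamp, client, normalized qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode

def find_enumerators(log_text, zone, window=60, min_names=5, min_nx_ratio=0.6):
    """Return {client: (distinct_names, nx_ratio)} for clients that, within
    `window` seconds, query at least `min_names` distinct names under `zone`
    with at least `min_nx_ratio` of the answers being NXDOMAIN.
    The thresholds are illustrative assumptions; tune them to your traffic."""
    zone = zone.lower().rstrip(".")
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse(line)
        if qname.endswith("." + zone):      # only subdomains of the zone
            per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):      # sliding time window per client
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            names = {q for _, q, _ in win}
            nx = sum(1 for _, _, r in win if r == "NXDOMAIN") / len(win)
            if len(names) >= min_names and nx >= min_nx_ratio:
                flagged[client] = (len(names), round(nx, 2))
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG, "example.com"))
```

A wildcard DNS record in the zone removes the NXDOMAIN signal, so in that case rely on the distinct-name count alone.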