Amass is my favorite reconnaissance tool

Let’s say you want to find out all the subdomains for a given domain in order to perform an authorized security audit. There are many options but I have seen the best results using Amass.

$ amass enum -brute -d example.com

With that command you will perform a very noisy brute force subdomain discovery scan. This tools has many advanced featured but for me, most of the time I just use the above command and get excellent result.

Try it on your domains and see what comes up.