Let’s say you want to find out all the subdomains for a given domain in order to perform an authorized security audit. There are many options but I have seen the best results using Amass.
$ amass enum -brute -d example.com
With that command you will perform a very noisy brute force subdomain discovery scan. This tools has many advanced featured but for me, most of the time I just use the above command and get excellent result.
Try it on your domains and see what comes up.