# subdomain

subdomain passive uses third-party sources without interacting directly with the target.

**General Command**

```bash
assetfinder --subs-only example.com
subfinder -d example.com
subfinder -d example.com -all
amass enum -passive -d example.com
chaos -d example.com -key YOUR_CHAOS_API_KEY
```

#### One Liner

```bash
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u

curl -s "https://api.securitytrails.com/v1/domain/example.com/subdomains" \
-H "APIKEY: YOUR_API_KEY"

echo example.com | waybackurls | cut -d/ -f3 | sort -u
```

**Online Tools to Do**

* <https://dnsdumpster.com>
* <https://crt.sh/?q=%.example.com>
* <https://hunter.io>