Subdomain Enumeration: A comparison of services

evildaemond
Published in Heck the Packet
5 min read, Feb 26, 2021

TL;DR: Just spend the $50 on SecurityTrails

Update 03/03/2021 3pm +8GMT: We have identified issues with the methodology and the results used for this article; a new article discussing this is currently underway. Until then we recommend considering these findings and recommendations as invalid.

Update 26/02/2021 4pm +8GMT: The results of this article are currently being disputed and are under review.

Brief disclaimer: The information given in this article was written by me. I am employed by Bugcrowd but this was tested and written outside of work, and I chose to write this article. The accounts used for this test were paid out of pocket by me to remain impartial.

Subdomain enumeration is the key to new attack surfaces: it allows us to find assets that are new to us, and in bug bounties it is considered a key aspect of many bug hunters' methodology. Most methods bug hunters use for enumerating subdomains combine API services, brute-forcing, or crawling existing assets and services to find these subdomains. Each has its upsides and downsides: some take time to complete, some have a lower rate of return, and some require time to configure. But what if we could avoid all of that? Why can't someone else do it for us?

These are services that generate these datasets and offer a host of information on these targets. Each one offers different parts to their service, but in this case we will be focusing on the subdomains…
