All topics ›
Ethical Hacking ›
Reconnaissance
Reconnaissance · Ethical Hacking Walk me through subdomain enumeration for a target.
Multi-source approach: (1) Passive sources — amass enum -passive, subfinder, assetfinder. Pull from CT logs, DNS aggregators, search engines. (2) Active resolution — massdns to verify which subdomains have live IPs. (3) Permutation/wordlist — gobuster vhost mode + custom wordlists for missed subdomains. (4) JS file analysis — extract subdomain references from target's JavaScript with subjs + mantra. (5) Combine + dedupe → final subdomain list. Critical: assets like staging/dev/admin subdomains often have weaker security than primary domain.
Want the full explanation? This is the atomic answer suitable for
quick interview prep. For the structured deep-dive — including code samples,
strong-answer vs weak-answer notes, common follow-up questions, and how this fits
the larger ethical hacking topic — see the full Q&A on Networkers Home:
→ Ethical Hacking Interview Hub — Full Q&A with deep context
→ Ethical Hacking Interview Hub — Full Q&A with deep context
How Networkers Home prepares students for this kind of question
This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.
→ View the complete ethical hacking interview prep hub
→ View the related Networkers Home course
→ Book a free career consultation
Related Reconnaissance questions
Reconnaissance
Q. Difference between active and passive reconnaissance. Which to use first?
Passive recon — gathering info without sending packets to target (Google dorking, Shodan/Censys queries, GitHub source code search, social media OSINT). Stealthy, can't be blocked. Active recon — direct interaction (port…
Read full answer →