icon icon icon icon icon icon icon
Full Subdomain Brute Force Discovery Using Automated Trickest Workflow - Part 2
back to posts

Full Subdomain Brute Force Discovery Using Automated Trickest Workflow - Part 2

subdomains brute force recon enumeration OSINT
November 02, 2022
3 mins read
Carlos Polop display picture

Carlos Polop

Cloud Pentesting Team Leader

In the previous post about subdomain discovery, we explained what subdomain discovery is and the best techniques to start finding subdomains from a domain. We also created a workflow to search for subdomains given a domain name. We show we could find several subdomains from trickest.com and concluded the post by suggesting some improvements, so let’s implement them now!

Several Domains as Input

Currently, if we want to use the previous workflow to search for subdomains of different domains, we would need to launch it several times, modifying the domain used as input.

To avoid this, the first improvement we will develop is to allow the workflow to search for subdomains of several domains running it just once.

To do this, the main change we have to make is to change the initial input string for an input file pointing to


This is a .txt file with the domains:


Therefore, instead of using a “STRING-TO-FILE” to connect the initial subdomains to oneforall, for example, we can directly connect our file input:


But what happened with the tools that expect a domain string as input? We can use the special node “FILE-SPLITTER” to call the tools once per line in the input file:


This way, we can control the domains we will enumerate in a gist and enumerate all of them in just 1 run of the workflow.

This is how the workflow looks like after these changes:

Workflow after changes

Generate Permutations to Brute Force

Having names of the already discovered subdomains, you could create permutations of those names and brute-force them to discover even more subdomains. For this technique, you need:

  • Discovered subdomains: We already have this in our workflow
  • Permutation wordlists: Wordlists with permutations to perform.
  • Permutation tools: Tools that give names and a permutation wordlist, and the initial names will generate permutations.

Permutation Wordlists

These are the permutation wordlists I will combine into one to use in the workflow:

Permutation Tools

In this workflow, I will be using the following tools to generate permutations of the discovered subdomains’ names:

Add Wordlists and Brute Force Tools to Trickest Workflow

These are the nodes we will be adding to our workflow to generate permutations of the discovered subdomains and then brute-force them with Puredns (using the same parameters as before):


Grabbing All Subdomains

Finally, we will be combining the found subdomains from the first part of our workflow with the discovered brute forcing name permutations into one list.

Run it!

Let’s give this workflow a try and see what it finds!


For the sake of brevity, I’m not going to list here all the discovered subdomains, but it discovered 63 subdomains:



We improved our previous subdomain’s discovery workflow to try to find hidden subdomains with uncommon names. This will help us find those potentially forgotten subdomains exposing outdated webs.

However, could we improve even more this workflow? Yes, we can. You could dedicate tens of hours to improve this kind of workflow, and you will always find new ways to tune them better.

Here are some suggestions:

Furthermore, note that different tools will use the same OSINT platforms to find information and won’t find new subdomains. Keep this in mind to optimize your workflow!

All these possibilities allow you to find new subdomains that other hunters or pentesters couldn’t find.

Fill out the form to access Trickest and have fun creating your unique workflow!

Share this post


Fill out our early access form to put yourself on the waitlist and stay in the loop.