Fierce
Fierce is an open source active reconnaissance tool for enumerating the subdomains of a target domain. It was written by Robert (RSnake) Hansen and comes pre-installed in Kali Linux.
The Fierce Perl script first looks up the target's name servers, attempts a DNS zone transfer (AXFR) against each of them, and falls back to brute-forcing hostnames from a wordlist. Every one of those queries goes to the target's own name servers, so this is active reconnaissance and will show up in their logs:
fierce -dns target.com
Let's run Fierce against iitk.ac.in and see how it performs. The output is shown in the following screenshot:
Voila, Fierce presented us with a list of subdomains. Note how it got them: Fierce first enumerated the name servers of iitk.ac.in and then requested a zone transfer from each one. One of the name servers was misconfigured to allow transfers to arbitrary clients, so Fierce pulled the complete zone, subdomains included, from that server. A correctly configured name server restricts AXFR to its own secondaries and answers everyone else with REFUSED, in which case Fierce has to fall back to the wordlist.
We can also perform the zone transfer ourselves with dig, which is available on most *nix systems, without using Fierce. The command to perform a zone transfer using dig goes like this:
dig @<name-server-of-target> <...
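The following script is an added example, not code from the original page or from Fierce. It reproduces the sequence the text describes (find the zone's name servers, try AXFR on each, harvest the subdomains) with dig, and also shows how to recognise a refused transfer. The zone example.com, the name-server names and both samples of dig output are constructed so that the parsing runs offline; the live sweep at the end needs network access and the dig binary.

```shell
#!/bin/sh
# Added example (not from the original page or from Fierce): enumerate a zone's
# name servers, try AXFR on each, and extract subdomains from a successful
# transfer. Zone, name servers and sample dig output below are constructed.

# Constructed copy of what `dig @ns1.example.com example.com axfr` prints on a
# name server that allows zone transfers to anyone.
SAMPLE_AXFR_OPEN='
; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com axfr
example.com.      3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600  IN  NS     ns1.example.com.
www.example.com.  300   IN  A      192.0.2.10
mail.example.com. 300   IN  A      192.0.2.20
dev.example.com.  300   IN  CNAME  www.example.com.
vpn.example.com.  300   IN  A      192.0.2.30
example.com.      3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
'

# Constructed copy of the output on a properly restricted server (REFUSED).
SAMPLE_AXFR_REFUSED='
; <<>> DiG 9.18.0 <<>> @ns2.example.com example.com axfr
; Transfer failed.
'

# axfr_allowed: succeed only if the dig output on stdin is a real transfer,
# i.e. no "Transfer failed" line and at least one SOA record came back.
axfr_allowed() {
  awk 'BEGIN { ok = 0 }
       /Transfer failed/ { ok = 0; exit }
       $1 !~ /^;/ && $3 == "IN" && $4 == "SOA" { ok = 1 }
       END { exit (ok ? 0 : 1) }'
}

# axfr_hosts ZONE: print the unique owner names strictly below ZONE found in
# the AXFR output on stdin (comment lines start with ";", apex is skipped).
axfr_hosts() {
  LC_ALL=C awk -v suffix=".$1." '
    $1 !~ /^;/ && NF >= 4 && $3 == "IN" {
      n = length($1); s = length(suffix)
      if (n > s && substr($1, n - s + 1) == suffix) print $1
    }' | LC_ALL=C sort -u
}

# axfr_sweep ZONE: live version (needs network and dig). Looks up the NS
# records the way Fierce does, then attempts AXFR against each server.
axfr_sweep() {
  zone="$1"
  for ns in $(dig +short NS "$zone"); do
    out=$(dig @"$ns" "$zone" axfr 2>/dev/null)
    if printf '%s\n' "$out" | axfr_allowed; then
      echo "[+] $ns allows zone transfer for $zone"
      printf '%s\n' "$out" | axfr_hosts "$zone"
    else
      echo "[-] $ns refused zone transfer for $zone"
    fi
  done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AXFR_OPEN" | axfr_hosts example.com
```

Run `axfr_sweep target.com` (hypothetical target) to do the live sweep; the parsing functions read whatever dig printed on stdin, so they can also be pointed at output saved from an earlier transfer.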