Sub-domain enumeration
Threat actors such as hackers use both passive and active reconnaissance techniques to identify the sub-domains of a target. Usually, an organization will register a domain name (parent domain) and create additional sub-domains, where each sub-domain points to a different server that’s owned by the target. For instance, domain.local points to the IP address of the web server and mail.domain.local points to the IP address of the email server. Therefore, enumerating the sub-domains and resolving their IP addresses helps attackers to identify security vulnerabilities and the attack surface of additional systems owned by the target.
Sometimes, a sub-domain is used to host a test environment for users that is misconfigured, runs a vulnerable or less secure application, and is connected to the internal corporate network. If an attacker were to compromise this system, they would be able to pivot their attacks through the compromised system to the internal...
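Defenders can review their own DNS data for the exposure described above. The following is an added example, not part of the original text: it audits a constructed export of an organization's zone for sub-domains with non-production names or private (RFC 1918) addresses. The record layout, the label list and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: export of an organization's own DNS zone
# (name, record type, value). All names and addresses are made up.
ZONE_EXPORT = """\
domain.local.            A      203.0.113.10
mail.domain.local.       A      203.0.113.25
test.domain.local.       A      203.0.113.77
dev-portal.domain.local. A      10.20.30.40
shop.domain.local.       CNAME  domain.local.
"""

# Assumed naming hints for non-production hosts; adjust to local conventions.
RISKY_LABELS = {"test", "dev", "staging", "uat", "qa"}

# RFC 1918 ranges plus IPv6 unique-local. ipaddress's is_private is avoided
# because it also matches documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_zone(text):
    """Yield (name, rtype, value) from whitespace-separated record lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0].rstrip(".").lower(), parts[1].upper(), parts[2].rstrip(".")

def audit(text, parent="domain.local"):
    """Return {sub-domain: [findings]} for records below the parent domain."""
    findings = {}
    for name, rtype, value in parse_zone(text):
        if not name.endswith("." + parent):
            continue  # skip the parent itself and unrelated names
        notes = []
        labels = name[: -len(parent) - 1].split(".")
        tokens = {t for label in labels for t in label.split("-")}
        if tokens & RISKY_LABELS:
            notes.append("non-production name published in DNS")
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if any(addr in net for net in INTERNAL_NETS):
                notes.append("resolves to internal address " + value)
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for host, notes in audit(ZONE_EXPORT).items():
        print(host, "->", "; ".join(notes))
```

Each flagged name is a candidate for removal from public DNS or for review of the host behind it.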