Advanced search engine queries to discover subdomains, replicating a dns zone transfer when zone transfers are disabled on the dns server. Basically, the technique involves making search engine requests which restrict the url and site to the target domain. Then, based on the results of the search, excluding the subdomains that are returned. Repeat until the search engine returns 0 results. The final search query excludes all of the public facing subdomains that the search engine is aware of. Conduct a dns look-up of each of the identified subdomains, and you’ve got yourself a dns zone transfer of all the subdomains with public facing web servers.

Source | Download