We don't always we have a situation where a client has defined a full detailed scope of what needs to be pentested. So we will use the following mentioned recipes to gather as much information as we can to perform a pentest.
We start with jumping into Kali's Terminal and using the first and most widely used tool fierce
.
This is a free project by Hacker Target to look up subdomains. It relies on https://scans.io/ for its results. It can also be used to get the subdomains of a website. We should always prefer to use more than one tool for subdomain enumeration as we may get something from other tools that the first one failed to pick.