In this example, we will use the Google search engine; however, know that there are a number of search engines that can provide similar information and, in some cases, more or different data. The Google search engine provides a number of search operators that allow you to narrow your results when performing queries. A few that can come in particularly handy for the penetration tester are site:, inurl:, and intitle:.

For our purposes (finding subdomains), we will use the site: search operator, as follows:

1. Navigate to https://www.google.com, and we will search for sites that are part of the google.com domain.  We do this by searching site:google.com, as shown in the following screenshot:

2. As you can see, Google finds about 2.9 billion results, but almost all of the results are of the subdomain www.google.com. So, our next step is to filter these out so we can continue to find unique subdomains. We do this by modifying our query site:google.com -site:www.google.com, as shown in the following screenshot:

3. We find the additional subdomains of cloud.google.com, translate.google.com, gsuite.google.com, duo.google.com, domains.google.com, store.google.com, blog.google.com, firebase.google.com, on.google.com and developers.google.com. In some cases, you may need to repeat this process a number of times, excluding subdomains as you find them:

site:google.com -site:www.google.com -site:cloud.google.com -site:translate.google.com -site:gsuite.google.com -site:duo.google.com -site:domains.google.com -site:store.google.com -site:blog.google.com -site:firebase.google.com -site:on.google.com -site:developers.google.com