During first step of security audit you need to get list of all sub-domains for a company domain name. How we can do it?
1. If target corporate DNS server support zone transfer (it's a security problem itself) it's easy:
#dig nameserver domainname axfr
#host -l domainname
2. DNS brute forcers - as a any brute force attack it's take a lot of time and it's always dirty work
3. My favorite way - ,sure thing, using google:
Just do a simple request
-inurl:www.ibm.com site:ibm.com
So, if google already indexed these domains you will find it in the list!
Sure thing, it works only with domains with web-servers on it.