Checking for existence of subdomains with nmap

Whether you’re searching for story ideas, doing competitive research, or just exercising some web curiosity, having a list of the subdomains of a given domain can be helpful.

I stumbled on this tutorial and thought it was a helpful intro, in large part due to the inclusion of lists containing the top 1,000,000 subdomains. If you’re on a Mac, you can get going with nmap by installing with brew install nmap. Then grab one of the subdomain lists – say, the top 1,000 subdomains – and put it on your desktop.

So with the subdomain list and nmap installed, we can open our terminal app, change into the Desktop directory, and then set up a one-liner like this:
nmap --script dns-brute --script-args dns-brute.domain=onwardstate.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst

And voilà, a couple of minutes later you’ll have a list of the names from the wordlist that actually resolve, along with their IP addresses. Names that aren’t in the list won’t be found, so a bigger list means more coverage (and a longer run).
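Once you have that output, the useful next step is to turn it into an inventory check: which of the discovered names did you already know about, and which are forgotten or unexpected? The script below is an added example and is not part of the original post or of nmap. It assumes the dns-brute result lines have nmap's usual "|   hostname - address" layout; the scan text, the example.com names, and the "known hosts" list are all constructed placeholders. It also flags one well-known caveat of this approach: if the zone uses wildcard DNS, every name in the wordlist "exists" and resolves to the same address, so a single address claimed by many names is a sign the results need a closer look.

```python
import re
from collections import defaultdict

# Constructed sample of nmap dns-brute output (not real scan data). The layout
# follows nmap's usual script-output lines; the domain uses the reserved
# example.com and the addresses come from documentation ranges.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap ( https://nmap.org )
Pre-scan script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www.example.com - 192.0.2.10
|     mail.example.com - 192.0.2.20
|     old-test.example.com - 198.51.100.7
|     staging.example.com - 192.0.2.10
|_    ipv6.example.com - 2001:db8::1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 41.32 seconds
"""

# Constructed asset inventory: the names the owner of the zone knows about.
KNOWN_HOSTS = {"www.example.com", "mail.example.com", "ipv6.example.com"}

# One result line: "|" or "|_", spaces, hostname, " - ", address.
LINE_RE = re.compile(r"^\|[_ ]\s*(\S+)\s+-\s+(\S+)\s*$")


def parse_dns_brute(text):
    """Return a list of (hostname, address) pairs from dns-brute script output.

    Header lines such as '| dns-brute:' contain no ' - ' separator and are skipped.
    """
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m.group(1).lower(), m.group(2)))
    return results


def unknown_hosts(results, known):
    """Names that resolved but are not in the known-asset inventory, sorted."""
    return sorted({host for host, _ in results if host not in known})


def wildcard_suspects(results, threshold=3):
    """Heuristic wildcard-DNS check: addresses shared by at least `threshold`
    distinct names. With a wildcard record every brute-forced name resolves,
    so one address collecting many names is a warning sign, not proof."""
    by_addr = defaultdict(set)
    for host, addr in results:
        by_addr[addr].add(host)
    return {addr: sorted(hosts) for addr, hosts in by_addr.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    found = parse_dns_brute(SAMPLE_NMAP_OUTPUT)
    print(f"{len(found)} names resolved")
    for host in unknown_hosts(found, KNOWN_HOSTS):
        print(f"  not in inventory: {host}")
    for addr, hosts in wildcard_suspects(found).items():
        print(f"  possible wildcard: {addr} <- {', '.join(hosts)}")
```

To use it on a real run, save the nmap output to a file (for example with -oN) and pass its contents to parse_dns_brute instead of the constructed sample; the "not in inventory" lines are the ones worth following up, since they are typically old test hosts or services nobody remembers standing up.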

Posted Dec. 23 2016, 1:27 pm by davis