Subdomain enumeration is an information gathering technique. It can be used to define the all sites opened to the internet in a company. In large organizations, it is very common to have some forgotten websites that having vulnerabilities or some sensitive data. So, subdomain enumeration also important for bug bounty.
The first technique is searching for passive dns information. There are a lot of ways to search for dns information however it should also be noted that the DNS information of closed servers may remain in the cache.
DNSdumpster.com: can give archive information about the domain also with some additional information like geolocation, nmap port scan, visualization of the domain mapping, and HTTP responses to check whether the site is alive or not.
crt.sh: is another interesting tool for searching for SSL certificates used by a domain and its subdomains.
Virustotal: When you search a domain in virustotal, it gives you all subdomains and additional information about the domain.
Other technique is automated.
amass: has a lot of options showing subdomains and things associated with it.
Sublist3r: Sublister lists subdomains of a domain, meanwhile it has a bruteforce module. Domain wordlists can be used with this module called subbrute.
#sublist3r -v -d facebook.com