There are countless of tools to use for subdomain enumeration. I personally use subfinder or amass when doing recon on bug bounty targets.