There are three different subdomain enumeration methods: Brute Force, OSINT (Open-Source Intelligence) and Virtual Host.
Subdomain Enumeration
OSINT
SSL/TLS Certificates
Find sub domains by searching the certificate transparency logs:
http://crt.sh/
https://transparencyreport.google.com/https/certificates
Google Dorks
-site:www.poplabsec.com site:*.poplabsec.com
DNS Brute Force
DNSRecon
./dnsrecon -t brt -d poplabsec.com
Sublist3r
./sublist3r.py -d poplabsec.com
Virtual Hosts
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.poplabsec.com" -u http://10.10.224.18