A Top Level Domain can encompass numerous subdomains.
In the case of PEH, we massively expand our scope (while staying within our overarching scope limitations! IMPORTANT!) to include things like sites that were never supposed to be public facing, such as development environments, login forms, test sites and the like.

There are multiple tools available to enumerate the subdomains of a domain. The one listed in PEH is Sublist3r, a CLI tool to search for subdomains.

<aside> 💡

sudo apt install sublist3r
sublist3r -d domainname.com

</aside>

crt.sh

This is a web interface for a distributed database called Certificate Transparency logs.

Essentially, it gives us a way to search for registered certs for a subdomain.

Basically, this is just a great way to find subdomains for our enumeration phase!
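
An added example (not from PEH or crt.sh itself): turning certificate search results into a clean, in-scope subdomain list. It assumes results were exported as JSON records with a `name_value` field holding newline-separated certificate names; the sample data and the function names are constructed for illustration.

```python
import json

# Constructed sample in the assumed shape of a crt.sh JSON export.
# Assumption: each record's name_value holds newline-separated certificate names.
SAMPLE_CRTSH_JSON = r'''[
  {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
  {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
  {"common_name": "login.example.com", "name_value": "LOGIN.example.com"},
  {"common_name": "shop.example.net", "name_value": "shop.example.net\nwww.example.com"},
  {"common_name": "notexample.com", "name_value": "notexample.com"},
  {"common_name": "staging.example.com", "name_value": "staging.example.com\nadmin@example.com"}
]'''

def in_scope(name, scope_domains):
    """True only for a scope domain itself or a name below it (label boundary)."""
    return any(name == d or name.endswith("." + d) for d in scope_domains)

def names_from_crtsh(records, scope_domains):
    """Return (in-scope names, out-of-scope names), deduplicated and sorted."""
    scope = [d.lower().rstrip(".") for d in scope_domains]
    found, skipped = set(), set()
    for rec in records:
        for raw in (rec.get("name_value") or "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard certificate: keep the parent name
            if not name or "@" in name or " " in name:
                continue  # e-mail addresses and free text also show up in certs
            (found if in_scope(name, scope) else skipped).add(name)
    return sorted(found), sorted(skipped)

def run_sample():
    """Parse the constructed sample against a one-domain scope."""
    return names_from_crtsh(json.loads(SAMPLE_CRTSH_JSON), ["example.com"])

if __name__ == "__main__":
    kept, dropped = run_sample()
    print("in scope:    ", kept)
    print("out of scope:", dropped)
```

The out-of-scope list is worth reviewing rather than discarding silently: names such as `notexample.com` match a naive substring search but are not part of the engagement.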