are you looking to get a directory structure, like: domain.com/dir1, domain.com/dir2
or are you looking to get subdomains like: www.domain.com
, sub1.domain.com, sub2.domain.com ?
One thing you can do is ping the site and get the IP address, then do a reverse IP Lookup. You can also use Google Site search to get a full site index. You can also use a scanner that will look for common subdirectories on the domain like /wp-admin or /phpmyadmin, etc.