Subdomain Enumeration for Bug Bounty Hunters: Tools & Techniques

Waseem Akram
Researcher, Pentester, Dev
2025-04-19

🏴‍☠️ Subdomain Enumeration for Bug Bounty Hunters: Tools & Techniques

💡 Why Subdomain Enumeration Is a Core Weapon in Bug Bounty Recon

Subdomains are often the weak links in corporate security. While organizations focus on hardening their main applications, internal tools, staging environments, forgotten APIs, and test dashboards are frequently left vulnerable.

Why Subdomains Are Valuable for Hackers:

  • 🧱 Legacy or Unmaintained Infrastructure: Old Jenkins panels, forgotten APIs, legacy WordPress instances.
  • ⚙️ Misconfigurations: CORS issues, open redirects, or improperly protected admin panels.
  • 🐛 High-Impact Vulnerabilities: SSRF, IDOR, RCE, unrestricted file uploads, and more.

🎯 The Mission: Find. Filter. Exploit.

  1. Identify as many subdomains as possible.
  2. Validate which are live and exploitable.
  3. Prioritize high-value targets (e.g., dev, admin, internal, staging).
  4. Launch precise, ethical attacks.

🔍 Step 1: Passive Subdomain Enumeration — Stealth Mode Activated

Passive reconnaissance avoids direct interaction with the target's infrastructure, keeping you invisible to security logs.

🔧 Top Passive Recon Tools & Techniques:

  • CRT.sh – Certificate Transparency Logs

    curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

    🧠 Pro Tip: Many organizations register internal subdomains in wildcard SSL certificates.

  • Subfinder by ProjectDiscovery

    subfinder -d target.com -o subdomains.txt

    📌 Pulls data from APIs like VirusTotal, Censys, AlienVault, and Shodan.

  • Amass (Passive Mode)

    amass enum -passive -d target.com -o passive-amass.txt

    🧠 Pro Tip: Use Amass’ config files to add custom sources like GitHub.

  • Threat Intel APIs (Hackertarget, SecurityTrails)

    curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"

🎁 Bonus: Merge and Deduplicate Results

    cat *.txt | sort -u > all-passive-subdomains.txt
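
Added example (Python, not from the original post): a parser for crt.sh's JSON output that handles what the jq/sed one-liner and the `cat *.txt | sort -u` merge above skip, namely name_value entries holding several SANs on separate lines, mixed case, trailing dots, and SANs from other zones that happened to share a certificate. The JSON and subfinder lines are constructed samples; `normalize`, `parse_crtsh` and `merge_sources` are names chosen here.

```python
import json
import re
from typing import Iterable, List, Optional, Set

# Constructed sample of crt.sh's JSON output (not real data). It shows the cases
# the jq/sed pipeline does not handle: several SANs in one name_value separated
# by newlines, mixed case, a trailing dot, and an out-of-scope SAN.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "*.target.com\napi.target.com"},
    {"name_value": "Dev.Target.com"},
    {"name_value": "staging.target.com."},
    {"name_value": "cdn.target.com\nlogin.other-target.com"},
    {"name_value": "api.target.com"},
])

# Constructed subfinder-style output to merge with the CT results.
SAMPLE_SUBFINDER = ["api.target.com", "mail.target.com", "JENKINS.target.com", ""]

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")


def normalize(name: str, scope: str) -> Optional[str]:
    """Lower-case, strip '*.' and a trailing dot, and keep only names inside scope."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not HOSTNAME_RE.match(name):
        return None
    if name != scope and not name.endswith("." + scope):
        return None  # a SAN from the same certificate but a different zone
    return name


def parse_crtsh(json_text: str, scope: str) -> Set[str]:
    """Like the jq/sed one-liner, but splits multi-SAN entries and enforces scope."""
    found: Set[str] = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            host = normalize(raw, scope)
            if host:
                found.add(host)
    return found


def merge_sources(scope: str, *sources: Iterable[str]) -> List[str]:
    """Merge line-oriented output of several tools into one sorted, deduplicated list."""
    merged: Set[str] = set()
    for lines in sources:
        merged.update(h for h in (normalize(line, scope) for line in lines) if h)
    return sorted(merged)
```

Feed it the raw crt.sh response and the other tools' output files in place of the constructed samples; the out-of-scope SAN is dropped rather than silently added to the target list.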

💥 Step 2: Active Subdomain Enumeration — Time to Get Loud

Active enumeration uncovers hidden, dynamically generated, and unindexed subdomains.

🧰 Best Active Recon Tools:

  • dnsx — DNS Bruteforcing Beast

    dnsx -d target.com -w wordlist.txt -o valid.txt

  • Altdns — Permutation + Mutation Generator

    altdns -i all-passive-subdomains.txt -o permutations.txt -w words.txt

  • MassDNS — High-Speed DNS Resolver

    massdns -r resolvers.txt -t A -o S -w resolved.txt domains.txt

  • AXFR — Zone Transfer Testing

    dig axfr @ns1.target.com target.com

🎁 Bonus Tool: DNSDumpster.com

Visualize DNS records, mail servers, and subdomains in a neat graph.

🔎 Step 3: JS File Recon – Where Devs Leave Skeletons in Closets

Public JavaScript files often contain hardcoded API keys, endpoints, and dev URLs.

Tools for JS Recon:

  • Katana — Modern Crawler for JavaScript

    katana -u "https://target.com" -d 2 -o js-files.txt

  • Grep Out Subdomains from JS

    grep -Eo "https?://[a-zA-Z0-9./?=_-]*" js-files.txt | grep target.com

  • LinkFinder (by @Gwen001)

    python3 linkfinder.py -i js-files.txt -o output.html

🕵️‍♂️ Step 4: Discovering Wildcard & Shadow Subdomains

Tools for Wildcard & Shadow Subdomains:

  • Wildcard Test with dnsx

    echo "randomname123.target.com" | dnsx -a -resp-only

  • Shadow Subdomains

    subfinder -d staging.target.com -o shadow.txt
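
Added example, not from the original post: the single random-label dnsx probe above, generalised in Python to several probes and then used to drop brute-force hits that only echo the wildcard answer, which is what makes a wildcard zone flood `valid.txt` with false positives. The resolver is injected so the block runs offline against a constructed fake zone; `socket_resolve` is a stdlib stand-in for a live lookup, and all function names are chosen here.

```python
import random
import socket
import string
from typing import Callable, Dict, FrozenSet, List

# A resolver maps a hostname to its A records; an empty set means NXDOMAIN.
Resolver = Callable[[str], FrozenSet[str]]


def socket_resolve(host: str) -> FrozenSet[str]:
    """Stdlib A-record lookup, for use against a live zone instead of the fake below."""
    try:
        return frozenset(info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET))
    except socket.gaierror:
        return frozenset()


def random_label(length: int = 12) -> str:
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def detect_wildcard(zone: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve several random labels; if all answers agree, that answer is the wildcard
    (empty = none). Round-robin wildcards that vary per query are not caught this way."""
    answers = {resolve(f"{random_label()}.{zone}") for _ in range(probes)}
    return next(iter(answers)) if len(answers) == 1 else frozenset()


def filter_wildcard(candidates: List[str], zone: str, resolve: Resolver) -> Dict[str, FrozenSet[str]]:
    """Resolve brute-force candidates; drop NXDOMAINs and hosts that only echo the wildcard."""
    wildcard = detect_wildcard(zone, resolve)
    kept: Dict[str, FrozenSet[str]] = {}
    for host in candidates:
        records = resolve(host)
        if records and records != wildcard:
            kept[host] = records
    return kept


# Constructed fake zone standing in for live DNS (no network). dev.target.com is a
# real record that shares the wildcard's address, so A-record-only filtering drops it
# too: that is the known blind spot of this technique.
WILDCARD_ANSWER = frozenset({"203.0.113.99"})
FAKE_ZONE = {
    "www.target.com": frozenset({"203.0.113.10"}),
    "api.target.com": frozenset({"203.0.113.20"}),
    "dev.target.com": WILDCARD_ANSWER,
}


def fake_resolve(host: str) -> FrozenSet[str]:
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    return WILDCARD_ANSWER if host.endswith(".target.com") else frozenset()
```

Pass `socket_resolve` instead of `fake_resolve` to run the same filter over a real wordlist result; hosts whose answer matches the wildcard's should be re-checked by other record types or HTTP behaviour before being discarded.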

🧪 Step 5: Filter for Live, Juicy Targets

Tools to Prioritize Targets:

  • httpx – Check for Live Services

    cat all-subdomains.txt | httpx -silent -o live.txt

  • nuclei – Vulnerability Detection Framework

    nuclei -l live.txt -t vulnerabilities/ -o vulns.txt

  • Regex Goldmine

    cat live.txt | grep -E "admin|api|test|dev|staging"

  • waybackurls – Historical Endpoints

    cat live.txt | waybackurls | tee archived.txt

🧠 TL;DR — Subdomain Enumeration Mastery Checklist

  • 🔍 Start passive for stealth and breadth.
  • 💥 Go active to uncover real-time DNS entries and hidden targets.
  • 📜 Analyze JavaScript for internal routes, endpoints, and dev secrets.
  • 🎯 Hunt for wildcards and forgotten shadow zones.
  • 🧪 Use tools like httpx, nuclei, and regex filters to prioritize high-value targets.

🚀 Bonus Tools to Explore:

  • gau – for grabbing archived URLs.
  • gospider – fast content discovery spider.
  • dnsgen – generate permutations intelligently.
  • dirsearch – for digging into discovered subdomains.

Stay sharp, stay stealthy, and may your next recon lead to a $10,000 bounty.
