Tags: Cybersecurity, Bug Bounty, Enumeration

Subdomain Enumeration for Bug Bounty Hunters: Tools & Techniques

Waseem Akram (Researcher, Pentester, Dev)
2025-04-19 | 4 min read

πŸ΄β€β˜ οΈ Subdomain Enumeration for Bug Bounty Hunters: Tools & Techniques

💡 Why Subdomain Enumeration Is a Core Weapon in Bug Bounty Recon

Subdomains are often the weak links in corporate security. While organizations focus on hardening their main applications, internal tools, staging environments, forgotten APIs, and test dashboards are frequently left exposed and under-monitored.

Why Subdomains Are Valuable for Hackers:

  • 🧱 Legacy or Unmaintained Infrastructure: old Jenkins panels, forgotten APIs, legacy WordPress instances.
  • ⚙️ Misconfigurations: permissive CORS policies, open redirects, or improperly protected admin panels.
  • 🐛 High-Impact Vulnerabilities: SSRF, IDOR, RCE, unrestricted file uploads, and more.

🎯 The Mission: Find. Filter. Exploit.

  1. Identify as many subdomains as possible.
  2. Validate which are live and in scope.
  3. Prioritize high-value targets (e.g., dev, admin, internal, staging).
  4. Test them precisely and ethically, within the program's rules.

πŸ” Step 1: Passive Subdomain Enumeration β€” Stealth Mode Activated

Passive reconnaissance avoids direct interaction with the target's infrastructure, keeping you invisible to security logs.

πŸ”§ Top Passive Recon Tools & Techniques:

  • CRT.sh – Certificate Transparency Logs

Advertisement

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

🧠 Pro Tip: Many organizations register internal subdomains in wildcard SSL certificates.

  • Subfinder by ProjectDiscovery

  • subfinder -d target.com -o subdomains.txt

    πŸ“Œ Pulls data from APIs like VirusTotal, Censys, AlienVault, and Shodan.

    Advertisement

  • Amass (Passive Mode)

  • amass enum -passive -d target.com -o passive-amass.txt

    🧠 Pro Tip: Use Amass’ config files to add custom sources like GitHub.

  • Threat Intel APIs (Hackertarget, SecurityTrails)

  • Advertisement

    curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"

    🎁 Bonus: Merge and Deduplicate Results

    cat *.txt | sort -u > all-passive-subdomains.txt
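The merge step above assumes every source emits the same shape of line, which they do not. The following added example (not from the original post) normalizes the formats shown in this section into one in-scope list: HackerTarget's hostname,ip CSV, crt.sh's *.-prefixed names, mixed case and trailing dots, and out-of-scope names that merely contain the apex. The sample lines are constructed; target.com stands in for the program's apex domain.

```shell
#!/bin/sh
# Added example, not from the original post: normalise the raw output of the
# passive sources above into one clean, in-scope list. Input formats handled
# (all constructed for this example):
#   crt.sh (after jq)   *.dev.target.com   or   mail.target.com
#   HackerTarget CSV    api.target.com,203.0.113.10
#   subfinder / amass   one hostname per line
# Usage: normalize_hosts target.com < raw-merged.txt > all-passive-subdomains.txt

normalize_hosts() {
  apex="$1"
  cut -d, -f1 \
  | tr 'A-Z' 'a-z' \
  | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' \
  | awk -v apex="$apex" '
      # keep the apex itself
      $0 == apex { print; next }
      # keep names that end in ".apex" (so nottarget.com stays out)
      # and contain only hostname characters
      substr($0, length($0) - length(apex)) == "." apex && $0 ~ /^[a-z0-9.-]+$/ { print }
    ' \
  | sort -u
}

# constructed sample input: the formats each source emits, with noise mixed in
sample_passive() {
  printf '%s\n' \
    '*.dev.target.com' \
    'Mail.Target.COM.' \
    'api.target.com,203.0.113.10' \
    'api.target.com' \
    'nottarget.com' \
    'evil.example.com' \
    'target.com'
}

sample_passive | normalize_hosts target.com
```

The awk suffix check is what keeps the list in scope: a plain grep for target.com would also accept nottarget.com and target.com.evil.net, both of which are someone else's property and outside any bounty program's scope.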

💥 Step 2: Active Subdomain Enumeration (Time to Get Loud)

Active enumeration sends DNS queries for the target's zone, so it can uncover names no third-party source has indexed: brute-forced labels, permutations of known names, and records that exist only in the authoritative zone. It is also visible to anyone watching the target's nameservers, so stay within the program's scope and rate limits.

🧰 Best Active Recon Tools:

  • dnsx – DNS Bruteforcing Beast

    dnsx -d target.com -w wordlist.txt -o valid.txt

  • Altdns – Permutation + Mutation Generator

    altdns -i all-passive-subdomains.txt -o permutations.txt -w words.txt

    Altdns only generates candidates. Resolve permutations.txt with dnsx or MassDNS afterwards, or add -r -s resolved.txt to have Altdns resolve them itself.

  • MassDNS – High-Speed DNS Resolver

    massdns -r resolvers.txt -t A -o S -w resolved.txt domains.txt

    Use a fresh, validated resolvers.txt; stale public resolvers return wrong or poisoned answers that pollute your results.

  • AXFR – Zone Transfer Testing

    dig axfr @ns1.target.com target.com

    Try every authoritative nameserver (dig NS target.com lists them). A correctly configured server answers "Transfer failed." or REFUSED; on the rare occasion one does answer, you get the entire zone in a single request.

  🎁 Bonus Tool: DNSDumpster.com

  Visualize DNS records, mail servers, and subdomains in a neat graph.
🔎 Step 3: JS File Recon (Where Devs Leave Skeletons in Closets)

Public JavaScript files often contain hardcoded API keys, endpoints, and dev or internal hostnames, because bundlers ship whatever the developers referenced.

Tools for JS Recon:

  • Katana – Modern Crawler for JavaScript

    katana -u "https://target.com" -d 2 -jc -o js-files.txt

    Katana outputs URLs, not file contents; -jc makes it crawl inside JavaScript as well. Add -sr to store the responses on disk so you can grep the JS bodies themselves.

  • Grep Out Subdomains from JS

    grep -Eo "https?://[a-zA-Z0-9./?=_-]*" js-files.txt | grep target.com

    This only catches full URLs. Bare hostnames in string literals and JSON-escaped URLs (https:\/\/api.target.com) slip past it.

  • LinkFinder (by Gerben Javado)

    python3 linkfinder.py -i https://target.com/app.js -o output.html

    LinkFinder takes one URL, file, or folder per run, so loop over the JS URLs Katana found or point -i at the folder of stored responses.
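The grep one-liner above misses the forms hostnames actually take inside bundled JavaScript. The following added example (not from the original post, and not part of Katana or LinkFinder) pulls every hostname under the apex out of JS text, including JSON-escaped slashes, bare hostnames in string literals and comments, websocket URLs, and mixed case. The JS snippet is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: pull every hostname under the
# target apex out of JavaScript, catching the cases the plain URL grep above
# misses: JSON-escaped slashes (https:\/\/), bare hostnames in string literals
# and comments, websocket URLs, and mixed case. The JS below is constructed.
# Usage: cat stored-responses/*.js | extract_js_hosts target.com

extract_js_hosts() {
  apex="$1"
  # escape the dots in the apex so they match literally in the regex
  apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')
  sed 's#\\/#/#g' \
  | grep -Eio "([a-z0-9-]+\.)+${apex_re}" \
  | tr 'A-Z' 'a-z' \
  | sort -u
}

# constructed sample: the patterns real bundles contain
sample_js() {
  printf '%s\n' \
    'var API = "https:\/\/api-v2.target.com\/v1";' \
    'const ws = new WebSocket("wss://ws.target.com:8443/socket");' \
    'fetch("//cdn.target.com/app.js");' \
    '// TODO: remove internal-admin.target.com before release' \
    'var other = "https://notarget.com/x", old = "http://Staging.Target.com/";'
}

sample_js | extract_js_hosts target.com
```

Because the regex demands at least one label followed by a literal dot before the apex, notarget.com is rejected while internal-admin.target.com in a developer comment is kept. Feed the result back into Step 5's httpx check.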

    πŸ•΅οΈβ€β™‚οΈ Step 4: Discovering Wildcard & Shadow Subdomains

    Tools for Wildcard & Shadow Subdomains:

    • Wildcard Test with dnsx

    echo "randomname123.target.com" | dnsx -a -resp-only
  • Shadow Subdomains

  • Advertisement

    subfinder -d staging.target.com -o shadow.txt
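Once you know the wildcard's answer IPs, the MassDNS output from Step 2 still has to be cleaned. The following added example (not from the original post, and not dnsx's built-in -wd filter) reads MassDNS "-o S" lines and keeps only hosts that have at least one A record outside the wildcard set. The wildcard IPs and the resolved lines are constructed; the comment shows how to collect the real wildcard IPs with dnsx.

```shell
#!/bin/sh
# Added example, not from the original post: strip wildcard noise from MassDNS
# "-o S" output. The wildcard IP set and the resolved lines below are
# constructed; in practice fill wildcard-ips.txt by resolving a few random
# labels, e.g.
#   for i in 1 2 3; do printf '%s.target.com\n' "$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"; done \
#     | dnsx -a -resp-only | sort -u > wildcard-ips.txt
# Resolve several names: wildcards often round-robin over more than one IP.
# Usage: filter_wildcard wildcard-ips.txt < resolved.txt

filter_wildcard() {
  wildfile="$1"   # one wildcard IP per line
  awk -v wildfile="$wildfile" '
    BEGIN { while ((getline ip < wildfile) > 0) wild[ip] = 1 }
    {
      host = $1
      sub(/\.$/, "", host)           # drop the trailing dot MassDNS prints
      seen[host] = 1
      # an A record outside the wildcard set is real infrastructure;
      # a CNAME is never wildcard noise here, so keep it and check where it points later
      if ($2 == "A" && !($3 in wild)) real[host] = 1
      if ($2 == "CNAME") real[host] = 1
    }
    END { for (h in seen) if (h in real) print h }
  ' | sort
}

# constructed MassDNS "-o S" output: www and api are real, asdf is wildcard-only
sample_resolved() {
  printf '%s\n' \
    'www.target.com. A 203.0.113.10' \
    'asdf.target.com. A 198.51.100.5' \
    'api.target.com. A 198.51.100.6' \
    'api.target.com. A 203.0.113.20' \
    'cdn.target.com. CNAME edge.example.net.'
}

# constructed wildcard answer set
sample_wildcard_ips() {
  printf '198.51.100.5\n198.51.100.6\n'
}

tmp_wild=$(mktemp)
sample_wildcard_ips > "$tmp_wild"
sample_resolved | filter_wildcard "$tmp_wild"
rm -f "$tmp_wild"
```

Note that api.target.com survives even though one of its answers is a wildcard IP: a host with any non-wildcard address is real. Wildcards can differ per record type and per nesting level, so repeat the random-label test for sub-zones such as staging.target.com before filtering their results.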

🧪 Step 5: Filter for Live, Juicy Targets

Tools to Prioritize Targets:

  • httpx – Check for Live Services

    cat all-subdomains.txt | httpx -silent -o live.txt

    Add -sc -title to capture the status code and page title; a 401 or 403 on admin.target.com tells you more than a bare URL does.

  • nuclei – Vulnerability Detection Framework

    nuclei -l live.txt -t vulnerabilities/ -o vulns.txt

  • Regex Goldmine

    cat live.txt | grep -E "admin|api|test|dev|staging"

  • waybackurls – Historical Endpoints

    cat all-subdomains.txt | waybackurls | tee archived.txt

    waybackurls expects bare hostnames on stdin, so feed it the hostname list rather than httpx's URL output.
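The regex filter above is binary: a host either matches or it does not. The following added example (not from the original post, and not a feature of httpx) scores the "url [status] [title]" lines that httpx -silent -sc -title prints, so the list comes back ordered by how interesting each host looks. The keyword weights are this example's own heuristic and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: rank httpx output instead of just
# grepping it. Expects the line format "url [status] [title]" that
# httpx -silent -sc -title prints. The keyword weights are this example's own
# heuristic, and the sample lines are constructed.
# Usage: cat all-subdomains.txt | httpx -silent -sc -title | rank_targets

rank_targets() {
  awk '
    {
      url = $1
      host = url
      sub(/^[a-z]+:\/\//, "", host)        # strip scheme
      sub(/[\/:].*$/, "", host)            # strip port and path
      status = $2
      gsub(/\[|\]/, "", status)
      score = 0
      if (host ~ /(^|[.-])(admin|internal|vpn|jenkins|grafana)([.-]|$)/) score += 5
      if (host ~ /(^|[.-])(api|dev|staging|stage|test|uat|qa)([.-]|$)/)  score += 3
      if (status == 401 || status == 403) score += 2   # an auth wall means something worth protecting
      if (status ~ /^5/)                  score += 2   # server errors hint at unmaintained services
      if (status == 200)                  score += 1
      printf "%d %s %s\n", score, status, url
    }' | sort -k1,1nr -k3
}

# constructed httpx -silent -sc -title output
sample_httpx() {
  printf '%s\n' \
    'https://admin.target.com [403] [Admin Login]' \
    'https://api.target.com [200] [Swagger UI]' \
    'https://www.target.com [200] [Home]' \
    'https://old-dev.target.com [503] [Service Unavailable]' \
    'http://jenkins.target.com [401] []'
}

sample_httpx | rank_targets
```

The keyword regex is anchored on label boundaries so that "api" matches api.target.com and old-dev.target.com matches "dev", but a host like rapid.target.com does not get credit for containing "api". Tune the word lists to the program; the point is to read the top of the list first rather than work through live.txt alphabetically.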

🧠 TL;DR: Subdomain Enumeration Mastery Checklist

  • 🔍 Start passive for stealth and breadth.
  • 💥 Go active to uncover brute-forceable and unindexed DNS entries, then strip the wildcard noise.
  • 📜 Analyze JavaScript for internal routes, endpoints, and dev secrets.
  • 🎯 Hunt for wildcards and nested (shadow) subdomains.
  • 🧪 Use tools like httpx, nuclei, and regex filters to prioritize high-value targets.

🚀 Bonus Tools to Explore:

  • gau – grabs archived URLs from the Wayback Machine and similar sources.
  • gospider – fast content discovery spider.
  • dnsgen – generates permutations intelligently.
  • dirsearch – for digging into discovered subdomains.

Stay sharp, stay stealthy, and may your next recon lead to a $10,000 bounty.
