🏴‍☠️ Subdomain Enumeration for Bug Bounty Hunters: Tools & Techniques

💡 Why Subdomain Enumeration Is a Core Weapon in Bug Bounty Recon

Subdomains are often the weak links in corporate security. While organizations focus on hardening their main applications, internal tools, staging environments, forgotten APIs, and test dashboards are frequently left vulnerable.

Why Subdomains Are Valuable for Hackers:

🧱 Legacy or Unmaintained Infrastructure: Old Jenkins panels, forgotten APIs, legacy WordPress instances.
⚙️ Misconfigurations: CORS issues, open redirects, or improperly protected admin panels.
🐛 High-Impact Vulnerabilities: SSRF, IDOR, RCE, unrestricted file uploads, and more.

🎯 The Mission: Find. Filter. Exploit.

Identify as many subdomains as possible.
Validate which are live and exploitable.
Prioritize high-value targets (e.g., dev, admin, internal, staging).
Launch precise, ethical attacks.

🔍 Step 1: Passive Subdomain Enumeration — Stealth Mode Activated

Passive reconnaissance avoids direct interaction with the target's infrastructure, keeping you invisible to security logs.

🔧 Top Passive Recon Tools & Techniques:

CRT.sh – Certificate Transparency Logs

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

🧠 Pro Tip: Many organizations register internal subdomains in wildcard SSL certificates.

Subfinder by ProjectDiscovery

subfinder -d target.com -o subdomains.txt

📌 Pulls data from APIs like VirusTotal, Censys, AlienVault, and Shodan.

Amass (Passive Mode)

amass enum -passive -d target.com -o passive-amass.txt

🧠 Pro Tip: Use Amass’ config files to add custom sources like GitHub.

Threat Intel APIs (Hackertarget, SecurityTrails)

curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"

🎁 Bonus: Merge and Deduplicate Results

cat *.txt | sort -u > all-passive-subdomains.txt

💥 Step 2: Active Subdomain Enumeration — Time to Get Loud

Active enumeration uncovers hidden, dynamically generated, and unindexed subdomains.

🧰 Best Active Recon Tools:

dnsx — DNS Bruteforcing Beast

dnsx -d target.com -w wordlist.txt -o valid.txt

Altdns — Permutation + Mutation Generator

altdns -i all-passive-subdomains.txt -o permutations.txt -w words.txt

MassDNS — High-Speed DNS Resolver

massdns -r resolvers.txt -t A -o S -w resolved.txt domains.txt

AXFR — Zone Transfer Testing

dig axfr @ns1.target.com target.com

🎁 Bonus Tool: DNSDumpster.com

Visualize DNS records, mail servers, and subdomains in a neat graph.

🔎 Step 3: JS File Recon – Where Devs Leave Skeletons in Closets

Public JavaScript files often contain hardcoded API keys, endpoints, and dev URLs.

Tools for JS Recon:

Katana — Modern Crawler for JavaScript

katana -u "https://target.com" -d 2 -o js-files.txt

Grep Out Subdomains from JS

grep -Eo "https?://[a-zA-Z0-9./?=_-]*" js-files.txt | grep target.com

LinkFinder (by @Gwen001)

python3 linkfinder.py -i js-files.txt -o output.html

🕵️‍♂️ Step 4: Discovering Wildcard & Shadow Subdomains

Tools for Wildcard & Shadow Subdomains:

Wildcard Test with dnsx

echo "randomname123.target.com" | dnsx -a -resp-only

Shadow Subdomains

subfinder -d staging.target.com -o shadow.txt

🧪 Step 5: Filter for Live, Juicy Targets

Tools to Prioritize Targets:

httpx – Check for Live Services

cat all-subdomains.txt | httpx -silent -o live.txt

nuclei – Vulnerability Detection Framework

nuclei -l live.txt -t vulnerabilities/ -o vulns.txt

Regex Goldmine

cat live.txt | grep -E "admin|api|test|dev|staging"

waybackurls – Historical Endpoints

cat live.txt | waybackurls | tee archived.txt

🧠 TL;DR — Subdomain Enumeration Mastery Checklist

🔍 Start passive for stealth and breadth.
💥 Go active to uncover real-time DNS entries and hidden targets.
📜 Analyze JavaScript for internal routes, endpoints, and dev secrets.
🎯 Hunt for wildcards and forgotten shadow zones.
🧪 Use tools like httpx, nuclei, and regex filters to prioritize high-value targets.