Bug Bounty Hunting | Reconnaissance | Subdomain Enumeration


Ankeet

Hola Hunters, today I will be sharing a simple yet effective way to gather a large number of useful assets to attack during your bug hunting ventures. This post focuses on one aspect of reconnaissance: subdomain enumeration.

So, before diving into subdomain enumeration, let's briefly talk about what exactly subdomains are, with the help of the illustration below.

[Illustration: pieces of a URL]

As the illustration shows, the subdomain is the part of the hostname that sits to the left of the registered domain (between the protocol and the domain name in the URL). For example, in

https://mail.google.com

the protocol is https, the subdomain is "mail" and the domain is google.com. Each subdomain is a separate DNS name that may point at a different server and a different application, which is exactly why enumerating them widens the attack surface.

Alright, now since we have the basic understanding of what a subdomain is, let us move to the fun part, i.e, subdomain enumeration.

First let’s have a look on the tools we will be using for this purpose:

amass
subfinder
httpx

For the installation of these tools, you can either use the default package-manager of your OS, and if it is not available there, you can use the official GitHub pages for these tools and follow the instructions from there.

Simply running these tools with their default settings is not going to give us the best possible results, so we will apply a few tweaks.

First, we will use amass and subfinder to discover the actual subdomains. But wait, we are going to give these tools a boost!

Both amass and subfinder query online data sources: certificate transparency logs, passive DNS services such as DNSDumpster, search engines and so on. Several of these sources only respond, or only return their full results, when you supply an API key. So the next step is to sign up for those services and add the keys to the tools' configuration files.

The location of these files should be as follows:

For amass,

$HOME/.config/amass/datasources.yaml

and

$HOME/.config/amass/config.yaml

For subfinder,

$HOME/.config/subfinder/provider-config.yaml

Note that, in the case of amass, the config files may not be present initially; the amass project publishes example versions of both files in its GitHub repository, which you can copy into place and edit.

So, say you have signed up with Censys and obtained an API key: add it to the config file of each tool, and repeat this for as many of the supported services as you can. With these keys in place, amass and subfinder can query more sources and return more subdomains, enlarging our attack surface. Treat these files as secrets from now on: they hold credentials for your accounts, so keep them readable only by your own user (for example with chmod 600) and never commit them to a repository.
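As an added example (not from the original post), here is what a minimal subfinder provider-config.yaml looks like once a few keys have been added. The key values are placeholders I made up; the source names follow subfinder's convention of one top-level entry per provider holding a list of keys, and Censys takes the API ID and secret joined by a colon:

```yaml
# $HOME/.config/subfinder/provider-config.yaml  (added example; placeholder values)
censys:
  - "CENSYS_API_ID:CENSYS_API_SECRET"   # API ID and secret, colon-separated
securitytrails:
  - "SECURITYTRAILS_API_KEY"
shodan:
  - "SHODAN_API_KEY"
virustotal:
  - "VIRUSTOTAL_API_KEY"
```

After saving the file, run chmod 600 on it and use subfinder -ls to list the sources it knows about, so you can see which of them you still have no key for.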

Now, we are equipped with all we need to start the actual enumeration.

We will be running both amass and subfinder, to find as many subdomains as possible. Note that subfinder, which only queries passive sources, will finish much faster than amass, which also actively resolves and verifies the names it finds.

To run subfinder, we will use this command

subfinder -all -d <domain-name> -o <output-filename1> -silent

To run amass, we will use this command

amass enum -d <domain-name> | awk '$2 == "(FQDN)" {print $1}' > <output-filename2>

The awk part keeps only the first field of lines whose second field is "(FQDN)", i.e. just the subdomain names. This is needed because amass (version 4 and later) prints each discovery as a graph edge, for example a line of the form "sub.example.com (FQDN) --> a_record --> 203.0.113.10 (IPAddress)", so without the filter the file would also contain IP addresses, netblocks and ASN entries and could not be fed into the next step.

Now we will combine the results from amass and subfinder, keep only the unique subdomains (lower-casing them first, since DNS names are case-insensitive and the two tools do not always agree on case) and write them to one separate file, like this:

cat <output-filename1> <output-filename2> | tr '[:upper:]' '[:lower:]' | sort -u > <outputfile>

Now, to find live subdomains, we will use httpx.

httpx comes with lots of options, and you can use any combination of those to suit your needs. But here, I will share the command that I find really useful in getting efficient returns.

cat <outputfile> | httpx -status-code -location -fc 404 -ss > <finaloutputfile>

This command prints the status code for every subdomain that answers over HTTP(S), except those whose response code is 404 (which -fc filters out), together with the URL we are redirected to when the code is 3xx. Finally, the -ss option takes a screenshot of each page as it renders; httpx needs a headless Chrome or Chromium installation for this and saves the images to disk (under an output directory in the working folder) rather than into the text file. The screenshots are a really useful way to spot pages with interesting, potentially exploitable functionality (login forms, admin panels, stack traces) without opening every page one by one.

One caveat: -fc 404 only looks at the response for the root path, so a host that returns 404 at / but serves live applications under other paths, or on other ports, will be dropped from the output. If you want to keep those hosts, leave out the filter, or re-probe the filtered hosts later with a directory or port scan.
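Putting the steps above together, here is an added example script (mine, not the author's) that runs the whole pipeline for one domain. It assumes subfinder, amass and httpx are installed and have their API keys configured as described. The merge step lives in the normalize_hosts function, which is pure text processing and runs without any of those tools; the hostnames mentioned in its comments are constructed.

```shell
#!/bin/sh
# Added example: end-to-end subdomain recon pipeline for one target domain.
# Assumes subfinder, amass and httpx are on PATH with API keys already configured.
set -eu

# normalize_hosts DOMAIN
# Reads candidate hostnames on stdin and writes a clean, deduplicated list:
#  - lower-cases everything (DNS is case-insensitive; tools differ in what they emit)
#  - strips whitespace/CR, trailing dots and a leading "*." wildcard label
#  - drops anything that is not DOMAIN itself or a subdomain of it, so constructed
#    junk like "notexample.com" or "sub.example.com.evil.com" does not get probed
normalize_hosts() {
  domain="$1"
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e 's/^\*\.//' \
    | awk -v d="$domain" '
        length($0) > 0 && $0 !~ /^[.]/ &&
        ($0 == d || substr($0, length($0) - length(d)) == "." d)' \
    | sort -u
}

# enumerate DOMAIN OUTDIR
# Runs both discovery tools, merges and filters their results, then probes
# the survivors with httpx. Screenshots (-ss) are written by httpx to disk,
# not into live.txt, and need a headless Chrome/Chromium to be installed.
enumerate() {
  domain="$1"
  out="$2"
  mkdir -p "$out"

  subfinder -all -silent -d "$domain" -o "$out/subfinder.txt"

  # amass v4 prints graph edges; keep only the FQDN names
  amass enum -d "$domain" \
    | awk '$2 == "(FQDN)" {print $1}' > "$out/amass.txt"

  cat "$out/subfinder.txt" "$out/amass.txt" \
    | normalize_hosts "$domain" > "$out/all.txt"

  # No -fc 404 here on purpose: a 404 at / does not mean the host is dead.
  httpx -l "$out/all.txt" -silent -status-code -location -title -ss \
    -o "$out/live.txt"

  printf '%s candidate hosts, %s answering over HTTP(S)\n' \
    "$(wc -l < "$out/all.txt")" "$(wc -l < "$out/live.txt")"
}

# usage: sh recon.sh example.com recon-out
if [ "$#" -ge 1 ]; then
  enumerate "$1" "${2:-recon-out}"
fi
```

The filter in normalize_hosts matters more than it looks: passive sources occasionally return names that merely contain the target string, and probing (or screenshotting) hosts outside the program's scope is how recon turns into an out-of-scope incident.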

That's it! You now have a long list of live subdomains and a much larger attack surface. Before you start testing, check each host against the program's scope, since discovery tools do not know which assets you are allowed to touch. I hope you learnt something new from this article and will integrate a few of these tips into your own recon methodology. Now you can happily go out there and start hacking your way to big bounties :)

