The Ultimate Guide to Subdomain Enumeration for Bug Bounty Hunters

Photo by Kevin Ku on Unsplash

In the world of bug bounty hunting, discovering subdomains is often the first step toward finding valuable vulnerabilities. A wider attack surface means more opportunities to find security issues, and subdomains frequently contain less-hardened applications than main company domains.

This comprehensive guide will walk you through the most effective subdomain enumeration tools and techniques, followed by a practical implementation that automates the entire process.

Before diving into the tools, let’s understand why subdomain enumeration is crucial:

Expanded Attack Surface: Organizations often have countless subdomains running different applications and services.Less Security Focus: Secondary applications may receive less security attention than flagship properties.Legacy Systems: Forgotten subdomains might run outdated, vulnerable software.Development Environments: Test/staging environments on subdomains may contain sensitive data or lack proper security controls.

Let’s examine the key tools that make up our subdomain discovery arsenal:

What it is: Certificate Transparency (CT) is a system for publicly logging all issued SSL/TLS certificates. The crt.sh service indexes these logs and makes them searchable.

How it works: When an organization requests an SSL certificate for a domain or subdomain, this information becomes part of public CT logs. By querying these logs, we can discover subdomains that have had SSL certificates issued for them.

Strengths:

Highly reliable source of subdomain informationContains historical data going back several yearsOften reveals subdomains not found through other methods

Example query:

SELECT ci.NAME_VALUE FROM certificate_and_identities ci
WHERE plainto_tsquery('certwatch', 'example.com') @@ identities(ci.CERTIFICATE)

What it is: Subfinder is a subdomain discovery tool designed by ProjectDiscovery that discovers valid subdomains using passive online sources.

How it works: It queries over 30 different sources including:

Certificate transparency logsDNS aggregatorsWHOIS dataWeb archivesPublic datasets

Strengths:

Fast and efficient, capable of discovering thousands of subdomains in minutesSupports API keys for better resultsHighly configurable output optionsRegular updates with new data sources

Example usage:

subfinder -d example.com -all -silent

What it is: Chaos is another tool from ProjectDiscovery that provides access to their extensive DNS dataset.

How it works: ProjectDiscovery maintains a database of subdomains discovered from various sources. Chaos allows you to query this dataset using their API.

Note that to use chaos we need API key that issue by the Chaos Beta

Strengths:

Provides access to a continuously updated datasetOften finds unique subdomains not discoverable through other meansSimple, straightforward API

Example usage:

chaos -d example.com -silent

What it is: GAU is a tool that fetches known URLs from multiple sources for a given domain.

How it works: It queries various web archives and sources like the Wayback Machine, Common Crawl, and AlienVault to find previously captured URLs for a domain.

Strengths:

Discovers both subdomains and URL pathsFinds historically available content that might be missed by active enumerationOften reveals unusual subdomains used for specific purposes

Example usage:

gau example.com --threads 10 --subs | unfurl -u domains

What it is: The Internet Archive’s Wayback Machine saves snapshots of websites over time, creating a historical record of web content.

How it works: By querying the Wayback Machine’s CDX API, we can retrieve all URLs it has archived for a given domain, which often includes subdomains.

Strengths:

Extensive historical data going back decadesOften contains references to forgotten or deprecated subdomainsCan reveal development or testing subdomains that were once publicly accessible

Example usage:

curl -s "https://web.archive.org/cdx/search/cdx?url=*.example.com/*&fl=original&collapse=urlkey" | unfurl -u domains

What it is: AbuseIPDB provides WHOIS information that sometimes includes subdomain information for a given domain.

How it works: By querying their WHOIS service, we can extract subdomain information that may be included in the records.

Strengths:

Sometimes reveals subdomains not found through other sourcesProvides additional context about domain ownership and registrationSimple to query via their web interface

Example usage:

curl -s "https://www.abuseipdb.com/whois/example.com" -H "user-agent: Mozilla/5.0" -b "abuseipdb_session=YOURSESSION"

What it is: Subdomain.center is a specialized API service that aggregates subdomain information from various sources.

How it works: It maintains its own dataset of subdomains and provides a simple API for querying.

Strengths:

Easy to use with a simple APIRegularly updated with new subdomain informationOften finds unique results

Example usage:

curl -s "https://api.subdomain.center/?domain=example.com" | jq -r '.[]'

Now that we understand the individual tools, let’s look at how we can bring them all together in a single, automated script that makes subdomain enumeration effortless that called THEXRECON.

Our solution is a bash script that:

Organizes target domains by program (e.g., Google, Microsoft)Runs all enumeration techniques for each domainDeduplicates and stores results in a structured directoryProvides simple command-line options for flexible usageMulti-program Support: Organize domains by bug bounty programComprehensive Tool Integration: Leverages all seven enumeration methodsClean Result Management: Automatically organizes, deduplicates, and sorts resultsError Handling: Continues execution even if individual tools failFiltering: Removes invalid and wildcard subdomainsFlexible Execution: Run against all programs or target specific ones

The script is organized into distinct functions:

Data Collection Functions:Each tool has its own dedicated function (abuseipdb, subcenter, nice_subfinder, etc.)Functions handle their own error handling and result filteringProcessing Functions:process_domain: Runs all enumeration functions for a single domainmain: Processes all programs and domainsUtility Functions:check_dependencies: Verifies required tools are installedCommand-line argument parsing for flexible execution

Setting up and using our framework is straightforward:

Installation:git clone https://github.com/thexnumb/thexrecon.git
cd thexrecon
chmod +x thexrecon.sh

2. Adding Target Programs: Create files in the programs/ directory with one domain per line:

# programs/google.txt
google.com
youtube.com
android.com

3. Running the Script:

# Process all programs
./thexrecon.sh

# Process a specific program
./thexrecon.sh -p google

# Process a specific domain
./thexrecon.sh -p google -d google.com

4. Reviewing Results: Results are stored in the subdomains/ directory, organized by program and domain:

subdomains/google/google.com.txt
subdomains/google/youtube.com.txt

When building this framework, we encountered several challenges:

API Rate Limits:Solution: Implemented error handling to continue execution if a particular source failsFuture improvement: Add rate limiting and retry logic

2. Invalid Results:

Solution: Added filtering to remove clearly invalid entries and wildcardsEach function includes specific filtering logic tailored to its output

3. Tool Dependencies:

Solution: Added dependency checking before executionAdded alternative methods for some sources (e.g., curl fallback for crt.sh)

4. Performance Optimization:

Used temporary files and efficient text processing to handle large datasetsImplemented parallel execution where appropriate

THERECON isn’t just theoretical — it’s a practical tool that can significantly enhance your bug bounty workflow:

Initial Reconnaissance: Run it against a new program to quickly map out the attack surfaceContinuous Monitoring: Schedule regular runs to discover new subdomainsTargeted Campaigns: Focus on specific high-value domains within larger programs

For more advanced users, consider these enhancements(maybe added to the THEXRECON):

Custom Data Sources:Add your own functions for additional enumeration techniquesIntegrate DNS brute forcing with tools like MassDNS

2. Result Analysis:

Pipe results to tools like httpx to check for live hostsIntegrate with vulnerability scanners for automatic testing

3. Notification System:

Add logic to notify you when new subdomains are discoveredImplement comparison with previous results to highlight changes

Subdomain enumeration is a critical first step in the bug bounty hunting process. By leveraging multiple data sources and automation, you can quickly discover a wider attack surface than your competition.

THEXRECON brings together the best tools in a single, easy-to-use script that handles the complexity for you. Whether you’re a seasoned bug bounty hunter or just getting started, this solution will save you time and help you find more vulnerabilities.

Ready to expand your attack surface? Clone the repository, set up your target programs, and start discovering subdomains today!