Subdomain enumeration is one of the most crucial skills in bug bounty hunting and ethical hacking. Without proper recon, you miss the majority of a company’s attack surface. Modern online infrastructures include dozens—sometimes hundreds—of hidden systems such as:
- Development servers
- Staging and QA environments
- Internal dashboards
- Legacy APIs
- Mobile endpoints
- Backup or forgotten subdomains
What Is Subdomain Enumeration and Why Is It Important in Bug Bounty Recon?
Subdomain enumeration is the process of discovering all domain names associated with a target organization. For example:
dev.company.com
admin.company.com
api.company.com
staging.company.com
login.company.com
Finding these hidden subdomains is critical for discovering weaknesses like:
- Exposed admin panels
- Leaky staging servers
- Weak development systems
- Vulnerable old applications
- API misconfigurations
- Third-party integrations
Passive Subdomain Enumeration (OSINT-Based & Stealthy)
Passive enumeration is the safest and stealthiest way to expand your attack surface. These tools query third-party data sources (certificate transparency logs, passive DNS archives, search and threat-intel APIs) rather than the target's own infrastructure, so they generate no traffic the target can see, which makes them ideal for initial recon. The names they return are unresolved: confirm them with dnsx before acting on them.
Subfinder — Fast and Reliable Passive Finder
subfinder -d target.com -all -o subfinder.txt
Subfinder is excellent for discovering subdomains through public OSINT sources. It is fast and efficient; -all queries every configured source, which is slower than the default set but more complete. Add API keys for the paid sources to its provider config to get the most out of it.
Amass Passive Mode — Deep Historical Recon
amass enum -passive -d target.com -o amass_passive.txt
Amass is famous for its deep data sources. It pulls subdomains from:
- VirusTotal
- Passive DNS archives
- Certificate Transparency logs
- Shodan
- RDAP
- Domain discovery APIs
This is one of the most powerful tools for discovering old or forgotten subdomains.
Assetfinder — Quick Supplemental OSINT
assetfinder --subs-only target.com > assetfinder.txt
Great for capturing additional domains that Subfinder or Amass may miss.
Extracting Subdomains from Wayback Machine (Historical URLs)
waybackurls target.com | unfurl -u domains | sort -u > wayback.txt
Archived URLs reveal past references to internal systems; unfurl -u domains reduces each URL to its unique hostname.
Many companies forget to remove old infrastructure, making this technique incredibly valuable.
Active Subdomain Enumeration & Brute Force (Finding Hidden Services)
Active enumeration interacts directly with DNS to uncover subdomains that don’t appear in public databases.
Gobuster DNS — Quick DNS Brute Force
gobuster dns -d target.com -w wordlist.txt -o gobuster.txt
Typical wordlist hits include names such as:
- dev
- api
- staging
- admin
- portal
- beta
- internal
These names often lead to sensitive or unprotected systems.
Amass Brute Force (Clean Output Only)
amass enum -brute -d target.com -w wordlist.txt -silent | awk '{print $1}' | sort -u
This keeps only the first field of each output line, dropping the A, MX and CNAME record details that newer Amass versions print next to each name. Check your version's output format first: if -silent suppresses stdout entirely, drop the flag or write results with -o and post-process that file instead.
Permutation Attacks (dnsgen + dnsx) — Finding Pattern-Based Subdomains
Developers often reuse naming patterns.
If you find:
api.target.com
dev.target.com
Then dnsgen might reveal:
api-dev.target.com
dev-api.target.com
api-v2.target.com
staging-api.target.com
old-api.target.com
Generate Subdomain Permutations
dnsgen subs.txt > mutated.txt
Clean the results:
sort -u mutated.txt > mutated_clean.txt
Resolve Mutations Using dnsx
dnsx -l mutated_clean.txt -resp -silent > permuted_resolved.txt
Extract valid subdomains:
cat permuted_resolved.txt | awk '{print $1}' | sort -u > permuted_subdomains.txt
Or use the one-liner:
cat subs.txt | dnsgen - | sort -u | dnsx -silent -resp | awk '{print $1}' | sort -u > permuted_subdomains.txt
Permutations are cheap to generate and resolve, and this step alone often turns up a large number of hidden assets. Two caveats: the candidate list grows quickly with the number of known labels, so give dnsx a good resolver list, and check for wildcard DNS first, because a wildcard makes every permutation resolve and fills the output with false positives.
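To make the permutation logic visible without a network, here is an added example (not from the original post, and not dnsgen's own code) that builds the same kind of candidates from the labels already seen in a list of known subdomains. The root domain target.com, the small word list and the sample input are assumptions; a real run uses dnsgen's much larger built-in list.

```shell
# Added example: offline stand-in for the dnsgen step.
# ROOT and WORDS are assumptions, not values from the original post.
ROOT="target.com"
WORDS="dev staging old v2 api internal"

# Read known subdomains of $ROOT on stdin (one per line) and print new
# candidates built from their labels: label-word, word-label, label.word,
# word.label and the bare word. Names already in the input are not repeated,
# and hosts outside the root domain are ignored as out of scope.
gen_permutations() {
    awk -v root="$ROOT" -v words="$WORDS" '
    function emit(h) { if (!(h in known) && !(h in seen)) { seen[h] = 1; print h } }
    BEGIN { n = split(words, w, " "); suffix = "." root }
    {
        host = tolower($0); sub(/\.$/, "", host)
        # skip anything that is not under the root domain
        if (substr(host, length(host) - length(suffix) + 1) != suffix) next
        known[host] = 1
        left = substr(host, 1, length(host) - length(suffix))
        m = split(left, lab, ".")
        for (i = 1; i <= m; i++) labels[lab[i]] = 1
    }
    END {
        for (l in labels) for (i = 1; i <= n; i++) {
            if (l == w[i]) continue
            emit(l "-" w[i] suffix); emit(w[i] "-" l suffix)
            emit(l "." w[i] suffix); emit(w[i] "." l suffix)
        }
        for (i = 1; i <= n; i++) emit(w[i] suffix)
    }' | sort -u
}

# Constructed input standing in for subs.txt.
sample_subs() {
    printf 'api.target.com\ndev.target.com\nwww.other.com\n'
}

# Usage: feed known names in, pipe the result to dnsx as in the one-liner above.
sample_subs | gen_permutations
```

The output is the unresolved candidate list; everything in it still has to go through dnsx, and the wildcard check described above applies before trusting any of the hits.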
ASN-Based Subdomain Discovery (IP Range Recon)
For companies that own their IP ranges, ASN-based discovery is extremely powerful. It helps find assets that may not be listed in DNS at all.
Find the Company's ASNs
amass intel -org "Company Name"
Each output line is an ASN number followed by its registered description; the -whois flag only applies to domain input and does nothing here. Amass does not print the netblocks themselves, so pull the announced prefixes for each ASN from a routing registry (RADb here) and keep only the CIDR notation:
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+' > cidr.txt
Replace AS12345 with each number Amass printed and append the results to cidr.txt.
Expand IP Ranges Into Individual IPs
mapcidr -cidr cidr.txt -o ips.txt
Reverse DNS Lookup to Discover Subdomains
dnsx -ptr -resp -l ips.txt -silent > ptr_output.txt
Filter Only Clean Subdomains
cat ptr_output.txt | awk '{print $NF}' | tr -d '[]' | sed 's/\.$//' | sort -u > asn_subdomains.txt
dnsx wraps responses in square brackets and PTR names carry a trailing dot, hence the tr and sed steps.
Note: This works only if the company controls its own IP ranges.
If PTR records belong to ISPs (e.g., Zayo, Akamai, Cloudflare), this method will show provider domains instead.
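The provider-PTR problem above is easy to handle at filter time. The following added example (not from the original post) cleans dnsx-style "-ptr -resp" lines and keeps only names at or under the scope root, discarding CDN and ISP pool names as well as look-alike domains. The sample lines are constructed to mimic dnsx output and use documentation IP addresses; target.com is the assumed scope root.

```shell
# Added example: filter reverse-DNS results down to in-scope hostnames.
# Sample lines are constructed (documentation addresses, made-up PTR names).
sample_ptr_output() {
    cat <<'EOF'
203.0.113.10 [mail.target.com.]
203.0.113.11 [vpn-gw.target.com.]
203.0.113.12 [a203-0-113-12.deploy.static.akamaitechnologies.com.]
203.0.113.13 [host-203-0-113-13.isp.example.net.]
203.0.113.14 [TARGET.COM.]
203.0.113.15 [legacy.target.community.]
EOF
}

# Take the last field of each line (the PTR name), strip the brackets, the
# trailing dot and upper case, then keep only names equal to the root given
# as $1 or ending in ".<root>". Provider PTRs and look-alikes such as
# target.community fail the suffix test and are dropped.
ptr_to_subdomains() {
    awk -v root="$1" '
    {
        h = tolower($NF)
        gsub(/\[|\]/, "", h)
        sub(/\.$/, "", h)
        if (h == root || substr(h, length(h) - length(root)) == "." root) print h
    }' | sort -u
}

# Usage: dnsx -ptr -resp -l ips.txt -silent | ptr_to_subdomains target.com
sample_ptr_output | ptr_to_subdomains target.com
```

Running it with the root set to a provider name instead (for example akamaitechnologies.com) shows what the filter would have let through, which is a quick way to see how much of a range is really the target's.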
JavaScript Recon — Extracting Subdomains Hidden in JS Files
JavaScript files frequently expose:
- API endpoints
- Internal development servers
- Mobile service URLs
- OAuth callback hosts
- Deprecated systems
This is one of the most undervalued recon techniques.
Crawl Target and Collect JS URLs
katana -u https://target.com -js-crawl -silent -o js_urls.txt
Extract Only .js Files
grep -E '\.js(\?|$)' js_urls.txt > js_files.txt
The anchored pattern avoids pulling in .json and .jsp URLs.
Extract Domain Names from JavaScript Contents
cat js_files.txt | xargs -I % curl -s % | grep -oE '[A-Za-z0-9._-]+\.[A-Za-z]+' > js_domains_raw.txt
The regex is deliberately loose and also matches things like window.location and file names, which is why the next filter step is needed.
Filter Subdomains of the Target
grep -E '(^|\.)target\.com$' js_domains_raw.txt | sort -u > js_subdomains.txt
A bare grep "target.com" would also match unrelated names such as target.community or nottarget.com, so anchor the pattern to a label boundary and the end of the line.
One-Line JavaScript Recon Pipeline
katana -u https://target.com -js-crawl -silent | unfurl -u domains | grep -E '(^|\.)target\.com$' | sort -u > js_subdomains.txt
Developers often leave internal URLs inside JS files, and those hosts rarely appear in any DNS data source.
This technique regularly uncovers high-impact systems.
Complete Bug Bounty Recon Workflow
- Run Subfinder + Assetfinder + Amass passive
- Extract archived subdomains via Wayback Machine
- Resolve all hostnames using dnsx
- Run DNS brute force using Gobuster
- Run Amass brute force for deeper discovery
- Generate permutations with dnsgen
- Resolve them with dnsx
- Perform ASN-based enumeration
- Extract subdomains using JavaScript recon
- Merge all results and sort -u
- Use httpx to find live hosts
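The merge step, and the scope filtering the JavaScript section relies on, both hit the same problem: tool outputs are not uniform (full URLs, ports, wildcard names, trailing dots, extra record columns) and a naive grep for the root domain also matches look-alikes. Here is an added example (not from the original post) of the "merge all results and sort -u" step done scope-safely. The root domain target.com and the sample lines are constructed assumptions standing in for the concatenation of the files produced above.

```shell
# Added example: normalise mixed recon output and keep only in-scope hosts.
# Sample lines are constructed to look like a cat of the files produced above.
sample_merged_input() {
    cat <<'EOF'
API.target.com
*.staging.target.com
dev.target.com.
https://admin.target.com:8443/login
http://cdn.target.community/app.js
login.target.com,A,203.0.113.5
nottarget.com
evil-target.com
target.com
www.target.com
www.target.com
EOF
}

# Reduce every line to a bare lowercase hostname (drop scheme, path/query,
# CSV columns, port, leading "*." and trailing dot), throw away anything that
# is not hostname-shaped, then keep only the root ($1) itself or names ending
# in ".<root>", deduplicated. The root's dots are escaped so "target.com"
# cannot match "targetXcom".
merge_in_scope() {
    root_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -E 's#^[A-Za-z]+://##; s#[/,?].*$##; s#:[0-9]+$##; s#^\*\.##; s#\.$##' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9.-]+$' \
    | grep -E "(^|\.)${root_re}\$" \
    | sort -u
}

# Usage: cat subfinder.txt amass_passive.txt assetfinder.txt wayback.txt \
#            gobuster.txt permuted_subdomains.txt asn_subdomains.txt \
#            js_subdomains.txt | merge_in_scope target.com > all_subdomains.txt
sample_merged_input | merge_in_scope target.com
```

The cleaned list is what goes into dnsx and then httpx; feeding raw tool output straight to httpx wastes probes on look-alike domains and malformed lines.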