Subdomain Enumeration for Bug Bounty — 4 Kali Tools, One Chain

The first thing any bug bounty hunter or pentester does on a new target is the same: figure out the full attack surface. A program in scope says "*.target.com" — your job is to find every subdomain that resolves to something interesting. The bigger your map, the more chances you have of finding the host nobody else thought to test. This post walks the four-tool chain I run on every engagement, end to end, with real output against `hackerone.com` (an authorized recon target under their own bug bounty program).


The Chain at a Glance

| Step | Role | Input → Output |
|---|---|---|
| `subfinder` | Fast passive enum from many public sources | Subs → file |
| `assetfinder` | Different source mix, catches hosts subfinder misses | Subs → file |
| `amass` | Deepest passive coverage (especially with API keys configured) | Subs → file |
| `sort -u` | Merge + dedupe the three lists | File → master list |
| `httpx-toolkit` | Probe each host live, fingerprint the tech stack | Master list → live services |


Three passive collectors, one merge, one live-probe. No port scans, no brute force — just public data sources stitched together.


What You'll Need

A Kali Linux box (or any Debian/Ubuntu derivative) with the four tools installed. All of them are in the Kali repos:

```bash
sudo apt install subfinder assetfinder amass httpx-toolkit
```


> Heads-up on the `httpx` naming: On Kali, Project Discovery's `httpx` tool is installed as `httpx-toolkit` because there's a name clash with the popular Python `httpx` HTTP client. Same tool, different binary name. If you've used `httpx` on macOS or in a custom Go install, just remember to type `httpx-toolkit` on Kali.


Tool 1 — `subfinder` (Fast Passive Recon)

`subfinder` from ProjectDiscovery is the fastest of the bunch. It hits dozens of passive sources in parallel — certificate transparency logs, search engines, DNS aggregators, archive.org — and outputs hostnames as it finds them. Zero packets sent to the target itself, which makes it perfect to run early without burning OPSEC.

```bash
subfinder -d hackerone.com -silent -o subfinder.txt
```

- `-d` — the root domain.

- `-silent` — suppresses the banner so output is just hostnames, one per line.

- `-o` — write to a file (subfinder also prints to stdout, so you can `tee` if you prefer).


Tool 2 — `assetfinder` (Different Sources)

`assetfinder` by tomnomnom is the second-pass collector. Its data sources overlap with subfinder but aren't identical — it almost always surfaces at least one host the first tool missed. That's the entire reason you chain multiple tools instead of trusting one.

```bash
assetfinder --subs-only hackerone.com | tee assetfinder.txt
```

- `--subs-only` — strips the output down to just the hostnames (otherwise it includes the root domain itself and some IP context).

- `| tee` — watch results scroll by in real time while also writing them to disk.


In my run, `assetfinder` caught `wearehackerone.com` — a related domain that `subfinder` didn't return.


Tool 3 — `amass` (Deeper Coverage)

[OWASP Amass](https://github.com/owasp-amass/amass) is the heavyweight of subdomain enum. Its passive mode pulls from even more data sources than the other two, including some that require API keys. This is where most beginners under-use amass: with no API keys configured, you get a baseline result. With keys configured (Shodan, SecurityTrails, VirusTotal, Censys, etc.), amass becomes a different beast.

```bash
amass enum -passive -d hackerone.com -o amass.txt
```

- `enum` — the enumeration subcommand.

- `-passive` — no DNS brute-forcing, just data-source queries (quiet on the wire).

- `-d` + `-o` — target and output file.


Amass also has an active mode (`amass enum -active -d ...`) that brute-forces DNS names against a wordlist. It's louder and slower but finds hosts nothing else does. For first-pass recon I stay passive.


To configure API keys, edit `~/.config/amass/config.yaml` and add your keys under the `[data_sources]` section. The amass repo has a sample config — well worth 15 minutes of setup if you're doing this regularly.


Merge and Dedupe

Three files, lots of overlap, one combined list:

```bash
cat subfinder.txt assetfinder.txt amass.txt | sort -u > all-subs.txt
wc -l all-subs.txt
```


`sort -u` does the dedup. The output count is your raw attack surface map — every distinct hostname the public internet thinks belongs to this target.
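As an added example (not code from the original post), here is the merge step as a small shell script that normalises hostnames and applies a scope filter before `sort -u`. Collector output is messy in practice: mixed case, `*.` wildcard entries from certificate logs, trailing dots, stray whitespace, and related domains that are not in the program's scope (the `wearehackerone.com` find above is exactly that case). It assumes one hostname per line in each input file, as the three commands above produce; the function names and the sample input files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: merge the three collector
# outputs with normalisation and a scope filter in front of `sort -u`.
# Assumptions: one hostname per line in each input file (as the post's
# commands produce); a single in-scope apex domain passed as an argument.
# Function names and the sample data below are constructed for illustration.

# normalise_hosts: stdin -> stdout, one clean hostname per line.
#   tr   : lowercase (DNS is case-insensitive, so API.x and api.x are one host)
#   sed  : trim whitespace, drop a leading "*." (CT-log wildcards are not
#          probeable hosts), drop a trailing "." (FQDN form from DNS sources)
#   grep : drop lines left empty
normalise_hosts() {
    tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -v '^$'
}

# in_scope APEX: stdin -> stdout, keeps only APEX itself and *.APEX.
# Sibling brand domains a collector surfaces stay out unless the program
# lists them; widen scope deliberately by running merge_subs once per apex.
in_scope() {
    local apex_re
    apex_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -E "(^|\\.)${apex_re}\$"
}

# merge_subs APEX FILE...: the post's dedupe step with the two filters
# above in front of it. Output is sorted and unique.
merge_subs() {
    local apex="$1"
    shift
    cat "$@" | normalise_hosts | in_scope "$apex" | sort -u
}

# count_hosts [FILE]: number of non-empty lines (the post's `wc -l`, minus
# the leading padding some wc builds print).
count_hosts() {
    grep -c . "$@"
}

# make_sample_inputs DIR: writes three constructed collector files that
# exercise the cases the filters handle (case, wildcard, trailing dot,
# indentation, an out-of-scope sibling domain, overlap between tools).
make_sample_inputs() {
    cat > "$1/subfinder.txt" <<'EOF'
www.hackerone.com
api.hackerone.com
*.hackerone.com
EOF
    cat > "$1/assetfinder.txt" <<'EOF'
API.hackerone.com
wearehackerone.com
hackerone.com
docs.hackerone.com.
EOF
    cat > "$1/amass.txt" <<'EOF'
www.hackerone.com
mta-sts.hackerone.com
  support.hackerone.com
EOF
}

# Real-run usage, in place of the post's one-liner:
#   merge_subs hackerone.com subfinder.txt assetfinder.txt amass.txt > all-subs.txt
#   count_hosts all-subs.txt
```

On the constructed sample, the six in-scope hosts survive, `API.hackerone.com` collapses into `api.hackerone.com`, the wildcard collapses into the apex, and `wearehackerone.com` is dropped. Keeping the scope filter as a separate function means the "related domain" question is answered once, against the program's scope text, rather than discovered later when a probe hits something you were not authorised to touch.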


Tool 4 — `httpx-toolkit` (Live Probe + Fingerprint)

A list of hostnames doesn't tell you which ones actually serve traffic, what tech stacks they run, or what status codes they return. `httpx-toolkit` (ProjectDiscovery again) probes each host over HTTP and HTTPS, follows redirects, and reports back with rich metadata.

```bash
cat all-subs.txt | httpx-toolkit -title -tech-detect -status-code -silent
```

- `-title` — pull the page title (great context at a glance).

- `-tech-detect` — fingerprint the stack via Wappalyzer signatures (WordPress, Nginx, Cloudflare, etc.).

- `-status-code` — show the HTTP status (200 = serving content, 404 = the server answers but has nothing at the root path, 301/302 = redirect, etc.).

- `-silent` — skip the banner.


What's Next

You've now got a list of live web services on your target, each annotated with its status code, page title, and detected stack. The next phase is content discovery: hunting for hidden directories, admin panels, and forgotten staging endpoints on each live host.

