Bug Bounty Subdomain Hunting: Pro Tips and Strategies

Introduction to Bug Bounty Subdomain Hunting

Subdomain discovery is often the first and most critical phase of bug bounty hunting. A thorough reconnaissance phase can mean the difference between finding high-impact vulnerabilities and coming up empty-handed. This comprehensive guide shares proven strategies, tools, and methodologies used by successful bug bounty hunters to discover subdomains that others miss.

In the competitive world of bug bounty hunting, the ability to find forgotten, misconfigured, or overlooked subdomains often leads to the most significant findings. These hidden assets frequently contain vulnerabilities that have been missed by automated scanners and other hunters.

The Bug Bounty Mindset

Successful subdomain hunting in bug bounties requires a different approach than traditional penetration testing:

Think Like an Attacker

• Assume nothing is documented: Companies often have forgotten subdomains
• Look for patterns: Naming conventions reveal infrastructure
• Target the edges: Development, staging, and legacy systems
• Think scalable: Techniques that work on multiple targets

Competitive Advantages

• Speed matters: First to find often gets the bounty
• Depth over breadth: Thorough analysis of fewer targets
• Automation is key: Scale your reconnaissance efforts
• Persistence pays: Continue monitoring targets over time

Pre-Hunting Research and Intelligence

Before diving into subdomain enumeration, successful hunters gather intelligence about their targets.

Target Analysis

# Company research checklist
1. Main business domains and subsidiaries
2. Recent acquisitions and mergers
3. Technology stack and cloud providers
4. Development practices and CI/CD
5. Historical security incidents
6. Social media and job postings
7. GitHub repositories and code leaks

Scope Verification

Always verify what's in scope before testing:

• Read the bug bounty policy carefully
• Note excluded domains and IP ranges
• Understand testing limitations and requirements
• Contact the program if scope is unclear

Historical Context

Understanding a target's history provides valuable context:

# Tools for historical analysis
- Wayback Machine (web.archive.org)
- SecurityTrails DNS history
- VirusTotal domain relations
- Certificate transparency historical data
- Shodan historical data

Advanced Subdomain Discovery Techniques

Multi-Source Passive Reconnaissance

Combine multiple passive sources for comprehensive coverage:

Certificate Transparency Deep Dive

# Advanced CT log queries
# Find wildcard certificates
curl -s "https://crt.sh/?q=*.target.com&output=json" | jq -r '.[].name_value' | grep '\*'

# Historical certificate analysis
curl -s "https://crt.sh/?q=%25.target.com&output=json" | \
jq -r '.[] | select(.not_before < "2020-01-01") | .name_value'

# Find certificates by organization
curl -s "https://crt.sh/?O=Target%20Company&output=json"

DNS Intelligence Sources

• VirusTotal: Domain relationships and passive DNS
• SecurityTrails: Historical DNS records
• Shodan: Certificate and banner data
• Censys: Certificate and host discovery
• FOFA: Network asset discovery

Creative Wordlist Generation

Generic wordlists miss target-specific subdomains. Create custom wordlists:

Company-Specific Terms

# Generate company-specific wordlists
Company: "TechCorp"
- tech, corp, techcorp
- tc, techc, tcorp
- Products/services names
- Department names
- Location names
- Executive names

Pattern-Based Generation

#!/bin/bash
# Generate numbered subdomains
for prefix in api app web mail; do
    for i in {1..50}; do
        echo "${prefix}${i}"
        echo "${prefix}-${i}"
        echo "${prefix}_${i}"
    done
done

# Generate environment variations
for env in dev test stage prod; do
    for service in api web app admin; do
        echo "${env}-${service}"
        echo "${env}.${service}"
        echo "${service}-${env}"
    done
done

Technology-Specific Wordlists

# Based on identified technologies
AWS: s3, cloudfront, elastic, ec2, rds
Azure: blob, cdn, vault, sql
GCP: storage, compute, sql, firebase
Kubernetes: k8s, kube, cluster, ingress
Docker: registry, hub, swarm

Permutation and Alteration Techniques

Generate variations of discovered subdomains:

# Altdns-style permutations
Original: api.target.com

Insertions:
- api-v1.target.com
- api-dev.target.com
- api-staging.target.com

Replacements:
- apiv1.target.com
- webapi.target.com
- rest.target.com

Additions:
- api.v1.target.com
- api.internal.target.com
- api.aws.target.com

Automation and Tool Stacking

Successful bug bounty hunters automate repetitive tasks and stack multiple tools.

Multi-Tool Reconnaissance Pipeline

#!/bin/bash
# Comprehensive subdomain discovery pipeline

DOMAIN=$1
OUTPUT_DIR="recon_$DOMAIN"
mkdir -p $OUTPUT_DIR

echo "[+] Starting reconnaissance for $DOMAIN"

# Passive enumeration
echo "[+] Certificate Transparency logs..."
subfinder -d $DOMAIN -all -silent > $OUTPUT_DIR/subfinder.txt

echo "[+] Additional passive sources..."
amass enum -passive -d $DOMAIN -config amass_config.yaml -o $OUTPUT_DIR/amass.txt

echo "[+] DNS aggregation..."
assetfinder --subs-only $DOMAIN > $OUTPUT_DIR/assetfinder.txt

echo "[+] Certificate transparency..."
curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" | \
jq -r '.[].name_value' | sort -u > $OUTPUT_DIR/crtsh.txt

# Combine and deduplicate
cat $OUTPUT_DIR/*.txt | sort -u > $OUTPUT_DIR/passive_all.txt

# Generate permutations
echo "[+] Generating permutations..."
altdns -i $OUTPUT_DIR/passive_all.txt -o $OUTPUT_DIR/permutations.txt -w permutation_words.txt

# Active validation
echo "[+] Validating subdomains..."
httpx -l $OUTPUT_DIR/passive_all.txt -silent -o $OUTPUT_DIR/live_subdomains.txt

# Content discovery
echo "[+] Content discovery on live hosts..."
while read subdomain; do
    gobuster dir -u "https://$subdomain" -w /usr/share/wordlists/common.txt -q >> $OUTPUT_DIR/content_discovery.txt
done < $OUTPUT_DIR/live_subdomains.txt

echo "[+] Reconnaissance complete for $DOMAIN"
wc -l $OUTPUT_DIR/*.txt

Tool Recommendations by Phase

Passive Discovery

• Subfinder: Fast, multiple API integrations
• Amass: Comprehensive, advanced features
• Assetfinder: Simple, effective for basic enumeration
• Findomain: Fast with multiple sources

Active Enumeration

• Gobuster: Fast directory and DNS brute forcing
• FFuF: High-performance fuzzing
• MassDNS: Mass DNS resolution
• DNSGen: Intelligent subdomain generation

Validation and Analysis

• HTTPx: Fast HTTP probing
• Aquatone: Visual inspection of websites
• Subjack: Subdomain takeover detection
• Nuclei: Vulnerability scanning

Finding High-Value Targets

Not all subdomains are created equal. Focus on finding high-value targets that are more likely to contain vulnerabilities.

High-Priority Subdomain Patterns

• Development environments: dev, staging, test, qa, uat
• Administrative interfaces: admin, cpanel, portal, dashboard
• API endpoints: api, rest, graphql, v1, v2
• Internal tools: internal, corp, intranet, staff
• Legacy systems: old, legacy, archive, backup
• Geographic variations: us, eu, asia, uk, de

Technology-Specific Hunting

Cloud Infrastructure

# AWS-specific subdomains
s3, aws, cloudfront, elb, ec2
bucket, cdn, static, assets, files

# Look for S3 bucket patterns
COMPANY-backup, COMPANY-logs, COMPANY-data
COMPANY.s3.amazonaws.com variations

CI/CD and DevOps

# CI/CD related subdomains
jenkins, gitlab, github, bitbucket
ci, cd, build, deploy, pipeline
docker, registry, harbor, nexus

Monitoring and Security Tools

# Security and monitoring tools
elk, kibana, grafana, prometheus
splunk, nagios, zabbix, datadog
vault, consul, etcd

Common Pitfalls and How to Avoid Them

Rate Limiting and Blocking

Aggressive enumeration can lead to rate limiting or IP blocking:

• Solution: Use multiple DNS resolvers
• Solution: Implement random delays
• Solution: Use cloud instances for distribution
• Solution: Monitor for defensive responses

Wildcard DNS False Positives

Wildcard DNS records can create thousands of false positives:

# Wildcard detection and filtering
# Test random subdomains
test_random=$(dig +short randomstring12345.target.com)
test_random2=$(dig +short anotherteststring.target.com)

if [ "$test_random" = "$test_random2" ]; then
    echo "Wildcard detected: $test_random"
    # Filter this IP from results
fi

Scope Violations

• Always verify discovered subdomains are in scope
• Be careful with subdomain takeovers (may affect third parties)
• Avoid testing production systems aggressively
• Document your methodology for transparency

Advanced Techniques for Experienced Hunters

DNS History Analysis

Historical DNS data can reveal forgotten subdomains:

# Tools for DNS history
- SecurityTrails API
- VirusTotal passive DNS
- PassiveTotal (RiskIQ)
- Umbrella (Cisco)

# Look for patterns in historical data
- Subdomains that used to resolve
- IP address changes over time
- Certificate history correlation

GitHub and Code Repository Mining

Developers often leak subdomain information in code:

# GitHub search queries
"target.com" filename:config
"target.com" filename:.env
"*.target.com" language:yaml
"api.target.com" path:config

# GitLab, BitBucket searches
site:gitlab.com "target.com"
site:bitbucket.org "*.target.com"

Mobile App and JavaScript Analysis

Mobile apps and web applications often contain hardcoded URLs:

• APK analysis: Extract strings from mobile apps
• JavaScript files: Search for API endpoints
• Configuration files: Look for embedded URLs
• Source maps: Analyze original source code

Social Engineering and OSINT

Non-technical sources can reveal valuable information:

• Job postings: Technology stacks and internal tools
• Conference presentations: Architecture diagrams
• Technical blogs: Infrastructure descriptions
• Social media: Employee posts about work

Monetization Strategies

Different types of subdomain findings can lead to different payout potentials:

High-Value Findings

• Subdomain takeovers: Often high-severity findings
• Admin panels: Potential for privilege escalation
• API endpoints: Data exposure and injection flaws
• Development environments: Often have weaker security

Vulnerability Chaining

Combine subdomain discovery with other techniques:

1. Discover forgotten admin panel
2. Find default credentials or weak authentication
3. Chain with other vulnerabilities for higher impact
4. Document the complete attack chain

Continuous Monitoring and Automation

Set up systems to monitor targets continuously:

Automated Monitoring Setup

#!/bin/bash
# Daily subdomain monitoring script

TARGETS_FILE="bug_bounty_targets.txt"
TELEGRAM_BOT_TOKEN="your_token"
TELEGRAM_CHAT_ID="your_chat_id"

while read domain; do
    echo "Monitoring $domain..."

    # Run subdomain discovery
    subfinder -d $domain -all -silent > "current_$domain.txt"

    # Compare with previous results
    if [ -f "previous_$domain.txt" ]; then
        NEW_SUBS=$(comm -13 "previous_$domain.txt" "current_$domain.txt")

        if [ ! -z "$NEW_SUBS" ]; then
            # Send notification
            MESSAGE="🔍 New subdomains found for $domain:%0A$NEW_SUBS"
            curl -s "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \
                -d "chat_id=$TELEGRAM_CHAT_ID&text=$MESSAGE"
        fi
    fi

    mv "current_$domain.txt" "previous_$domain.txt"

done < $TARGETS_FILE

Integration with Bug Bounty Platforms

• Monitor for new programs and scope changes
• Automate initial reconnaissance for new targets
• Set up alerts for high-value target additions
• Track your success rate per target

Building Your Reputation and Scaling Success

Documentation and Reporting

• Detailed methodology: Explain how you found the vulnerability
• Impact assessment: Clearly articulate the business impact
• Reproduction steps: Make it easy for the team to verify
• Remediation guidance: Suggest fixes when appropriate

Scaling Your Operations

• Develop reusable scripts and tools
• Build relationships with security teams
• Focus on programs that match your skills
• Collaborate with other researchers when appropriate

Staying Current

• Follow security research and new techniques
• Participate in bug bounty communities
• Learn from disclosed vulnerabilities
• Experiment with new tools and approaches

Legal and Ethical Considerations

Staying Within Scope

• Always read and understand the bug bounty policy
• Test only what's explicitly in scope
• Avoid testing third-party services unless authorized
• Be mindful of subdomain takeover impacts

Responsible Disclosure

• Report vulnerabilities through proper channels
• Don't access sensitive data unnecessarily
• Provide reasonable time for fixes before disclosure
• Cooperate with security teams during remediation

Future Trends in Subdomain Hunting

Emerging Technologies

• AI-powered discovery: Machine learning for pattern recognition
• Cloud-native hunting: Container and serverless focus
• Real-time monitoring: Instant notification systems
• Blockchain and Web3: New infrastructure patterns

Defensive Evolution

• Improved subdomain management
• Better monitoring and detection
• DNS over HTTPS adoption
• Enhanced access controls

Conclusion

Successful bug bounty subdomain hunting combines technical skills, creativity, persistence, and ethical conduct. By mastering the techniques outlined in this guide and staying current with evolving technologies, hunters can consistently find valuable vulnerabilities while building positive relationships with security teams.

Remember that subdomain discovery is just the beginning – the real value comes from thoroughly analyzing discovered assets and finding the vulnerabilities that others miss. Focus on quality over quantity, automate repetitive tasks, and always operate within the bounds of the bug bounty program's scope and guidelines.

The most successful bug bounty hunters are those who combine excellent technical skills with strong communication, ethical behavior, and a genuine desire to help organizations improve their security. Use these techniques responsibly, contribute to the security community, and continue learning as the landscape evolves.